Let’s start building security into the Internet of Things now, before everything becomes connected — and hackable.

The Internet of Things (IoT) is weaving itself into the fabric of everyday life, including smart grids, smart meters, connected cars, and devices for the home. Gartner reports there are more than 2.5 billion connected devices today, and by 2020, there will be more than 30 billion.

While there’s excitement about IoT’s potential to create new business and boost productivity and convenience, the technology community can’t forget about security. If there’s one thing IT professionals know, it’s that if something is connected to the Internet, someone will try to hack it.

Unfortunately, the technology industry has a long history of ignoring security in the rush to open new markets, and we may see it happen again with IoT. We’ve already witnessed instances of hackers exploiting security holes in smart TVs and baby monitors.

In some cases, IoT may be able to use existing security technology, such as cryptography. Per-device keys and certificates can be used to authenticate devices, and encryption, for instance over a VPN, can safeguard sensitive data in transit.


Although VPNs are most often thought of as a technology to secure communications with corporate networks and the Internet, they can just as easily be implemented within devices to support machine-to-machine (M2M) communications and more innovative forms of connectivity.

However, encryption also comes with its own drawbacks. Consider key management, for example. As billions of connected devices get rolled out, there is a looming logistical challenge to secure and manage encryption keys.

A well-designed public key infrastructure (PKI) can cover some requirements regarding rollout and maintenance of large-scale encryption systems. However, IoT is not just a big “blob” in the cloud, but a collection of islands where each service provider — e.g., electric utilities, set-top box providers, consumer-goods manufacturers, and so on — has to manage its own keys on its own devices.

Encryption also may not always be an option. Some low-power devices lack the computational power, memory, or energy budget needed to encrypt and decrypt data, and where they can afford it, lighter-weight choices matter more than on a server (elliptic-curve keys, for instance, are much smaller than RSA keys of comparable strength).
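As an added illustration of the "islands" point and of the per-device key lifecycle (issue, verify, revoke) discussed above, the Go program below stands up two independent provider CAs using only the standard library, enrols a device certificate under one of them, shows that the other island's gateway rejects it, and then revokes it with a CRL. This is example code written for this edit, not anything from the original post or from any vendor's product; the provider names, device ID, validity periods, the serial counter and the CRL numbering scheme are assumptions made for the demo, and the device key is generated in-process only because there is no real device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// island is one provider's private PKI: its own root CA, device certs and CRL. Nothing is shared.
type island struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	serial int64 // last serial issued (assumption: a counter is enough for the demo)
}

// issue signs tmpl under parent with key and parses the encoded certificate back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newIsland creates a self-signed P-256 root; P-256 keeps keys and signatures small for constrained devices.
func newIsland(name string) (*island, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &island{caCert: cert, caKey: key, serial: 1}, nil
}

// enroll issues a 90-day client certificate for one device (device key generated here for the demo only).
func (is *island) enroll(deviceID string) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	is.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(is.serial), Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 90),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, is.caCert, &devKey.PublicKey, is.caKey)
}

// revoke publishes a CRL listing the given serials, signed by this island's CA.
func (is *island) revoke(serials ...*big.Int) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, is.caCert, is.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// admit is what a gateway or M2M peer inside this island runs on a presented certificate: it must
// chain to this island's root, be valid for client auth, and not be on a CRL this island's CA signed.
func (is *island) admit(cert *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(is.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain rejected by %s: %w", is.caCert.Subject.CommonName, err)
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(is.caCert); err != nil {
			return fmt.Errorf("CRL not signed by %s: %w", is.caCert.Subject.CommonName, err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("serial %s revoked", cert.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	utility, _ := newIsland("Electric Utility")
	settop, _ := newIsland("Set-Top Box Provider")
	meter, _ := utility.enroll("smart-meter-0001")
	crl, _ := utility.revoke(meter.SerialNumber)
	fmt.Println("own island, not revoked:", utility.admit(meter, nil))
	fmt.Println("other island:", settop.admit(meter, nil))
	fmt.Println("own island, after revocation:", utility.admit(meter, crl))
}
```

Run as is, the program prints a nil error for the utility's own meter, an unknown-authority error from the set-top island, and a "revoked" error once the CRL is presented. The admit check deliberately refuses any CRL not signed by its own CA; without that check a foreign island could revoke your devices, or an attacker could hand the gateway an empty CRL to un-revoke a compromised one.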

Access control also presents a security challenge in an IoT world. Once someone can access an endpoint device, that device's credentials and network position can be used to reach the rest of the system, so access control systems that manage user and device privileges, and grant each only the access it actually needs, are necessary.

Network administrators have to see the whole remote-access picture, including endpoints, VPNs, and the rest of the network infrastructure. Limiting network access, securing communications, and securing device access all need to be part of an IoT network security strategy.

There’s also the issue of software. As we’ve learned from years of exploits against servers, PCs, and smartphones, attackers will always find vulnerabilities or weaknesses in software that they can use to their advantage.

Organizations that build IoT devices must use secure software development practices to limit exploitable vulnerabilities. Meanwhile, IoT vendors and customers must ensure mechanisms are in place to apply patches or update software as necessary, and that devices accept only updates the vendor has signed, so the update channel does not itself become an attack vector.
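One concrete form of such an update mechanism, added here as an example rather than taken from the original post or from any vendor's firmware: the device accepts only update manifests signed by a vendor key burned in at manufacture, checks that the delivered image matches the signed digest, and refuses anything at or below its installed version so a signed but old, vulnerable image cannot be replayed. The manifest layout, the version numbers and the image bytes are assumptions made for this demo; the signing key is generated in-process for convenience only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest layout (an assumption for this example, not any vendor's real format):
//   version (4 bytes, big-endian) || sha256(image) || ed25519 signature over the first 36 bytes
const (
	signedLen   = 4 + sha256.Size
	manifestLen = signedLen + ed25519.SignatureSize
)

// device models the update-related state a connected device holds.
type device struct {
	vendorPub ed25519.PublicKey // burned in at manufacture; the private half stays with the vendor
	version   uint32            // currently installed firmware version
}

// newVendorKeys generates the vendor signing key pair (demo only; real keys live offline or in an HSM).
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate is the vendor-side step: bind the image digest to a version and sign both together.
func signUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	m := make([]byte, signedLen, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	digest := sha256.Sum256(image)
	copy(m[4:], digest[:])
	return append(m, ed25519.Sign(priv, m)...)
}

// apply is the device-side gate that runs before anything is written to flash.
// The signature is checked first so nothing in an unsigned manifest can steer a later decision.
func (d *device) apply(manifest, image []byte) error {
	if len(manifest) != manifestLen {
		return errors.New("malformed manifest")
	}
	signed, sig := manifest[:signedLen], manifest[signedLen:]
	if !ed25519.Verify(d.vendorPub, signed, sig) {
		return errors.New("signature not from the vendor key")
	}
	digest := sha256.Sum256(image)
	if subtle.ConstantTimeCompare(digest[:], signed[4:]) != 1 {
		return errors.New("image does not match the signed digest")
	}
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= d.version { // anti-rollback: a genuine but older image is still refused
		return fmt.Errorf("rollback refused: offered v%d, installed v%d", version, d.version)
	}
	d.version = version
	return nil
}

func main() {
	pub, priv := newVendorKeys()
	d := &device{vendorPub: pub, version: 3}
	image := []byte("firmware v4 image (constructed)")
	m := signUpdate(priv, 4, image)
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 1
	fmt.Println("tampered image:", d.apply(m, tampered))
	fmt.Println("genuine v4:    ", d.apply(m, image))
	fmt.Println("replayed v4:   ", d.apply(m, image))
	_, rogue := newVendorKeys()
	fmt.Println("rogue signer:  ", d.apply(signUpdate(rogue, 5, image), image))
}
```

The order of the checks matters: the signature is verified before the version or digest fields are read, and the version comparison comes after the digest check, so a genuine-but-old image is refused even though its signature is valid. A production device would additionally pin the public key in write-once storage and re-verify the installed image at every boot.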

More security will certainly come with increased costs. However, this is the price that must be paid to reduce risks. In the long run, any additional costs will be well worth it to ensure corporate, employee, and customer data remain secure.

The Internet of Things has great potential to transform our lives. However, to provide the highest level of end-to-end security, IoT equipment and software have to be designed — from the start — with security in mind, giving consideration to how each component is being used, what type of data will be communicated, what connections will be made, and who will have access.

All communication modes/channels need to be thought through from a security standpoint, and reasonable security guidelines must be established and implemented for all connected devices.

The Internet has taught us the hard way that security has to be baked in, not bolted on afterwards, for maximum effectiveness. Let’s hope the technology community will apply this lesson to IoT.

This post originally appeared on InformationWeek.

Is your enterprise one of the many that are “subject to the whims of fickle consumer-business users” when it comes to adopting new technology?

That’s how Clorox CIO and vice president Ralph Loura framed the current state of enterprise tech and the Bring Your Own Device (BYOD) trend when he appeared earlier this month among a panel of other CIOs at the Westin St. Francis Hotel in San Francisco.

He couched his message by saying that even though enterprises may try to be user-centric, employees constantly make new technology demands—and change them often—making it difficult for enterprises to fulfill their every request, even if it would make life easier for users. With employees demanding network access for many different types of devices, operating systems and applications, a CIO’s job has never been harder. But do employees always know what’s best for network security?

According to Loura, “User-led is not the same as user-centric … User-centric is about looking at and understanding the need, not the ask.” A user-led approach gives power to employees and requires the enterprise to adopt most or all user suggestions – a clear risk.

And risk is not something Loura, like many CIOs, has ever been comfortable with. During a panel hosted by Okta Inc. back in April, he said that he is careful about innovation spend. He stays risk averse, yet searches for those investments that will yield the highest return.

In the case of enterprise tech, he said that when users ask him to support a new enterprise technology, i.e. hardware or application, he doesn’t automatically accept their request. Instead, he adds that suggestion to a pool of other related ones, weighs the user benefits with the risks, i.e. security, and then reconciles those factors before adopting the best all-around solution.

His message resonates in the discussion of BYOD versus the slightly more stringent CYOD (Choose Your Own Device) strategy, in which employees only have a limited number of approved devices to choose from. Loura would likely support CYOD because it puts a little more power back into the hands of the IT department. However, despite the benefits for IT control, CYOD’s growth is far surpassed by BYOD’s, and enterprises must adapt the way they create network security policies accordingly.

With security ranking as a top priority for IT departments this year, there’s been a real desire among network professionals to assert more control over networks, even as employees are given more technology decision-making power through BYOD policies. One important tool enterprise IT administrators can use to increase the security of their networks is a centrally managed VPN solution, which gives enterprises greater visibility into remote communications and provides them the option to revoke network access to endpoints that are not compliant with enterprise policies.

In a user-centric culture like the one Loura describes, CIOs would adopt VPNs that support whatever devices and operating systems employees choose, and still give IT departments control, through central management capabilities.

A centrally managed remote access solution also increases productivity by automating VPN client rollout and updates, and reduces IT help desk calls because installation and updating no longer have to be done by hand on each device. It also lowers documentation and training costs because user hands-on interaction is significantly reduced. These benefits provide a strong case for CIOs in search of that elusive high return on investment Loura mentions.

Finally, automation and ease-of-use free IT staff to focus on higher value activities. At the same time, they provide a higher level of security and more freedom for employees, while still maintaining IT control. Managing BYOD doesn’t need to be the headache it once was, with a user-centric approach and a centrally managed VPN.

The discussion on BYOD centers on whether employees working more efficiently on their personal devices is worth whatever network security vulnerabilities are sown when enterprises allow numerous devices and operating systems to access their networks.

As a compromise between employees and employers that brings everyone onto the same page, a BYOD policy helps. But, it doesn’t completely reconcile the interests of both employees and employers, as work efficiency and enhanced network security are far too often seen as mutually exclusive concepts.

That’s why new technologies that could help employers to secure mobile devices are so appealing. So, what are these technologies, and do they really provide any greater benefit than existing BYOD policies and approaches?

A ‘Kill Switch’ Could Give New Life to BYOD

A new bill working its way through the California legislature would require mobile device manufacturers to equip their products with a “kill switch” that would allow users to remotely disable phones should they get lost or stolen. The thinking is that if potential thieves knew there was a chance a stolen phone could be rendered useless by a kill switch, they would have less incentive to steal one.

If that bill, SB 962, becomes law and begins a national trend, could it also make BYOD more appealing to enterprises? No, according to FierceCIO contributor Jeff Rubin. The problem with kill switches, as a supplement, or even a full-fledged alternative, to BYOD policies, is that they don’t really place any power back in the hands of the enterprise. The device is still the employee’s, as is the decision to disable it. Legally, the employer cannot compel the employee to pull the plug.

Separate Containers, Less Risk?

Alternatively, an enterprise could issue a mobile device that has two distinct operating containers. In that circumstance, one environment within the device would solely contain apps and information used for work purposes, while the other would be for the employee’s personal use. In this scenario, IT departments would gain some degree of oversight and control over employee devices, and, as NetworkWorld points out, they’d be able to “enforce security such as authentication, encryption, data leakage, cut-and-paste restrictions and selective content wiping.”

But, just like kill switches, containerization has been criticized in the tech media as falling short of a catch-all BYOD solution. Last summer, CITEworld’s Ryan Faas wrote that the “dual persona” approach of containerization actually erases whatever advantage a user would gain from using their personal device at work. As Faas points out, containerization is simply a more extreme version of the pre-BYOD practice of giving employees “a locked-down and IT-controlled BlackBerry with just the apps on it that IT deemed necessary, and [letting] them carry their personal phone with them as well.” As an example, an employee with a dual-container device still couldn’t use, for work purposes, an app that hadn’t been approved by the IT department, even if they think doing so would make them more productive. Because the user is sacrificing control, they’ll either be less productive (since they can’t determine their own workflows or choose their own apps) or they’ll just work around IT restrictions (creating network security vulnerabilities).

As NCP engineering’s Joerg Hirschmann said in a ZDNet article, “iOS and Android have started down a useful path by adding access controls… but these are far from a comprehensive in-depth security framework. The server operating systems, applications, databases, and networks must all be considered as well.”

This, Hirschmann believes, “leads to the requirement for careful planning, monitoring, and sophisticated firewalls and even to the use of virtual private networks.”

Defense In Depth: An End-to-End Alternative

A deeper critique of new mobile device security technologies like kill switches and containerization reveals that both approaches only partially address the security concerns associated with BYOD, and their benefits come with significant drawbacks.

A defense in depth strategy, on the other hand, helps to insulate organizations from attack through otherwise vulnerable endpoints, without robbing employees of the control and flexibility BYOD provides them. By layering independent controls, a defense in depth approach can detect and contain an attack that gets past one layer before it becomes destabilizing. Centrally managed VPN services, for example, give employees a secure, encrypted connection into the corporate network, and firewalls at the gateway constrain what that connection is allowed to reach. In conjunction with other mobile device security technologies and a BYOD policy that clearly lays out expectations to employees, defense in depth increases the resilience of network security.

The Department of Homeland Security (DHS) issued a warning last week that the computer network of a public utility company had been compromised by a “sophisticated threat actor,” likely through a brute force password attack.

Although the utility company repelled the attack, and there is no evidence that operations were affected, the DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released news of the incident in its January-April 2014 report to highlight “the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.”
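The “monitoring, and detection capabilities” ICS-CERT calls for can start with something as simple as counting failed remote-access logins per source address. The Go program below is an added example (not from the ICS-CERT report or the original post) that runs a sliding-window brute-force detector over a handful of gateway log lines; the log format, the addresses, usernames and timestamps are all constructed for this demo and do not describe any real gateway's output or the incident itself.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// sampleLogs is constructed for this example in a made-up gateway format:
//   <RFC3339 time> vpn: auth <ok|failure> user=<name> src=<ip>
const sampleLogs = `2014-04-02T03:10:01Z vpn: auth failure user=admin src=203.0.113.7
2014-04-02T03:10:05Z vpn: auth failure user=admin src=203.0.113.7
2014-04-02T03:10:09Z vpn: auth ok user=jdoe src=198.51.100.22
2014-04-02T03:10:12Z vpn: auth failure user=root src=203.0.113.7
2014-04-02T03:10:18Z vpn: auth failure user=admin src=203.0.113.7
2014-04-02T03:10:25Z vpn: auth failure user=operator src=203.0.113.7
2014-04-02T03:10:31Z vpn: auth failure user=admin src=203.0.113.7
2014-04-02T03:10:40Z vpn: auth ok user=admin src=203.0.113.7
2014-04-02T03:22:44Z vpn: auth failure user=jdoe src=198.51.100.22
2014-04-02T03:22:59Z vpn: auth ok user=jdoe src=198.51.100.22
this line is not an auth record and must be skipped`

const defaultWindow = 5 * time.Minute

type event struct {
	at        time.Time
	src, user string
	ok        bool
}

type alert struct {
	Src         string
	Failures    int       // failed attempts inside the window
	Users       int       // distinct usernames tried by this source
	First, Last time.Time // span of the burst
	Reason      string
}

// parseLine understands only the constructed format above; anything else is skipped.
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 6 || f[1] != "vpn:" || f[2] != "auth" {
		return event{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, false
	}
	return event{at: at, ok: f[3] == "ok",
		user: strings.TrimPrefix(f[4], "user="), src: strings.TrimPrefix(f[5], "src=")}, true
}

// detect keeps a sliding window of failures per source. It raises an alert when the
// in-window count reaches threshold, and again if a success follows such a burst,
// which is what a completed brute-force looks like in the logs.
func detect(logs string, window time.Duration, threshold int) []alert {
	type state struct {
		fails []time.Time
		users map[string]bool
	}
	st := map[string]*state{}
	var alerts []alert
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		s := st[e.src]
		if s == nil {
			s = &state{users: map[string]bool{}}
			st[e.src] = s
		}
		for len(s.fails) > 0 && e.at.Sub(s.fails[0]) > window { // expire failures outside the window
			s.fails = s.fails[1:]
		}
		if e.ok {
			if len(s.fails) >= threshold {
				alerts = append(alerts, alert{Src: e.src, Failures: len(s.fails), Users: len(s.users),
					First: s.fails[0], Last: e.at, Reason: "success after burst of failures"})
			}
			s.fails, s.users = nil, map[string]bool{}
			continue
		}
		s.fails = append(s.fails, e.at)
		s.users[e.user] = true
		if len(s.fails) == threshold {
			alerts = append(alerts, alert{Src: e.src, Failures: threshold, Users: len(s.users),
				First: s.fails[0], Last: e.at, Reason: "failure burst"})
		}
	}
	return alerts
}

func main() {
	for _, a := range detect(sampleLogs, defaultWindow, 5) {
		fmt.Printf("%s: %s (%d failures, %d users, %s to %s)\n", a.Src, a.Reason,
			a.Failures, a.Users, a.First.Format("15:04:05"), a.Last.Format("15:04:05"))
	}
}
```

The window and threshold are tuning knobs; the shape of the logic is what carries over to a real gateway: track failures per source, expire them, and pay special attention to a success that lands at the end of a burst. The distinct-user count also separates a password spray (many accounts, a few attempts each) from a brute force against a single account, which calls for a different response.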

This attack illustrates why the infiltration of government infrastructure is such a serious national security concern. Just a few months ago, the Federal Energy Regulatory Commission reported that a coordinated attack on even just nine of the country’s 55,000 electrical-transmission substations could cause a “coast-to-coast blackout.”

Given these stakes, government agencies have a responsibility to provide the highest level of security to all endpoints, from legacy ICS terminals to employees’ personal mobile devices, especially in an era where Advanced Persistent Threats (APTs) are becoming commonplace. Every endpoint must now be secured, because hackers are constantly searching for new vectors they can exploit. At the same time, the government has to secure more endpoints than ever, as employees are increasingly connecting to government networks remotely due to the growing Bring Your Own Device (BYOD) and telecommuting trends. These converging sea changes require the government to rethink its network security approach.

In August 2012, the Digital Services Advisory Group and Federal Chief Information Officers Council laid the groundwork for this new approach, by issuing network security guidance and sample BYOD policy templates for federal agencies. But this hasn’t necessarily translated to broad BYOD adoption in the public sector. The U.S. Department of Defense, for example, has been chilly toward BYOD for some time.

What Government Organizations Can Learn from Enterprises

Even though government agencies are reluctant to support BYOD because of the accompanying information security challenges, government workers are pushing for it. Government BYOD is inevitable – IDC predicts that although currently “personal devices make up just 5 percent of the government market, that figure will grow at double-digit rates for the next three years.”

Large enterprises, having already embraced BYOD and dealt with many of its security challenges, are further along than the government is at present and provide a good example of how the right technologies can work together. Faced with a need to secure myriad endpoint devices and operating systems, they have started to embrace a defense in depth approach that layers independent network and security controls to fortify critical systems and help prevent breaches.

As part of such a framework, enterprises are implementing centrally managed remote access VPN solutions, which enable network administrators to monitor the remote access infrastructure and communications with the corporate network. Forward-looking government agencies are starting to embrace centrally managed VPNs, and it is an ideal time for other agencies to follow their lead.

With a centrally managed VPN, government network administrators are able to verify that all endpoints accessing the network remotely are compliant with the government office’s policies before being granted permission to connect. And after a breach is spotted, they can limit its impact by revoking network access to affected devices. This helps to limit network exposure to the “potential intrusion vectors” mentioned in the ICS-CERT report.

Government agencies face a broad range of network security threats, but by protecting all their endpoints with the right technologies, instituting a common sense BYOD policy and doing all they can to protect citizens’ information, they’re better equipped to mitigate these attacks and protect their citizens.

In the not-so-distant past, when enterprises lacked ubiquitous high-speed Internet connections and the means to provide employees with remote access, organizations were far more likely to enforce strict working hours than they are today. After all, work wouldn’t get done if employees weren’t present.

Mobile technology has since enabled the growing trend of remote work, allowing employees to work from anywhere at any time. As a result, many employers have become more flexible in their expectations of employees and in their definition of “the workday.”

But, where they shouldn’t be more flexible, and where many are actually falling behind, is in the governing of how employees use personal mobile devices for work purposes and their remote access to the corporate network.

Are Employees Bringing Their Own Security Problems, Too?

Bring-your-own-device (BYOD) is now more of the norm than a new, disruptive trend. According to a new study by Gartner, more than half of the 995 employees it surveyed said they use their personal devices for work purposes for more than an hour each day. For companies, every moment that sensitive information sits on a device outside the corporate network’s control, it could be exposed.

In a perfect world, employees would never experience security problems with their personal mobile devices while using them for work purposes, and 100 percent of those few who did would report incidents to the appropriate personnel at their company.

The reality is vastly different.

Gartner found that about one-quarter of users have had a security issue with their personal mobile device at work, and only 27 percent of these victims have reported the incident.

These numbers suggest that organizations still have a long way to go to manage BYOD, and that new approaches and technologies are required to protect business data accessed via employees’ mobile devices.

Central Management to the Rescue

Enterprises are increasingly seeking to implement remote access solutions with central management capabilities to manage VPN configurations, certificates, and network and firewall policies, and prevent sensitive data from being exposed whether unknowingly by employees, or by hackers with malicious intent. With myriad operating systems and devices to support in a BYOD environment, IT administrators are searching for cost-effective solutions for securing remote access to the corporate network while enabling workers to be productive.

With a centrally managed VPN that works on all types of devices an employee might have, IT administrators can ensure that all endpoints connecting to the corporate network are policy compliant and automatically roll out VPN software updates to all employees. Also, if a breach occurs, immediate steps can be taken to revoke access to the network down to the device level. IT staff, then, gain a powerful tool that helps to fill the gap left by unreliable employee self-reporting and keep the corporate network secure.