How channel firms can exploit a silver lining to shadow IoT

The Internet of Things (IoT) is changing how businesses across the globe work. When harnessed effectively it can enhance productivity, cut costs, drive new revenue streams, and bring firms closer to customers.

But in the rush to tap into technological leaps, as with many aspects of digital transformation, organisations can leave themselves exposed to security risks. This threat becomes deeper when teams purchase and connect new IoT endpoints to the corporate network without the knowledge of the IT department.

Shadow IT combined with IoT is a recipe for cyber security disaster, but the channel can help, both by providing expert guidance and by supplying the tools IT leaders need to gain greater visibility and control over their smart endpoints.

A new spin on a time-old problem

IoT adoption continues to grow, with research claiming the number of connected devices will explode from 6.3 billion in 2016 to more than 25 billion by 2025. More than half of new devices deployed will be classed as 'business' devices, but it's increasingly difficult to separate 'business' from 'consumer' products in IoT.

Of course, Industrial IoT (IIoT) products are specifically designed to be used by the likes of manufacturers and transport businesses. They can help with everything from monitoring water levels, to running automated factory floor systems and managing vehicle fleets.

But there is also a potentially large number of smart devices running on a corporate network either brought in by employees from home or by managers. Think 'BYOD 2.0'. These can include smart kitchen and home appliances such as kettles, toasters and TVs, or even cameras.

This represents a new spin on the time-old problem of shadow IT: unsanctioned and potentially unsecured devices expanding the corporate attack surface without any oversight from the IT department. It mirrors warnings from a few years ago of business unit managers migrating corporate data into insecure public cloud accounts. Of course, the very nature of shadow IoT means it's impossible to quantify the threat, but that doesn't mean it isn't a major challenge to corporate security.

The scale of IoT threats is rising

Unprotected endpoints represent an increased security threat on several fronts. For instance, they could be compromised to allow "stepping stone" access to corporate networks and enable data-stealing raids. Or they could be conscripted into botnets to launch DDoS attacks, crypto-mining, click fraud and more. The Mirai attacks of 2016 showed us just how easy it is to do this. IoT endpoints could also theoretically be targeted with sabotage to disrupt business processes and can be compromised to spy on staff.

With Symantec reporting a 600% rise in IoT attacks last year, these threats are far from theoretical. Another survey meanwhile reported organisations suffered on average three attacks on connected devices over the previous 12 months. The same research found a third (33%) of organisations don't know who is responsible for IoT security, while only 38% said they involved security teams in choosing IIoT kit.

The potential impact of a serious incident is well known, spanning financial and reputational damage as well as large regulatory fines under GDPR and the NIS Directive, which applies to critical infrastructure industries.

The problem with shadow IoT is compounded by the fact that responsibility for these new systems is blurred, sitting at the intersection of IT and OT (operational technology) and occasionally falling between the two completely. Worse still, if OT managers are left in charge of IoT, their approach to security will be different from that of their IT counterparts - which can lead to reluctance to take systems offline to apply vital patches.

The silver lining for channel firms

The plus side is that this offers channel players a great opportunity to step into the role of trusted advisors. A skills gap in customer-facing organisations can lead not only to shadow IoT but also to poor security practice. This might include the lack of a regular patch update mechanism, default passwords running on products, no network segmentation, and so on.

Channel partners can be on hand to offer vital advice that improves an organisation's basic cybersecurity hygiene in this area, also offering services like pen testing to identify security issues in smart endpoints. They can even help illuminate the darkest shadows of corporate IT to find any devices on the network that shouldn't be there.

Once organisations have visibility and are following basic best practices, there's an additional opportunity to sell a layered security message to keep IoT systems protected from advanced threats. Elements including IPS, firewalls, identity and access management and many more should be on the radar for channel resellers. We don't claim to hold all the answers, but there's certainly an opportunity to add value and forge closer ties with your customers as the race for digital transformation intensifies.

David Ellis is VP for security and mobility solutions for Europe at Tech Data
