For many years now, enterprise networks have seen a steady stream of new devices that are outside of IT department control. The mobility trend has given way to the rise of the IoT, and the result is a lot of unmanageable endpoints that represent a clear security risk. Smart lighting, printers, Bluetooth keyboards, smart TVs, video cameras, switches and routers are all connected devices that often lack any built-in security.

This security blind spot is ripe for exploitation by cybercriminals probing your network for weaknesses. According to a survey by the Ponemon Institute and Shared Assessments, 97 percent of risk professionals admit that a data breach or cyber-attack caused by unsecure IoT devices could be catastrophic for their organization, yet just 15 percent have an inventory of most of their IoT devices and only 46 percent have a policy in place to disable devices that pose a risk.

Many organizations are sleepwalking toward disaster, but adopting the right strategies can help you secure all these unmanaged devices and dramatically reduce the risk of a costly data breach.

Shop around for secure devices

Take the time to seek out devices that offer security out of the box and, perhaps more importantly, avoid devices with serious issues that will be tough to guard against.

“Peer-to-peer is notoriously difficult to secure,” says Jack Marsal, Senior Director of Product Marketing at Armis. “Research has repeatedly shown that devices can be reachable, even through a firewall, remotely over the internet because they are configured to continuously find ways to connect to a global shared network so that people can access them remotely.”

Assessing candidate IoT devices to uncover potential risks, and avoiding P2P capabilities, is an important foundation. You should also investigate the vendor’s firmware update policy, with a preference for regular automated updates.

Don’t rely on default configurations

Configuration issues are a major cause of data breaches.
Failing to change widely known default configurations can hand cybercriminals an easy route onto your network. Accessing your security cameras may be as simple as entering the default admin login. Passwords and credentials must be changed, and watch out for undocumented backdoor accounts.

Misconfiguration is another big problem. People often leave unneeded features switched on, such as Universal Plug and Play (UPnP), or inadvertently open ports that can serve as entry points for attackers.

Segment your network

Make sure that there’s a firewall between every device and the internet beyond. Consider sorting unmanaged devices onto their own network segments, separate from your corporate devices and your guest network. Many attackers find a point of entry and then move laterally to exfiltrate data or cause damage. Just be aware that network segmentation can be bypassed through the exploitation of things like Bluetooth. It’s not an impassable security feature, but it’s still worth doing.

Encrypt everything all the time

If you encrypt your data at rest and in transit, then even if attackers steal it, they won’t be able to read it without the decryption key. Make sure access is properly restricted and that users and devices are authenticated. It’s also smart to set up an audit trail for data access and to verify that data hasn’t been tampered with at the point of access.

Keep a real-time inventory

Delve into any set of best practices, such as NIST’s Cybersecurity Framework, and you’ll find that identifying all the devices on your network is foundational to security. It’s not enough just to scan your network for physically connected devices; you also need to consider devices that connect via Wi-Fi and Bluetooth. What’s required is a real-time picture of every device on your network.

Proactively assess risk

It’s vital to perform risk assessments on unmanaged devices. Are there any known vulnerabilities?
Can you identify configuration issues? This might prove difficult in cases where you can’t put an agent on the device, so think about how to create an automated, proactive risk assessment program, or go shopping for a suitable software tool to do it for you.

Continuously monitor for threats

Since many of these unmanaged devices are harder to scan than traditional computers connected to your network, it’s vital to find a way to monitor their behaviour and look for anything suspicious. It makes sense to build a model of expected behaviour and ensure that anomalies are automatically flagged for further investigation. In the future, machine learning may play a crucial role here in uncovering unusual behaviour or traffic connected to a threat.

Automate threat response

Once an attacker breaches your network, they can often burrow in further quite quickly. Even if the entry point is subsequently discovered, it can prove very difficult to expel them fully. Speed is crucial, so it makes sense to pursue a strategy of security automation. When your system detects a threat, it can quarantine the device in question or block its traffic.

“The real hard part of this is ensuring that your security automation is not going to cause more harm than good,” suggests Marsal. “Because if a false positive occurs, say, in a hospital environment, you might not want to shut down the patient monitoring equipment if it seems to be behaving abnormally.”

In some circumstances your system should simply flag the threat and alert a security professional, who can investigate further and decide upon the right action.

With some forethought, sensible planning and vigilance, you can mitigate the threat of unmanaged devices.

Disclosure: Armis is a technology partner of Towerwall.
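The inventory, monitoring and automated-response advice above, put together into one small working loop. This is an added example, not code from the article, from Armis or from Towerwall: the device names, MAC addresses and flow records are constructed, the "expected behaviour" model is deliberately simple (the set of destination ports each device used during a clean learning window), and the `critical` tag that turns a quarantine into an alert is an assumed inventory attribute standing in for the hospital patient-monitor case Marsal describes.

```python
from collections import defaultdict

# Constructed inventory of devices expected on the unmanaged-device segment.
# The "critical" flag is an assumed attribute: devices whose loss of service
# would do more harm than a false positive (e.g. patient monitors).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": {"name": "lobby-camera-1", "critical": False},
    "aa:bb:cc:00:00:02": {"name": "icu-patient-monitor-3", "critical": True},
    "aa:bb:cc:00:00:03": {"name": "print-floor2", "critical": False},
}

# Constructed flow records: (epoch_seconds, src_mac, dst_ip, dst_port).
# A learning window captured while the devices were behaving normally...
BASELINE_FLOWS = [
    (1000, "aa:bb:cc:00:00:01", "10.0.5.10", 554),   # camera -> RTSP recorder
    (1001, "aa:bb:cc:00:00:01", "10.0.5.10", 443),
    (1002, "aa:bb:cc:00:00:02", "10.0.5.20", 443),   # monitor -> nursing station
    (1003, "aa:bb:cc:00:00:03", "10.0.5.30", 631),   # printer -> print server
    (1004, "aa:bb:cc:00:00:03", "10.0.5.30", 9100),
]
# ...and a later window to evaluate against that baseline.
LIVE_FLOWS = [
    (5000, "aa:bb:cc:00:00:01", "10.0.5.10", 554),
    (5001, "aa:bb:cc:00:00:01", "203.0.113.7", 445),  # camera talking SMB off-site
    (5002, "aa:bb:cc:00:00:02", "10.0.5.20", 443),
    (5003, "aa:bb:cc:00:00:02", "10.0.5.21", 22),     # monitor opening SSH
    (5004, "aa:bb:cc:00:00:99", "10.0.5.30", 9100),   # MAC never inventoried
]


def build_baseline(flows):
    """Expected-behaviour model: the destination ports each device used."""
    ports = defaultdict(set)
    for _, mac, _, port in flows:
        ports[mac].add(port)
    return dict(ports)


def update_inventory(inventory, flows):
    """Real-time inventory keyed by MAC: last time each device was observed."""
    for ts, mac, _, _ in flows:
        inventory[mac] = max(ts, inventory.get(mac, 0))
    return inventory


def stale_devices(inventory, now, max_age):
    """Devices not seen within max_age seconds: candidates for a disable policy."""
    return sorted(mac for mac, last in inventory.items() if now - last > max_age)


def detect(flows, baseline, known):
    """Flag devices missing from the inventory and known devices that contact
    a destination port outside their baseline. Returns (mac, reason) pairs."""
    findings, reported_unknown = [], set()
    for _, mac, dst, port in flows:
        if mac not in known:
            if mac not in reported_unknown:
                findings.append((mac, "device not in inventory"))
                reported_unknown.add(mac)
        elif port not in baseline.get(mac, set()):
            findings.append((mac, f"new destination port {port} to {dst}"))
    return findings


def decide(mac, known):
    """Response policy: quarantine unknown and non-critical devices automatically;
    for critical devices only raise an alert so a person makes the call."""
    info = known.get(mac)
    if info is not None and info["critical"]:
        return "alert"
    return "quarantine"


def respond(findings, known):
    return [(mac, reason, decide(mac, known)) for mac, reason in findings]


def run(baseline_flows, live_flows, known, now, max_age=300):
    """One pass of the loop: learn, inventory, detect, decide."""
    baseline = build_baseline(baseline_flows)
    inventory = update_inventory({}, baseline_flows)
    update_inventory(inventory, live_flows)
    findings = detect(live_flows, baseline, known)
    return {
        "actions": respond(findings, known),
        "stale": stale_devices(inventory, now, max_age),
    }


if __name__ == "__main__":
    result = run(BASELINE_FLOWS, LIVE_FLOWS, KNOWN_DEVICES, now=5010)
    for mac, reason, action in result["actions"]:
        print(f"{action:10} {mac}  {reason}")
    print("not seen recently:", result["stale"])
```

Run as a script, the camera and the uninventoried MAC are quarantined, while the patient monitor's unexpected SSH connection only produces an alert, and the printer shows up as not seen within the window. In a real deployment the baseline would be learned from days of flow or NetFlow data rather than five records, the inventory would be fed by wired, Wi-Fi and Bluetooth observations, and the critical flag would live in the asset register, but the shape of the decision is the point: the safeguard against harmful automation is a policy attribute consulted before any quarantine, not a tuning of the detector.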