The Internet of Things (IoT) has moved from a marketing buzzword to a household term. And while IoT generates more headlines as a consumer issue, it’s a topic that businesses need to pay attention to as well. According to a 2016 study released by Gartner, more than half of major new business processes and systems will include an IoT component by 2020.
Unfortunately, the rapid spread of IoT brings a proliferation of security risks. In my second installment of cybersecurity facts versus fiction, let’s explore three related to IoT security in the workplace.
Fact or Fiction? The Internet of Things provides more attack vectors than ever before.
Fact: The rate at which the Internet of Things adds new attack vectors is far higher than anything we’ve seen previously. Every connected device is a network-reachable host with its own firmware, listening services and credentials, and most of them were never designed to be managed like a server.
Solving the Problem: The challenge for organizations is multi-faceted.
If your company has some stake in the IoT market, services must be integrated mindfully into IoT devices. Make sure you are prepared for integration from a security perspective. A poorly designed device can lead to fallout in a number of ways, such as a potentially fatal loss of consumer trust, as happened with Petnet.
For IoT devices connected to your organization’s internal network, the responsibility lies with your IT team. Ensure they are following security best practices. Network segmentation will be an invaluable ally: putting IoT devices (common offenders include routers, alarm systems and Nest thermostats) on their own network segment keeps a compromised device from reaching more traditional endpoints (such as mobile phones, printers and laptops).
You may also want to institute a policy stating that employees need to seek approval before connecting any personal IoT device (such as a Fitbit) to your business network.
Fact or Fiction? Spying on employees or cyberstalking is a major risk from IoT.
Fiction: While it’s evolving very fast, the Internet of Things is still in its infancy. Could someone hack your smart security system to break into your corporate office? Yes, it is plausible, but not likely at this point. Widespread surveillance may eventually become a more common problem (a taste of which we’ve seen with recent news regarding smart speakers), but right now the real risks to watch out for are hacked devices being used for other nefarious purposes, for example as part of a botnet or as proxies that hide the attacker’s true origin.
Solving the Problem: Concentrate on the much more realistic threat posed by botnets and the like. Last year, large parts of the internet became unreachable thanks to the Mirai botnet. What was this botnet built from? Countless unprotected IoT devices. And these botnets will only become more common as the IoT explosion continues (some reports forecast a 200 percent increase over the next five years).
Botnets are profitable: attackers rent them out or use them to deny service to large numbers of hosts, and the targets will often pay to restore business as usual.
How do you avoid (inadvertently) joining a botnet? Again, security hygiene plays a role. One critical but overlooked IoT security best practice is changing default credentials. It can’t be emphasized enough how critical this is. Every unit of a given model ships with the same factory username and password, so once an attacker knows one device’s default password, they effectively have them all. Mirai spread exactly this way, probing devices with a list of a few dozen factory username/password pairs.
As mentioned previously, network segmentation is another key to defending against IoT attacks. Other controls like firewalls and network traffic monitoring should also be standard practice.
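The following is an added example, not code from the original post or from Level 3, showing what “segmentation plus traffic monitoring” looks like as detection logic. It assumes a made-up layout in which IoT devices sit on 10.20.0.0/24 and the corporate LAN is 10.10.0.0/16, and it runs over constructed flow records (timestamp, source, destination, destination port, bytes). Two things get flagged: an IoT host initiating a connection into the corporate segment (a segmentation violation), and an IoT host fanning out to many destinations on the telnet ports 23 and 2323, which is how a Mirai-style bot hunts for other devices still running factory credentials. The threshold of ten distinct targets is an assumption to tune for your own network.

```python
"""Flag IoT-segment hosts whose flows break segmentation policy or look like
Mirai-style telnet scanning. Added example with constructed flow records."""
import ipaddress
from collections import defaultdict

# Assumed network layout (not from the article): IoT devices live on their own
# VLAN and may reach the internet, but must never initiate traffic into the
# corporate LAN. Traffic from corp hosts *into* the IoT segment is allowed.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")

# Ports a Mirai-style bot probes while looking for devices with default
# credentials. Any IoT host talking to many addresses on these ports is suspect.
TELNET_PORTS = {23, 2323}
SCAN_THRESHOLD = 10  # distinct telnet targets from one host (assumed tuning value)

# Constructed flow records: "timestamp src dst dport bytes".
SAMPLE_FLOWS = [
    "2017-03-01T10:00:01 10.20.0.7 93.184.216.34 443 5120",   # camera to its cloud service: fine
    "2017-03-01T10:00:02 10.20.0.15 10.10.4.22 445 830",      # thermostat to a corp file server: violation
    "2017-03-01T10:00:03 10.10.1.5 10.20.0.7 443 1200",       # admin laptop managing the camera: allowed
] + [
    # one IoT host sweeping 12 addresses on telnet ports: scanning behaviour
    f"2017-03-01T10:01:{i:02d} 10.20.0.40 198.51.100.{i} {23 if i % 2 else 2323} 60"
    for i in range(12)
]


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, dport, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def analyze(lines):
    """Return {iot_host: [finding, ...]} for hosts that violate policy or scan."""
    findings = defaultdict(list)
    telnet_targets = defaultdict(set)  # host -> distinct telnet destinations

    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        # The policy constrains only what IoT hosts initiate.
        if flow["src"] not in IOT_NET:
            continue
        host = str(flow["src"])

        if flow["dst"] in CORP_NET:
            findings[host].append(
                f"segmentation violation: -> {flow['dst']}:{flow['dport']} at {flow['ts']}"
            )
        if flow["dport"] in TELNET_PORTS:
            telnet_targets[host].add(flow["dst"])

    # Scanning is a per-host aggregate, so evaluate it after the pass.
    for host, targets in telnet_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[host].append(
                f"telnet scanning: {len(targets)} distinct targets on ports {sorted(TELNET_PORTS)}"
            )
    return dict(findings)


if __name__ == "__main__":
    for host, notes in analyze(SAMPLE_FLOWS).items():
        for note in notes:
            print(f"{host}: {note}")
```

In practice the flow records come from a firewall, NetFlow/IPFIX collector or switch span port on the IoT VLAN; the point of the example is that once the segment exists, the two questions worth asking of its traffic are “did anything cross the boundary it should not have?” and “is any device behaving like a bot?”. The first finding means the firewall rule is missing or misconfigured; the second means a device is likely already compromised and should be pulled off the network and reset.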
Fact or Fiction? Security needs to be part of the product lifecycle when designing an IoT device.
Fact: Security can no longer afford to take a backseat when creating a connected device. Unfortunately, in the interest of taking these devices swiftly to market, security is frequently just an afterthought that follows the implementation of required features. This creates challenges not only for the companies that are developing these products, but for the organizations that purchase these products to use in their business operations.
Solving the Problem: This is a problem that should solve itself through market demand. Realistically though, this will not happen, since usability and convenience always seem to override security concerns. The European Union (EU) is developing new IoT security rules, and the U.S. should follow its lead and take a legislative approach to these problems as well. But before that happens, expect the problem to get worse, not better.
In the meantime, the best approach is a mixture of vigilance and due diligence. Before you (or your team) purchase any IoT device for your business, research it thoroughly. Is it associated with any known vulnerabilities? Does it have any history of insecurity? Although sometimes a device might be appealing from a financial standpoint, it may do more harm than good in the long term.
Once you connect a previously offline device to the internet, it is only yours until someone finds a vulnerability in it; from that moment, whoever exploits it first controls it. Install updates on your devices as soon as you see them, research products before you purchase and deploy them in your organization, and ensure you are doing everything you can to mitigate IoT risk through all the supporting controls available.
Learn more about how you can help build accountability and help secure IoT from Level 3 Chief Security Officer, Dale Drew.