Protect your business from IoT security risks
Published 22nd November 2017
There is no doubt that the Internet of Things (IoT) can be of huge importance to enterprises, increasing productivity and efficiency across a business.
However, businesses also need to recognise the risk that comes with these devices. It is estimated that there will be 20 billion connected devices by 2020, with many of these technologies leveraging the cloud and carrying masses of confidential data, competitive intelligence and intellectual property across both the on-site and off-site IT ecosystem. Two-thirds of enterprises are expected to experience IoT security breaches by 2018. By 2020, more than 25 percent of attacks could also be IoT-related. Yet IoT security accounts for only 10 percent of IT security budgets.
The importance of cybersecurity therefore cannot be overstated, as the IoT is critical to the businesses of today. Cybersecurity strategists will need to adapt to accommodate the ever-changing landscape of connected devices and the entirely new risks this creates.
With new IoT innovations emerging at a rapid rate, traditional cybersecurity frameworks are in many cases inadequate for the enterprises they are trying to protect. As the number of IoT devices grows, along with the complexity and sophistication of the technology, legacy hardware, software and processes are unable to keep up, increasing the risk that IoT poses within businesses.
New business trends such as ‘Bring Your Own Device’ (BYOD) do not help the cause. Consider the already vast number of sensors and internet-enabled devices operating and collecting data, from TVs and appliances to cameras, printers, scanners and more. All of these could be hacked, allowing attackers to steal confidential data. Personal mobile phones and tablets, as well as other devices brought into work, only increase this risk.
For enterprises to begin the ‘fightback’, it is important they first understand the level of complexity presented by each IoT device, based on three criteria: devices, ecosystems and use cases.
The simplest devices produce no data of their own, merely capturing information and sharing it via Wi-Fi. This includes heat or light sensors and popular fitness watches. Although quite simple, they still gather large amounts of specific data, which the enterprise should monitor.
Devices which are ‘embedded’ and contain sensors are considered moderate in complexity. This includes anything from lighting and heating systems to sliding doors. These units contain onboard controls which monitor and control activity whilst also producing data. Such devices can prove extremely dangerous if left unsecured: imagine the heating being switched off in a hospital, or the lighting on public transport.
Smartphones, which possess sophisticated operating systems and various application capabilities, are considered highly complex. Unfortunately, it is also easier for hackers to attach malware to these devices by detaching their operating system and accessing sensitive data.
How to manage the risk from IoT within your enterprise
A vulnerability programme is key to securing smart devices of high complexity and high risk. Such programmes identify and fix weaknesses over time, whether in an outdated operating system or in security software. Larger enterprises find it much harder to keep track of the number of weaknesses they may have, so a programme like this helps them manage it. This should not be a one-off audit of your devices: consistent, ongoing checks are needed to maintain a high level of security across all IoT devices for the duration of their lifecycle.
Asset management is another key step enterprises must take to secure themselves against attacks. Enterprises have a much better chance of securing themselves if they know exactly what they are working with. IoT devices entering the building without anyone’s knowledge can be dangerous. If all assets, business or personal, are accounted for and categorised by complexity, enterprises can manage their risk much more effectively. If an enterprise sees no clear advantage to an IoT device, it should ask itself why the device is even there, as it adds nothing but risk.
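The two measures above, an ongoing vulnerability programme and an asset register categorised by complexity, can be driven from a single reconciliation step. The following is an added example written for this page, not code from the original article: it assumes a constructed asset register, a constructed discovery-scan result, and a hypothetical firmware-age policy of 180 days, and reports devices seen on the network that nobody registered, registered devices whose firmware is overdue, and how many devices fall into each of the article's complexity tiers.

```python
from datetime import date

# Complexity tiers described in the article: simple sensors and wearables,
# embedded controllers with onboard control logic, and smartphone-class devices.
COMPLEXITY_BY_TYPE = {
    "temperature-sensor": "low",
    "fitness-watch": "low",
    "hvac-controller": "moderate",
    "lighting-controller": "moderate",
    "door-controller": "moderate",
    "smartphone": "high",
    "tablet": "high",
}

# Constructed asset register (hypothetical data, not from the article).
ASSET_REGISTER = [
    {"mac": "aa:bb:cc:00:00:01", "type": "hvac-controller", "owner": "facilities",
     "personal": False, "firmware_updated": date(2017, 3, 1)},
    {"mac": "aa:bb:cc:00:00:02", "type": "temperature-sensor", "owner": "facilities",
     "personal": False, "firmware_updated": date(2017, 10, 20)},
    {"mac": "aa:bb:cc:00:00:03", "type": "smartphone", "owner": "j.smith",
     "personal": True, "firmware_updated": date(2016, 11, 5)},
]

# Constructed output of a network discovery scan: the two registered
# facilities devices plus one device nobody recorded.
OBSERVED_DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.20.0.11"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.20.0.12"},
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.20.0.50"},
]

# Date the report is run against (constructed) and the hypothetical policy window.
AS_OF = date(2017, 11, 22)
MAX_FIRMWARE_AGE_DAYS = 180


def classify_complexity(device_type):
    """Map a device type onto the article's three tiers. Unknown types are
    treated as high complexity so they receive the most scrutiny."""
    return COMPLEXITY_BY_TYPE.get(device_type, "high")


def find_unregistered(register, observed):
    """MACs seen on the network that have no entry in the asset register."""
    known = {entry["mac"] for entry in register}
    return sorted(dev["mac"] for dev in observed if dev["mac"] not in known)


def stale_firmware(register, today=AS_OF, max_age_days=MAX_FIRMWARE_AGE_DAYS):
    """Registered devices whose last firmware update is older than the policy
    window; this is the vulnerability programme's work queue."""
    return sorted(entry["mac"] for entry in register
                  if (today - entry["firmware_updated"]).days > max_age_days)


def risk_report(register, observed, today=AS_OF):
    """Summarise what needs attention: unknown devices, overdue firmware, and
    the count of registered devices per complexity tier."""
    tiers = {"low": 0, "moderate": 0, "high": 0}
    for entry in register:
        tiers[classify_complexity(entry["type"])] += 1
    return {
        "unregistered": find_unregistered(register, observed),
        "stale_firmware": stale_firmware(register, today),
        "by_complexity": tiers,
    }


if __name__ == "__main__":
    print(risk_report(ASSET_REGISTER, OBSERVED_DEVICES))
```

Run as written, the report flags the unknown MAC `aa:bb:cc:00:00:99`, lists the HVAC controller and the personal smartphone as overdue for firmware, and shows one device in each tier. In practice the register would come from a CMDB and the observed list from a network scanner, but the reconciliation logic stays the same.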
The final way to reduce the risk of attack seems obvious to many yet is surprisingly poorly executed: use complex passwords. A study by HP found that 70% of devices did not encrypt communications to the internet and local network, and 80% failed to require passwords of sufficient length and complexity.
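A password policy is only useful if it is enforced when devices are provisioned. The following is an added example for this page, not code from the article or from HP's study: it assumes a hypothetical policy of at least 12 characters drawn from at least three character classes, rejects a short constructed list of well-known weak defaults and any password containing the device's own identifiers, and generates compliant credentials for new devices using the standard library's `secrets` module.

```python
import re
import secrets
import string

# Short, constructed list of passwords that commonly ship on unconfigured
# devices; a real deployment would use a much larger list.
WEAK_DEFAULTS = {"admin", "password", "123456", "12345678", "default", "guest"}

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_device_password(password, min_length=12, min_classes=3, identifiers=()):
    """Return a list of policy failures; an empty list means the password is
    compliant. `identifiers` are strings such as the device model or hostname
    that must not appear inside the password."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(classes) < min_classes:
        failures.append(f"uses only {len(classes)} of {min_classes} required character classes")
    if password.lower() in WEAK_DEFAULTS:
        failures.append("matches a well-known default password")
    for ident in identifiers:
        if ident and ident.lower() in password.lower():
            failures.append(f"contains device identifier '{ident}'")
    return failures


def generate_device_password(length=20):
    """Generate a random password and keep drawing until it satisfies the policy,
    so the result always passes check_device_password."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_device_password(candidate, min_length=length):
            return candidate


# Constructed provisioning records (hypothetical devices and credentials).
DEVICE_CREDENTIALS = [
    {"hostname": "lobby-printer", "model": "HP", "password": "admin"},
    {"hostname": "hvac-01", "model": "AcmeHVAC", "password": "AcmeHVAC-2017!"},
    {"hostname": "cam-02", "model": "CamCo", "password": "Xk7#pQ2v!mL9zR"},
]


def audit_credentials(records):
    """Map each non-compliant hostname to its list of policy failures."""
    result = {}
    for rec in records:
        failures = check_device_password(
            rec["password"], identifiers=(rec["hostname"], rec["model"]))
        if failures:
            result[rec["hostname"]] = failures
    return result


if __name__ == "__main__":
    for host, failures in audit_credentials(DEVICE_CREDENTIALS).items():
        print(host, "->", "; ".join(failures))
    print("replacement:", generate_device_password())
```

On the constructed records the printer fails on length, character classes and the default list, the HVAC controller fails because the password embeds its model name, and the camera passes. Pairing this check with the asset register means every device has a known, policy-compliant credential from the day it is connected.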
A holistic approach must also be taken to protect enterprises from the growing threat. An IoT device cannot be viewed in isolation. It is part of an ecosystem that may be powering data processing and analytics applications, or even the cloud. These various intermediaries can be very complex. For example, a single ecosystem could be a business with smart heaters, smart TVs, printers and audio-visual equipment which send data back to a server owned externally by a third-party maintenance company or device manufacturer. Hackers could compromise the external companies to gain access to the enterprise. This scenario becomes even more complicated when enterprises outsource a variety of facilities, as this gives attackers multiple third-party channels through which to penetrate an enterprise. There are, however, a couple of ways in which enterprises can secure their ecosystem against potential hackers.
One quicker way of reducing the threat level is network segmentation, which limits the access each device is given. IT can move risky devices off the main network into smaller, segmented networks which have additional monitoring and restricted access. This is already common in many enterprises; for example, guests may log into a separate Wi-Fi network from employees. By segmenting their networks, enterprises effectively confine certain risks to parts of their IT infrastructure.
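Segmentation only confines risk if the restrictions are monitored, because a misconfigured firewall rule or a device plugged into the wrong port silently undoes it. The following is an added example for this page, not code from the article: it assumes a hypothetical address plan (corporate, IoT, guest and a telemetry collector segment, all constructed), a small allow-list of which segments may talk to which and on which ports, and a constructed flow-log format, and it reports every logged flow that crosses a segment boundary the policy does not permit.

```python
import ipaddress
import re

# Constructed segment layout (hypothetical addressing, not from the article).
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.30.0.0/16"),
    "guest": ipaddress.ip_network("10.40.0.0/16"),
    "collector": ipaddress.ip_network("10.50.0.0/24"),  # where IoT telemetry may go
}

# Permitted (source segment, destination segment) pairs and destination ports.
# None means any port; a pair absent from this table is a violation.
# "any" stands for addresses outside every defined segment, i.e. the internet.
ALLOWED = {
    ("iot", "collector"): {443, 8883},   # HTTPS and MQTT over TLS only
    ("corporate", "collector"): {443},
    ("corporate", "corporate"): None,
    ("corporate", "any"): None,
    ("guest", "any"): None,              # guests get internet access and nothing else
}

# Constructed flow-log format: one flow per line with key=value fields.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)")


def segment_of(ip):
    """Name of the segment containing ip, or 'any' for off-network addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "any"


def is_permitted(src_seg, dst_seg, dport):
    """Apply the allow-list; anything not explicitly listed is denied."""
    if (src_seg, dst_seg) not in ALLOWED:
        return False
    ports = ALLOWED[(src_seg, dst_seg)]
    return ports is None or dport in ports


def parse_flow(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def find_violations(lines):
    """Return (timestamp, src, dst, dport, 'src_seg->dst_seg') for each flow
    that crosses a boundary the segmentation policy does not allow."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed lines are skipped, not treated as violations
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if not is_permitted(src_seg, dst_seg, flow["dport"]):
            violations.append((flow["ts"], flow["src"], flow["dst"],
                               flow["dport"], f"{src_seg}->{dst_seg}"))
    return violations


# Constructed sample flows (203.0.113.10 is a documentation-range address).
SAMPLE_FLOWS = [
    "2017-11-22T09:00:01Z src=10.30.0.15 dst=10.50.0.10 dport=8883 proto=tcp",  # IoT telemetry: allowed
    "2017-11-22T09:00:05Z src=10.30.0.15 dst=10.10.0.20 dport=445 proto=tcp",   # IoT to corporate file share
    "2017-11-22T09:00:09Z src=10.40.0.7 dst=10.30.0.15 dport=80 proto=tcp",     # guest reaching an IoT device
    "2017-11-22T09:00:12Z src=10.10.0.5 dst=203.0.113.10 dport=443 proto=tcp",  # corporate to internet: allowed
    "2017-11-22T09:00:15Z src=10.30.0.15 dst=10.50.0.10 dport=22 proto=tcp",    # IoT to collector, wrong port
    "malformed line",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(*v)
```

Three of the constructed flows are reported: an IoT device reaching a corporate file-sharing port, a guest client reaching an IoT device, and an IoT device using a port the collector rule does not allow. Feeding real firewall or NetFlow exports through the same check turns the segmentation design into something that is continuously verified rather than assumed.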
Another way of reducing risk is thorough screening of external or third-party suppliers and contracts. Some enterprises have screened potential suppliers, only going ahead with those who demonstrate a good understanding of cybersecurity. Contracts also ensure that suppliers and providers are legally bound to protect enterprise confidentiality.
With an estimated 20.4 billion connected things in use worldwide by 2020, the number of IoT devices used by enterprises will more than triple to 7.5 billion. This gives hackers more than triple the number of devices through which to access any given enterprise. It is therefore paramount for enterprises to start thinking about their IoT security now, before it is too late.