By Cara Sloman
When most people hear “Internet of Things,” they think of consumer-facing items like connected fitness devices, self-driving cars and smart refrigerators. The truth is that the business sector is where the IoT began. Before anyone was setting their home thermostat remotely, organizations were using connected sensors and other devices to track data and monitor systems. They have been using this data to make better business decisions, streamline processes and create greater efficiency.
As more and more devices have become connected, though, hackers and other malicious actors have focused their efforts on exploiting IoT devices – and enterprises are not exempt from becoming victims. Businesses might not think about the cybersecurity settings of their photocopiers, yet 2016’s Mirai malware used hundreds of thousands of IoT devices to create a botnet that took down popular proxy server Dyn, and with it, nearly one third of websites globally.
Once an exploit is successful, history has shown that many more are sure to follow. The world’s hyper-connectivity creates boundless opportunities, and hackers are looking to profit – or to make a statement. The rapid and wide-scale adoption of connected sensors and IoT devices in manufacturing, healthcare, transportation and utility settings means that a broad swath of the global economy’s critical infrastructure is increasingly vulnerable to these attacks.
Of course, events like these give organizations pause, and that is right – to a point. Security issues can cause enterprises to wonder whether the IoT is worth it. In fact, in a recent Ponemon Institute research report on mobile IoT application security, 75 percent of respondents said the use of IoT apps significantly or very significantly increases security risk.
However, just as time and tide wait for no one, neither do the IoT and its tremendous potential to provide competitive advantage via innovative solutions derived from data analytics. Choosing and deploying secure IoT solutions provides valuable new business insights and efficiencies while protecting your data and infrastructure assets. Holding off too long could be fatal.
The Risk is Real
It is important to understand the level of security that manufacturers have built into their IoT products before purchasing them. While it is (relatively) easy to design and ship an IP camera, for instance, the ease with which one can be hacked from factory settings makes installing one an unacceptable risk factor to the network – and your enterprise.
Because the IoT security issue is so far-reaching and potentially devastating, regulators are starting to take action to encourage best practices. In January 2017, the Federal Trade Commission (FTC) filed a complaint against router giant D-Link, charging that the company had deceived users on the security of its products and failed to take steps to secure those products appropriately. This case has become a bellwether because the complaint was brought in response to the vulnerabilities themselves, not because of a breach exploiting those vulnerabilities. This is a sign that regulators are taking a more aggressive stance in demanding that connected device manufacturers take clear and sufficient steps in securing their products.
A More Secure IoT Posture
Here are initial steps to integrate into an overall IoT security strategy:
- Assess open source wisely: Though many organizations choose open source IoT software because it is an easy, cheap and flexible option, security flaws can be exploited rapidly, and patches are often slow in coming. IT teams therefore should be aware of the risks in using technologies that are based on open source code.
- Clarify to create a strong IoT bench: A job ad asking for an IoT professional may attract 10 people with 10 different backgrounds. Think about what your company does with connected devices and the specific skills it needs to manage and deploy those applications, systems and devices securely. Looking for and training people with IoT certifications is a way to ensure a strong bench of those skills.
- Insist on unique credentials: Plugging in connected devices with factory settings is a security disaster waiting to happen. Require that each device have a unique password from the manufacturer, printed on a sticker that’s included on the device itself. This significantly reduces the chances of compromise.
- Options besides Wi-Fi: Although Wi-Fi is a viable resource, other options exist. For wide-scale installations in specialized vertical network environments, like manufacturing or healthcare, consider using one of the many specialized communications protocols that are available to your engineers. Do all functions need to be performed on the device, or can some be punted back to the network? Minimizing the need for the device to perform all functions and be connected to all traffic all the time can also reduce its threat exposure.
A Comprehensive Approach
Seemingly endless possibilities spring from the advent of the IoT – both for legitimate and illegitimate purposes. Just as cybercriminals stop at nothing to take what they want, enterprises must match that determination to protect their data and that of their customers. A comprehensive cybersecurity strategy that takes every element and variable into account is needed in today’s treacherous online environment. Organizations that don’t carefully attend to IoT security are likely to face not only loss of customers and reputation but regulatory sanctions as well. Use the recommendations above to build a strong cybersecurity strategy so that you can benefit from the IoT while avoiding its security pitfalls.
Cara Sloman is the executive vice president of Nadel Phelan, Inc.