November 5, 2019
As the world gets more connected, cybersecurity will be one of the key areas for concern. According to a report by Gartner, the number of endpoints an average CIO manages will triple by 2023. For things to run smoothly, CIOs now have to consider a much wider range of aspects because of the growing array of IoT networks and their sensor devices.
According to an Aruba Networks study, a staggering 84% of companies that have adopted IoT solutions experienced a data breach related to the internet of things. Because of the frequent security breaches, companies are having a hard time embracing IoT in a more comprehensive manner. When planning their IoT investments, organizations must embrace a holistic strategy built on policy management and strict network access control.
IoT Security Issues
An autonomous future is just around the corner, and it comes with a host of security issues. The web of connected things across CAGS (cyberspace, aquaspace, geospace and space) is growing at an unprecedented rate. IoT is spreading like wildfire, connecting everyone and everything and at the same time opening doors to a myriad of new security vulnerabilities.
Hackers can now exploit connected devices such as digital locks, smart meters, refrigerators and countless others. Therefore, both companies and individuals are at far greater risk of having their data compromised.
Lower Production Costs at the Expense of Security
Hyperproduction has become somewhat of a norm in almost any given industry. But this is problematic because the speed of production has increased so much that we don’t have the time for proper quality control. A big problem concerning IoT devices is they are equipped with tiny processors for embedded functions. These components are cheaper but they come with a huge drawback. It is much easier to hack these devices because they do not have the memory or computing power to integrate modern security solutions.
Another big problem is the fact that these devices cannot be easily updated with new information about emerging security threats. Integration and interoperability are also getting complex due to the absence of international regulatory standards. Furthermore, the low cost of the devices increases production rates and makes them impossible to keep track of. What is worse, advances in quantum computing are making IoT security even more complicated. While taking all of this into account, let’s see what companies can do to improve IoT security.
Use an ISMS to Mitigate the Risk
ISMS stands for information security management system, and it can be defined using the internationally recognized information security standard ISO 27001. The standard describes how to set up an ISMS to serve as a systematic approach for protecting and managing a company’s data. The ISMS is therefore a collection of procedures, policies and various controls that determine the information security rules within an organization.
With a great number of IoT devices, and especially in large organizations, security becomes a daunting challenge. Producing safeguards for every single risk associated with the IoT becomes next to impossible if not managed systematically. Setting up an ISMS according to ISO 27001 dictates a process approach to information security, meaning that security is procedurally implemented at every single important point. Consequently, by determining security controls in congruence with those responsible for implementing them, you will be able to manage a complex system.
Dealing with the Problem of Shadow IoT
Have you ever heard of shadow IoT? It is a relatively new term which refers to the devices employees bring to the business environment without the knowledge of IT or security departments. It is essential to recognize the dangers associated with shadow IoT as it poses a serious threat to enterprise networks. For example, the lack of employee security awareness lets hackers install malware to create a botnet for DDoS attacks. This is exactly why security awareness and education are extremely important.
However, security awareness should go beyond your organization as hackers are also prone to executing vendor-based attacks. This means that you have to ensure you are getting your devices from a trusted vendor. When it comes to shadow IoT, the number of devices is growing by the day. Fitness activity trackers, digital assistants, smartwatches, smartphones and medical devices are the ones you need to pay special attention to.
Creating a bring your own device or BYOD policy can substantially reduce the information security risks associated with shadow IoT. Remember, always be prepared. The best thing to do would be to have a data breach strategy in place as well as to perform simulated breach scenarios.
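One way for IT to spot shadow IoT on a network segment, shown as an added example that is not part of the original article: compare the DHCP server's lease table against the approved device inventory. The lease lines (in dnsmasq lease-file layout), MAC addresses and inventory below are constructed sample data, and the function names are illustrative.

```python
"""Flag DHCP clients that are missing from the approved asset inventory."""

# Constructed sample in dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1572912000 00:11:22:AA:BB:01 10.0.20.11 lobby-thermostat *
1572912300 00:11:22:aa:bb:02 10.0.20.12 badge-reader-3 01:00:11:22:aa:bb:02
1572912600 de:ad:be:ef:00:10 10.0.20.57 fitness-band *
1572912900 de:ad:be:ef:00:11 10.0.20.58 * *
garbage line
"""

# Constructed inventory (MAC -> owner) as IT would record approved devices.
APPROVED = {
    "00:11:22:aa:bb:01": "facilities",
    "00-11-22-AA-BB-02": "physical-security",
}

def normalize_mac(mac):
    """Return a lowercase colon-separated MAC, or None if malformed."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True if the 'locally administered' bit is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def parse_leases(text):
    """Yield (mac, ip, hostname) for well-formed lease lines; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        mac = normalize_mac(fields[1]) if len(fields) >= 4 else None
        if mac is not None:
            yield mac, fields[2], None if fields[3] == "*" else fields[3]

def find_shadow_devices(lease_text, approved):
    """Return (mac, ip, hostname, randomized) for leases not in the inventory."""
    known = {normalize_mac(m) for m in approved}
    return [(mac, ip, host, is_locally_administered(mac))
            for mac, ip, host in parse_leases(lease_text) if mac not in known]

if __name__ == "__main__":
    for mac, ip, host, rand in find_shadow_devices(SAMPLE_LEASES, APPROVED):
        note = " (randomized MAC likely)" if rand else ""
        print(f"unapproved device {mac} at {ip}, hostname {host or 'not sent'}{note}")
```

A device flagged as using a locally administered MAC may reappear under a different address later, so treat a hit as a cue to locate the device on the switch or access point rather than as a stable identity.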
Basic Tips for Securing the IoT
- Don’t connect devices directly to the internet. If you put your IoT devices in front of a firewall, you are in danger of getting hacked since most of these devices were not built with security in mind. Focus on keeping your IoT devices behind the firewall.
- Change the default credentials. Create a complex password only you have access to. If you lose your password, you can easily reset the device as most of them come with a reset switch. Doing something simple such as creating a strong password can make or break your business so be serious about it. Unfortunately, some of these devices are poorly built and have undocumented backdoors hackers can utilize, so don’t forget the firewall.
- Remember to update the firmware. Vendors often provide security updates for their devices, so don’t forget to update the firmware prior to using the device. Furthermore, check the vendor’s website periodically for firmware updates.
- Check the defaults. Always check the default settings of the device. For example, features like “Universal Plug and Play” can poke holes in your firewall and open doors to hackers. Also, check if there are any exposed ports on your network by using ShieldsUP!. Additionally, consider upgrading your antivirus software to network or internet security level to ensure enhanced protection.
- Avoid devices with Peer-to-Peer capabilities. P2P IoT devices are extremely difficult to secure. They are configured to continuously search for available shared networks to connect to, so that anyone can access them remotely. Guess who can access them too?
- Think about the cost. IoT devices are not something you would want to save money on, because cheaper devices cost more in the long run. To be fully protected, don’t sacrifice quality for a cheaper device. It will end up costing you much more than the initial investment.
Evidently, we are living in an age where the world is getting more connected by the day. Our personal and business data is becoming more exposed with hackers finding new ways of getting a hold of it. The world of smart, connected devices brings a revolution in the ways we interact with our environment, but we must not let the technology get out of hand. That’s why each and every one of us is responsible for “beta testing” the rising tech. Luckily, there are ways to protect your company from IoT-related attacks.
First, you must learn as much as you can about the security issues involved with the internet of things. Remember that cheap devices will end up costing you much more in the long run. Secure your hardware and processes using an ISMS. The process-based approach is the most effective in dealing with any threat. Control which devices your employees bring to the organization and banish the shadow IoT. These tips are just the beginning, but any serious strategy requires a lot of preparation, so focus on fortifying your defenses early on.
Neb Ciric is a partnerships manager and writer with Advisera, a market leader in helping businesses implement ISO, ITIL, IATF, AS, and OHSAS standards. Neb has several years of experience in web content creation and currently writes about security, quality management, and compliance.