A hack or data breach can result in cost for your business, whether they’re incurred by fines, lost resource, or bad PR. As businesses expand their use of the internet, and introduce more touchpoints on their networks, the potential risk of a hack grows. But with the right approach to security, your business can still enjoy the benefits of IoT while mitigating the risks.
Barely a day goes by without a hack or data breach being reported in the media, which is one of the reasons why cybersecurity is such a key topic being discussed at Internet of Things World. Alarmingly, many of these hacks are carried out using basic, unsophisticated hacking techniques.
But let’s not be complacent. According to HaveIBeenPwned, a website that tracks known data breaches, the number of breached accounts now exceeds seven billion. But there are probably millions more out there still undiscovered, lurking on the dark web or languishing on poorly secured servers on the web. And yet more are still being planned.
Keeping a tight grip on network security is challenging. With every touchpoint added comes another potential gateway to the network. How can businesses leverage the considerable benefits of IoT, without leaving themselves wide open to attack at every turn?
1. Detect the risk and the benefits
The beauty of IoT is the ability to monitor a system using sensors that are essentially self-contained. Because each sensor or device has its own software, it can function independently of the rest of the network. But that means each one is essentially a ‘hackable’ device in its own right, at least in theory.
The actionable data provided by IoT sensors provides unparalleled insight; information that can be used to tune and tweak for optimum efficiency. And with all this data, in near-real-time, you can report more accurately and see ‘under the hood’. The key point is that nobody else should have the same access that you do. They might not care about the data you’re collecting, but they may be very keen to use that entry point as a gateway to other systems.
Security in the digital age is all about finding a balance between convenience and risk. Consider the simple password containing a dictionary word and compare it to a random string that is impossible for a human to commit to memory. A single word password, while being easy to manage, leaves a business open to an unsophisticated brute force attack. It is convenient, but the risk is too great. In the same way, we need to consider ways to retain the convenience of IoT, but we need to also avoid compromising the security of business systems along the way.
2. Managing Touchpoints
The less detectable a hack is, the more likely it is that it will survive. And as hackers look for ways to monetize their work, they are becoming more creative. In some ways, they are playing a longer game.
Consider the cryptocurrency scripts subtly injected into MicroTik router administration screens in 2018; users were blissfully aware that their home networks were part of a huge coin mining operation. With so little drain on each individual device, it was almost impossible to detect the problem. This is one risk of a widespread hack.
Similarly, the use of devices that have pre-set default passwords is a problem as we add more and more devices to the networks we manage. It’s no surprise that the state of California has clamped down on poorly secured devices, and they give us clues as to our own security regimen.
Securing IoT devices therefore demands a predictable approach:
- Methodical checks for unusual network activity, backed up by automatic monitoring and alerts.
- Secure passwords that are difficult to share and impossible to memorize, with good quality password management software to ease the burden on your IT staff.
- Scheduled checks for firmware updates and software patches, without relying on devices to ‘do their own housekeeping’.
- Checks on the methods used to encrypt data at rest and in transit, but, crucially, on the location and holder of encryption keys.
- Culture change; IoT must be a security concern, rather than a separate ‘set and forget’ system.
- User training so that all staff who use the devices understand why simple password hygiene and software updates are important, and why any devices deployed on the network must be appropriately logged and secured.
These are not new suggestions. Anyone who’s spent any time speaking with their IT service desk will recognize the themes instantly. But they endure in the age of IoT, just as they have served us well so far. Overall, a methodical approach is the best way to prevent IoT devices from being risky touchpoints on the open web.
3. Prevent, Don’t Cure
Hacking is often more mundane, subtler, and more low-key than we expect. And a hack may not uncover sensitive information about your business. No offence, but here’s the rub: there may not be much value in the data you hold.
But a hack could result in the planting of malicious software that wreaks havoc, costs you money in bitcoin ransom payments, or leads to GDPR breaches and other potentially expensive outcomes. Equally, hackers could simply be looking for those old favorites: email addresses, credit card numbers, and opportunities to spam.
Even the smallest business routinely deals with privileged third-party data, and it’s this position as a ‘gateway’ to a better-secured client that the hacker could find appealing. With the right approach to IoT security, you can prevent your business from being the target that cyber criminals are looking to exploit.
About the author
Zach Butler is the Portfolio Director of IoT World with a deep understanding of all things disruptive technology. Zach’s experience revolves around how ecosystems developing IoT, artificial intelligence (AI), augmented reality (AR), virtual reality (VR) and blockchain are disrupting enterprise markets by enabling digital transformation.