IoT Security Flaws Are Putting Your Business at Risk
By Lilla Ross
As industries invest in the next generation of technology, the internet of things is at the top of the list. Once a novelty best known in residential settings, IoT technology has become mainstream in business and industry. Some even predict that having a Google Home or Amazon Echo in the conference room will become the norm.
Now, you will find connected devices in Amazon’s warehouse robotics system Kiva, Airbus’ Factory of the Future and the augmented reality used by Caterpillar in its Cat Connect system. The number of IoT devices in use by 2025 could reach 22 billion, according to an IoT Analytics report. They will transform manufacturing, warehouse and logistics, health care, agriculture, shipping, energy and aviation. But cybercriminals are innovating, too, devising new viruses and strategies for ransomware attacks.
IoT Devices in the workplace
IoT security can’t be done as an afterthought; it must be integrated into operations from Day One because connected devices and systems use cryptographic keys that transmit data. Cybercriminals can gain access through these keys, allowing them to infect devices and systems with malware, steal data or shut down systems. Sometimes, the vulnerability has gone undetected for months. About half of all devices connected to business networks are consumer devices — smartphones, smartwatches, fitness trackers, laptops and tablets, reports cybersecurity firm Zscaler. Many of these devices have little or no cyberprotection, and are used in both personal and business settings.
Zscaler’s own software went from blocking 2,000 hacking attempts a month to 14,000. “What this tells us is that employees inside the office might be checking their nanny cam over the corporate network. Or using their Apple Watch to look at email,” Zscaler said. “Or working from home, connected to the enterprise network, and periodically checking the home security system.” A cyberattack can be started by innocently opening a phishing email or plugging a device into a public charging station, like those found at airports, and infecting a device with malware.
The introduction of 5G will only make cybersecurity more complicated.
Organizations may shift to a practice of letting employees use public Wi-Fi as 5G is launched around the country and cellular networks overtake fixed ones. Currently, 48% of companies ban the use of public Wi-Fi, but 80% say mobile will be their primary means of accessing cloud services within five years, according to a Verizon report. Verizon’s 2020 Mobile Security report found that 59% of companies using mobile devices experienced downtime from an attack and 58% reported losing data. Not only can that snarl operations, it can damage a brand’s reputation. A recent report from Deloitte finds that many businesses and industries are not prepared to protect IoT devices. The report lists 10 security risks commonly found in IoT environments:
- Not having a security and privacy program.
- Lack of ownership/governance to drive security and privacy.
- Security not being incorporated into the design of products and ecosystems.
- Insufficient security awareness and training for engineers and architects.
- Lack of IoT/IIoT and product security and privacy resources.
- Insufficient monitoring of devices and systems to detect security events.
- Lack of post-market/ implementation security and privacy risk management.
- Lack of visibility of products or not having a full product inventory.
- Identifying and treating risks of fielded and legacy products.
- Inexperienced/immature incident-response processes.
At the recent RSA Conference in San Francisco, Deral Heiland, an IoT researcher at Rapid7, said some businesses don’t realize that their technology is considered part of the internet of things. He defines IoT as devices used for:
- Embedded technology.
- Capability to be moved to the cloud.
- Management control — to control and manipulate data.
- Cloud service APIs and storage.
Building security into the design is the most cost-effective strategy, especially when considering the high price of recovering from a data breach. Among the things businesses and industries should consider before acquiring a connected device or system is whether the manufacturer has a product security testing program in place, Heiland said. Third-party vendors need to be asked about their cybersecurity protocols and establish responsibility for detection of cybersecurity threats as well as response and recovery. Every organization needs to be proactive when it comes to setting up a cyberdefense and changes in the workforce, and internet connectivity can make that challenging. The first place for any organization to start is with the best practices in place for its own industry. These are available through regulatory bodies, plus trade and peer groups. They can be customized for each organization’s needs.
The Deloitte study found that 28% of industries use a predefined standard, 41% use a customized standard and 30% use no standard at all. But with 48% of respondents saying they are integrating connected devices and products into their organization, it is critical that standards be established and followed. An IoT security strategy begins with a thorough inventory of all devices, including its physical location, how it is connected, who uses it and known vulnerabilities, says Charaka Goonatilake, chief technology officer for Panaseer. Software needs to be updated regularly and vulnerabilities patched. Passwords need to be changed often and email addresses associated with the device should be limited. And employees need to be educated about the safe use of devices and how to detect cyberattack threats.
If you enjoyed this deep dive into IoT Security, you can subscribe to our daily cybersecurity news briefing for more informative content. For even more quality news coverage, you can subscribe to any of SmartBrief’s 275+ free newsletters.