By Jon Lucas, Co-Director of Hyve Managed Hosting
From remotely turning on the heating to streaming content over the web to televisions, IoT devices are popular in the home, as they drive automation and smart services. So, it’s not too surprising that IoT devices are also starting to show up more and more in business environments, whether as part of IT-driven projects, or brought in under the radar of the IT team, to support business-driven projects.
Marketing teams are now running in-store advertising on digital signage, logistics teams are using IoT to track vehicles and deliveries, and we use it to monitor temperatures in our data centres. We’re finding new applications of IoT daily to create new ways of doing business or to streamline operations.
Over all the noise, it is often forgotten that IoT is not yet a mature technology. Its security is not as hardened, well-developed, or easy to manage as the infrastructure of other, more established, parts of a business.
This vulnerability is evident in the growing use of botnets of hacked IoT devices to launch Distributed Denial of Service attacks against high-profile organisations. In 2016 the Mirai botnet, built from compromised IoT devices like security cameras and home routers, took down much of the Internet for East Coast America. These attacks have grown in both size and sophistication since then, according to security company Neustar.
It is more of a frustration than a mission-critical security risk to have compromised IoT devices acting in a botnet. However, we’re beginning to see hackers using poorly secured IoT devices as a gateway into corporate networks. Microsoft’s research team found evidence that a Russian hacking group – Strontium – had been using office printers and voice over IP phones as a backdoor into target organisations.
The threat is serious enough for the UK government to feel the need to create new basic security standards for IoT devices. With this in mind, here are five steps to achieving a successful security strategy in an IoT landscape.
1: Prepare, prepare, prepare
Many IoT devices ship with default passwords and settings, so it is in a business’s best interest to change these preemptively, rather than in reaction to an attack. Foresight like this should help prevent attackers from taking over a device as its administrator.
Following the classic set of rules for creating a strong password should do the trick: make sure there is a combination of lowercase and uppercase characters, numbers and symbols. You can also use password generators to create strong passwords. Not including words that make logical sense will also heighten the security of passwords.
2: Stay one step ahead
The default passwords and built-in security settings that many IoT devices come with should not be relied on for security purposes. These are generally far less secure compared with third party security software. Investing in some extra security features will help protect IoT devices. For example, installing a VPN onto a device will make it harder for hackers to target appliances, as it will hide its true IP address and secure data that is being transmitted.
3: Keep things refreshed
A vast majority of attacks on IoT devices are caused by networks known as ‘botnets’. A botnet is a group of devices, connected via the internet, that have been infected with malware. They can then be brought under the control of a malicious actor to deliver DDoS attacks or send spam. The key problem here is that the malware required to create a botnet has varying levels of visibility. More often than not it runs silently in the background.
In order to remove any malware that may be infecting a device, businesses should frequently restore IoT devices’ firmware to a known secure state after a certain timeframe. That way, organisations can be safe in the knowledge their devices are threat free.
4: Pay attention to device updates
One of the most important steps to take in keeping IoT devices secure is to carry out the software updates that manufacturers regularly send out. Although they may feel long and tedious, they will mitigate newly discovered security issues, as well as heighten protection for the future. Businesses that fail to do this risk their devices becoming discoverable and exploitable by hackers, who can then turn them into bots, so it is best to stay one step ahead.
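Steps 1, 3 and 4 can be checked automatically against a device inventory. The following is an added example, not part of the original article: the device records, the default-password and word lists, the field names and the 90-day restore interval are all constructed assumptions.

```python
import re
from datetime import date
# Everything below is constructed for illustration, not taken from the article.
FACTORY_DEFAULTS = {"admin", "password", "12345", "root"}
COMMON_WORDS = {"admin", "password", "office", "printer", "camera", "summer"}
MAX_REFLASH_AGE_DAYS = 90  # assumed policy interval; the article names no figure
CHAR_CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
                "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def password_issues(password):
    """Step 1: flag factory defaults, missing character classes, real words."""
    issues = []
    if password.lower() in FACTORY_DEFAULTS:
        issues.append("factory default password")
    for name, pattern in CHAR_CLASSES.items():
        if not re.search(pattern, password):
            issues.append(f"no {name} character")
    if any(word in password.lower() for word in COMMON_WORDS):
        issues.append("contains a dictionary word")
    return issues

def version_tuple(version):
    return tuple(int(p) for p in version.split("."))  # numeric, so 1.4.9 < 1.4.10

def firmware_issues(device, today):
    """Steps 3 and 4: overdue known-good restore, pending vendor update."""
    issues = []
    if (today - device["last_reflash"]).days > MAX_REFLASH_AGE_DAYS:
        issues.append("firmware restore overdue")
    if version_tuple(device["firmware"]) < version_tuple(device["latest_firmware"]):
        issues.append("vendor update pending")
    return issues

def audit(devices, today):
    """Return {device name: [issues]} for every device with a finding."""
    found = {d["name"]: password_issues(d["new_password"]) + firmware_issues(d, today)
             for d in devices}
    return {name: issues for name, issues in found.items() if issues}

SAMPLE_DEVICES = [  # constructed inventory; new_password is the value being provisioned
    {"name": "lobby-signage", "new_password": "admin", "last_reflash": date(2024, 1, 5),
     "firmware": "1.4.9", "latest_firmware": "1.4.10"},
    {"name": "dc-temp-sensor", "new_password": "q7#Lw9!xZr2&",
     "last_reflash": date(2024, 5, 20), "firmware": "2.0.1", "latest_firmware": "2.0.1"},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_DEVICES, date(2024, 6, 1)).items():
        print(f"{name}: {'; '.join(issues)}")
```

Firmware versions are compared as integer tuples because a plain string comparison would rank "1.4.9" above "1.4.10" and miss the pending update.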
5: Confirm you have the best expertise
Decision-makers in organisations must analyse their current cybersecurity strategy to ensure the business has the right skills in-house in order to secure an IT infrastructure that includes IoT devices. Finding the right people can be hard – unfilled cybersecurity jobs are expected to reach 1.8 million by 2022, up 20% from 1.5 million in 2015, according to the Center for Cyber Safety and Education.
Many SMBs (Small to Medium Businesses) and larger organisations outsource their security processes to managed service providers (MSPs), where they can take advantage of a bigger pool of security tools and expertise.
The number of devices in use will continue to grow exponentially, and we are only just starting to comprehend the full potential of IoT. Gartner has predicted that by 2020 there will be 14 billion IoT devices in existence. So, while businesses should be keeping on top of how connected devices can add to business value, they must also keep front of mind how these devices can be safely incorporated into their networks.