The IoT (Internet of Things) has garnered massive popularity over the past few years. Businesses around the world are leveraging the power of the IoT to put efficient processes in place, enhance asset utilization, increase productivity, and cut costs. However, organizations should also assess what risks are associated with using these devices and how to address them.
The Ponemon Institute asked 605 security experts about any data breaches related to IoT devices in their organizations. In 2017, as many as 15% said yes, their organizations had experienced a cyberattack or data breach due to unsecured IoT devices within the past year. That number increased to 21% in 2018, suggesting a rise in IoT-related security breaches.
Irdeto surveyed 700 organizations from different industries and found that 80% of them had experienced IoT-related cyberattacks in the past 12 months. 90% of these attacks resulted in operational downtime and compromised data/security of the end-user.
These attacks not only call the integrity of IoT devices into question, but they also put a massive amount of data at risk. The biggest problem with IoT devices is that there is no set standard of security because of their wide, non-standard purposes.
Securing these devices requires securing the components that combine to make up the IoT system. These include hardware, sensors, connectors, gateways, and application software.
A typical IoT system needs to be divided into 4 different parts before it can be assessed for threats. These parts have different attack surfaces that need to be addressed to secure the network.
Even though there are many different attack surfaces, as mentioned above, organizations are continually increasing the use of IoT devices. Healthcare, food production, manufacturing, finance, and energy are some industries IoT has remodeled in the past few years.
For instance, IoT devices have made remote monitoring of patients possible in the healthcare sector, enhancing the potential to keep patients healthy and safe, while empowering doctors to deliver superlative care.
Another great example of how the IoT has transformed the way industries work is in industrial manufacturing. IoT has taken intelligent devices and networked sensors and put those technologies to use directly on the manufacturing floor, collecting important data to drive predictive analytics and artificial intelligence.
With such a great response, even the manufacturers are rolling out new devices in short periods. The IoT industry was $190 billion in 2018, and it is expected to reach $1102.6 billion by 2026.
This rapid demand keeps developers on their toes to make the devices more and more stable, sometimes overlooking the security part.
The number of devices is directly proportional to potential data breaches. The risk is not limited to data: the scope of IoT devices goes beyond that, as they are capable of actual physical attacks.
For example, if there are IoT security cameras in an organization, they can be hacked to get a blueprint of the floor plan to carry out an organized heist.
With such precarious implications, securing IoT devices has become essential for any organization. Every CISO (Chief Information Security Officer) should be aware of the following practices that can help them secure IoT devices on their networks and minimize the possibility of an attack.
It is essential to know which devices are connected to your network and what their uses are. While all devices need to be secured, you must prioritize the devices that handle the most sensitive information.
During this discovery audit, you may find some devices that shouldn’t be on your network. These devices could be your employees’ or your partners’ personal assistants or smartwatches that connected to your secure network.
These devices may have had temporary connectivity, but somehow, they received permanent access. To help secure your business from IoT-related data breaches, identify any such devices and remove them from your network or segment them into a different untrusted network.
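The discovery audit described above can be automated as a reconciliation between what is seen on the network and what is approved. The following is an added example, not part of the original article; the inventory format, device names, MAC addresses and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data, not from the article. Inventory is keyed by MAC;
# "expires" is set only for devices that were granted temporary access.
INVENTORY = {
    "00:11:22:aa:bb:01": {"name": "lobby-camera", "sensitivity": 2, "expires": None},
    "00:11:22:aa:bb:02": {"name": "patient-monitor-gw", "sensitivity": 3, "expires": None},
    "00:11:22:aa:bb:03": {"name": "partner-smartwatch", "sensitivity": 1,
                          "expires": date(2024, 1, 31)},
    "00:11:22:aa:bb:04": {"name": "hvac-controller", "sensitivity": 2, "expires": None},
}

# Constructed snapshot of MAC addresses currently seen on the network,
# for example exported from DHCP leases or switch tables.
OBSERVED = ["00:11:22:AA:BB:01", "00-11-22-AA-BB-02",
            "00:11:22:aa:bb:03", "DE:AD:BE:EF:00:99"]


def normalize(mac):
    """Lower-case and use ':' separators so both sources compare equal."""
    return mac.strip().lower().replace("-", ":")


def audit(observed, inventory, today):
    """Reconcile observed devices against the approved inventory."""
    seen = {normalize(m) for m in observed}
    report = {"unknown": [], "expired": [], "missing": [], "priority": []}
    for mac in sorted(seen):
        entry = inventory.get(mac)
        if entry is None:
            report["unknown"].append(mac)   # remove or move to an untrusted segment
        elif entry["expires"] and entry["expires"] < today:
            report["expired"].append(mac)   # temporary access that became permanent
        else:
            report["priority"].append((entry["sensitivity"], entry["name"]))
    # Approved devices not seen: the device is offline or the inventory is stale.
    report["missing"] = sorted(m for m in inventory if m not in seen)
    # Most sensitive devices first: these are secured before the rest.
    report["priority"] = [n for _, n in sorted(report["priority"], reverse=True)]
    return report


if __name__ == "__main__":
    for section, items in audit(OBSERVED, INVENTORY, date(2024, 3, 1)).items():
        print(f"{section}: {items}")
```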
There are various stakeholders of IoT devices, and any plan to secure these devices will have to be a collective effort.
Business units will have to work together to secure the devices with multi-layered protection to thwart attackers. At a minimum, the security layers will delay an attacker, allowing time for detection and response to a given attack.
It should also be noted that the devices that hold the most sensitive information should be on a separate network altogether. The better you can protect your devices from the network, the more your network will be protected.
Businesses that provide goods and services to you can also cause security breaches on your network.
For example, the infamous Target data breach happened because their HVAC (heating, ventilation, and air conditioning) subcontractor stored network credentials on their system, which was later compromised due to an IoT-related attack.
Your vendors can put you at risk of an IoT-related data breach, which is why it is essential to have a vendor risk management program.
Many security teams find it difficult to monitor what data their vendors and partners store, and how secure their networks are.
54% of respondents in the Ponemon study said that they are not sure if the IoT security policies of their vendors are enough to stop a breach. 44% said that the complications of IoT devices and the number of vendors/partners make this task even more difficult.
The best way to deal with this problem is to identify and test the security levels of any IoT product you buy for your enterprise.
If you find the security provided by them is sufficient, you can put it in the contract to make sure that they continue to provide the same level of security.
Test their commitment every year, and let them know of any discrepancies related to their network and system security. If they fail to fix it in the stipulated time, you can hold them liable for breach of contract and look for other solutions that are committed to security.
IoT vendors will go out of their way to tell you how secure their devices are. They may boast about their various certifications but be unable to provide validation because of the complex nature of IoT devices.
There are some organizations, like NIST and Underwriters Laboratories (UL), that are developing standard certifications for IoT devices. While they may be far from a definitive result, they are working towards the same goal – to develop a standard for IoT devices that will help prevent IoT-related data breaches.
Until these organizations reach a final result, IoT security should become an integral part of your overall efforts at securing your company’s network. The standards set by the manufacturers are not yet enough.
Securing the OS and firmware of IoT devices and providing API security for third-party integrations are some of the most critical parts of this process.
Internet-related threats are developing and multiplying every second. The best a CISO can do is to regularly study these threats, and equip all devices with the latest security patches for known threats.
However, it is often difficult to patch these devices, so it is recommended to have a patch strategy, or to be able to pull them offline easily, to avoid disrupting the user experience or causing unplanned downtime.
Constant monitoring of IoT devices can also help you detect attacks at an early stage and limit the damage caused.
Cyberattack drills can also help you prepare for the worst-case scenario. Simulate an IoT-related breach through a different form of attack every time to keep your security team prepared. Document every detail, and try to beat your achievements from the previous drill to improve your responsiveness against such attacks.
Setting up various forms of security measures, like firewalls, spam filters, two-factor authentication, etc., will be of no use if you leave the IoT backdoor open.
The time has come for manufacturers to pay as much attention to the security of their devices as to any other part of their business.
At present, IoT security may feel like a completely unorganized area, and that is partially true. The more time companies waste, the more data breaches will happen because of IoT devices.
Standards for IoT security need to be set so that organizations can continue to use these devices without hesitation.