In 2016, cybersecurity software provider BlackBerry hacked a smart tea kettle at its Security Summit. It was a sobering demonstration of the fact that with the proliferation of the Internet of Things, corporate threat surfaces now comprise far more than computers and smartphones. It’s been almost four years since that demonstration, and not much has changed.
As revealed in a test carried out by cybersecurity specialist Palo Alto Networks, the IoT is still a cybersecurity nightmare. The test, which analyzed 1.2 million real-world devices, revealed the following:
- Nearly 98 percent of the traffic sent by IoT devices is unencrypted.
- Most networks commingle IoT devices with traditional computing hardware, opening them up to a range of security threats.
- 57 percent of IoT devices are currently vulnerable to what the analyst classed as ‘medium- to high-severity attacks.’
These are sobering statistics, which together speak to the importance of treating IoT as a central security concern for your business. Unfortunately, many organizations still don’t take it seriously enough. Until they do, botnets like Mirai and data breaches like 2017’s casino hack (reported here by Forbes) are only the beginning.
You cannot afford to be complacent about the security of your networks and servers, especially now. Your first step should be taking an inventory of which IoT devices are able to connect to your network. A complete discovery audit is necessary, giving you a full picture of every single connected endpoint.
Next, prioritize devices that do not feasibly need to be connected to your network. These may include smartwatches, fitness trackers, and kitchen appliances, many of which may have connected automatically and without your foreknowledge. You should also focus on technology that belongs to your vendors; third-party devices should never have a permanent access link.
While examining a connected device, don’t stop at merely identifying its origin. Analyze it to determine what data it is sending and receiving, and what assets it might be able to access. Find out what it is doing, and what it could potentially do.
For an IoT device that you absolutely must provide with Internet access, configure a separate guest network, isolated from your primary network. This way, employees won’t have to give up on the convenience of smart appliances, and you won’t need to worry as much about someone using a compromised smart endpoint as an attack vector. With careful network design, you can protect yourself against unauthorized access.
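The four steps above (inventory, prioritize, analyze traffic, segment) can be checked mechanically once you have flow records from your network. The script below is an added example, not from the article or from Palo Alto Networks: it runs a small audit over constructed NetFlow-style records against a constructed device inventory and flags the three things the article warns about: endpoints that are not in the inventory, IoT devices reaching corporate hosts (commingling), and IoT traffic leaving the network on cleartext ports. The subnets, device names, addresses and port list are all assumptions chosen for the example.

```python
"""Added example (not the article's code): a small IoT discovery and
segmentation audit over constructed flow records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory, assumed to come from an earlier discovery scan.
# The zone is where the device *should* live: "corporate" or "iot_guest".
INVENTORY = {
    "10.10.1.20": ("finance-laptop-07", "corporate"),
    "10.10.1.25": ("file-server", "corporate"),
    "192.168.50.14": ("breakroom-kettle", "iot_guest"),
    "192.168.50.31": ("lobby-thermostat", "iot_guest"),
}
# Assumed network layout: corporate assets and the isolated IoT guest segment.
CORPORATE_NETS = [ip_network("10.10.0.0/16")]
IOT_GUEST_NETS = [ip_network("192.168.50.0/24")]
# Destination ports whose traffic is cleartext by design.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt", 8080: "http-alt"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def zone_of(ip: str) -> str:
    """Classify an address as corporate, iot_guest or external."""
    addr = ip_address(ip)
    if any(addr in net for net in CORPORATE_NETS):
        return "corporate"
    if any(addr in net for net in IOT_GUEST_NETS):
        return "iot_guest"
    return "external"


def audit(flows, inventory=INVENTORY):
    """Return (kind, source_ip, message) findings for every suspicious flow."""
    findings = []
    for f in flows:
        name, expected_zone = inventory.get(f.src, ("UNKNOWN", None))
        # 1. Discovery gap: an internal address we have no record of.
        if expected_zone is None and zone_of(f.src) != "external":
            findings.append(("unknown_device", f.src,
                             f"{f.src} is on the network but not in the inventory"))
        # 2. Commingling: an IoT device talking to a corporate host.
        if expected_zone == "iot_guest" and zone_of(f.dst) == "corporate":
            findings.append(("commingled", f.src,
                             f"{name} reached corporate host {f.dst}:{f.dport}"))
        # 3. Cleartext egress: data leaving the network on an unencrypted port.
        if f.dport in CLEARTEXT_PORTS and zone_of(f.dst) == "external":
            findings.append(("cleartext_egress", f.src,
                             f"{name} sent {f.nbytes} bytes of "
                             f"{CLEARTEXT_PORTS[f.dport]} to {f.dst}"))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick risk-prioritization view."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample flows (documentation-range addresses for external hosts).
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.1.25", "tcp", 445, 120000),    # laptop -> file server: normal
    Flow("192.168.50.14", "203.0.113.9", "tcp", 80, 540),    # kettle phoning home over plain HTTP
    Flow("192.168.50.14", "203.0.113.9", "tcp", 443, 2100),  # same kettle over TLS: fine
    Flow("192.168.50.31", "10.10.1.25", "tcp", 445, 80),     # thermostat touching the file server
    Flow("192.168.50.77", "198.51.100.4", "tcp", 1883, 300), # unknown device, cleartext MQTT
]

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for kind, src, msg in results:
        print(f"[{kind}] {msg}")
    print("summary:", summarize(results))
```

The "commingled" rule is the direct test of the guest-network advice: once IoT devices live on their own segment, any flow from that segment into a corporate subnet is a routing or firewall mistake worth investigating. Feeding real flow exports into `audit()` only requires a loader that produces `Flow` objects.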
You should also turn an eye to your suppliers and vendors. Question them about their security practices as part of the decision and agreement process, and do what you can to monitor and control their practices. This may seem like an impossible task, so well-written contracts and regular third-party security audits are critical.
As for IoT vendors, be wary. While most will claim their products are secure, there’s not yet an authoritative certification process. There are standards emerging, yes, but they are doing so slowly – for the moment, IoT security is in many ways a free-for-all.
Where voice-activated assistants like Google, Siri, and Alexa are concerned, your business must weigh the security risks they represent versus the convenience they bring to the workplace. There is ample evidence that they may at least passively collect conversation data from their surroundings. As such, they must be kept out of any workplaces where sensitive information is discussed, particularly if you operate in a regulated industry.
As for your employees, you need to coach them on IoT security hygiene.
Many of them are now telecommuting, and likely have multiple smart devices on their home networks. If even one of the systems or apps they use is subject to a breach, that has the potential to put your business’s data at risk, as well. If possible, seek out a remote work solution that allows you to set policies on acceptable actions, data collection, and software updates, and one which can sandbox off corporate data so it’s not stored on personal devices.
Lastly, update your crisis response processes to include IoT data breaches. They should be treated the same as any critical incident, with regular drills and exercises to promote preparedness. Be pragmatic, and recognize that you cannot focus your attention everywhere, and should instead home in on the areas of greatest risk.
For better or worse, the Internet of Things is here to stay. Smart devices are everywhere, and hackers are having a field day with them. Unfortunately, the convenience they offer is such that you cannot eliminate them entirely.
Instead, you must simply do everything in your power to ensure the safety and containment of your data. If that makes you nervous, and this whole scenario looks like little more than ordered chaos, that’s good news. It means you have a solid understanding of network security, coupled with the skills to implement the right strategies to protect your business.