Jon Lucas, Co-Director of Hyve Managed Hosting, identifies what key steps organisations should be taking in order to protect their business and its customers against IoT security disasters.
According to research from IoT analytics, there are now approximately seven billion IoT (Internet of Things) devices worldwide. In the home these devices are driving automation and smart services, from remotely turning on the heating to streaming content from the web to TVs. So, it’s not too surprising that IoT devices are also starting to show up more and more in business environments, whether as part of IT-driven projects, or brought in under the radar of the IT team, to support business-driven projects.
We’re seeing marketing teams running in-store advertising on digital signage, logistics teams using IoT to track vehicles and deliveries and to monitor temperatures in our data centres. We’re finding new applications of IoT daily to create new ways of doing business or to streamline operations.
Amongst all the hype it’s easy to forget that IoT is still not a mature technology, with security that is not as hardened, well developed or easy to manage compared with other parts of the business infrastructure. This vulnerability is evident in the growing use of botnets of hacked IoT devices to launch Distributed Denial of Service attacks against high profile organisations. In 2016 the Mirai botnet, built from compromised IoT devices like security cameras and home routers, took down much of the Internet for East Coast America. These attacks have grown in both size and sophistication since then according to security company Neustar.
Having compromised IoT devices acting in a botnet is a frustration not a mission critical security risk. However, we’re beginning to see hackers using poorly secured IoT devices as a gateway into corporate networks. Microsoft’s research team found evidence that a Russian hacking group – Strontium – had been using office printers and voice over IP phones as a backdoor into target organisations.
The UK Government believes the threat is serious enough to create new basic security standards for IoT devices. With this in mind, here are five steps to achieving a successful security strategy in an IoT landscape.
Many IoT devices come with default settings and passwords; but businesses must make sure they have changed them pre-emptively, rather than in the face of an attack. Foresight like this should help prevent malware users taking over a device as its administrator. Following the classic set of rules for creating a strong password should do the trick: make sure there is a combination of lowercase and uppercase characters, numbers and symbols. You can also use password generators to create strong passwords. Not including words that make logical sense will also heighten the security of passwords.
Go the extra mile
Many IoT devices automatically come with default passwords and built-in security settings, but it’s generally not advisable to rely solely on these for security, as they can be far less secure in comparison to third-party security software. Investing in some extra security features will help protect IoT devices. For example, installing a VPN onto a device will make it harder for hackers to target appliances, as it will hide its true IP address and secure data that is being transmitted.
Many attacks on IoT devices are generated by networks known as ‘botnets’. A botnet is a group of devices, connected via the Internet, that have been infected with malware. They can then be brought under the control of a malicious actor to deliver DDoS attacks or send spam. The key problem here is that the malware required to create a botnet has varying levels of visibility. More often than not it runs silently in the background.
Businesses should regularly restore IoT devices’ firmware to a known good, secure state after a set time, in order to remove any malware that may be infecting the device. That way, organisations can be safe in the knowledge their devices are threat free.
Don’t ignore device updates
Although these can feel long and tedious, the software updates that manufacturers regularly send out are one of the most important steps to take to keep IoT devices secure. They will mitigate against newly discovered security issues, as well as heighten protection for the future. Businesses that fail to do this risk their devices becoming discoverable and exploitable by hackers, who can then turn them into bots, so it is best to stay one step ahead.
Ensure you have the right expertise
Decision-makers in businesses must evaluate their current cybersecurity strategy and decide whether the business has the right skills in-house in order to secure an IT infrastructure that includes IoT devices. Finding the right people can be hard – unfilled cybersecurity jobs are expected to reach 1.8 million by 2022, up 20% from 1.5 million in 2015, according to the Center for Cyber Safety and Education.
Many SMBs (Small to Medium Businesses) and larger organisations outsource their security processes to managed service providers (MSPs), where they can take advantage of a bigger pool of security tools and expertise.
We are only just beginning to understand the full potential of IoT and the numbers of devices in use will continue to grow exponentially. Gartner has predicted that there will be 14 billion IoT devices in existence by 2020. Businesses should be looking closely at how connected devices can help create business value but also how these devices can be safely added to their networks.