The Myth of IoT Security
After decades of digitizing all aspects of security, claiming that people are the weakest link—and they still are—it’s easy to turn a blind eye to IoT networks because they’re technology-based. But replacing physical tasks with remote gadgets and devices that do them better isn’t always a flawless solution.
You can think of adding IoT devices and networks to a business as adding more doors to your offices. The more entryways you have, the more locks, keys, and security cameras you’re going to need to keep them in check.
But while that’s all well and good with devices designed to support cybersecurity, like laptops, tablets, and desktop devices, IoT devices are like paper-thin doors with a plastic lock—you can’t rely on the manufacturer’s security features for protection. Drastic changes are needed.
Over the past couple of years, 70% of organizations worldwide suffered from an IoT-based cyberattack, the most notable incident being the casino’s database that was hacked through a fish tank thermometer. This wasn’t a case of using fancy tech or wiring the thermometer to stealthily gain access to the network. The approach was relatively straightforward because the thermometer was an IoT device connected to the internet and the casino’s internal network.
IoT devices are often left vulnerable to attacks through negligence, but they also weren’t manufactured with security in mind in the first place. They’re made for productivity and convenience.
Limited Computational Power
Most IoT devices are designed to accomplish a handful of tasks at best. Since the tasks are often quite simple and don’t require a lot of computational power, manufacturers keep the price point reasonable by not giving their devices more capacity than those tasks need. However, proper security measures often need adequate computational power to function.
Old Operating Systems and a Lack of Updates
Since the required function of the IoT device doesn’t change over time, most manufacturers don’t bother continuously sending operating system updates to the device. This leaves the devices vulnerable to both old and new methods of attack without the ability to patch gaps.
Poor Physical Security
Attackers won’t even have to breach the IoT device to access your network if they can get physical access to it. Unlike staff laptops and tablets that carry sensitive files and data, IoT devices aren’t as heavily guarded and often get left unsupervised in remote locations for long stretches of time. The lack of physical security measures leaves the device at a high risk of tampering, whether through sabotaging the device or directly installing malware or spyware through one of its ports.
Insecure Communication Protocols
Most IoT devices don’t use secure communication protocols when transferring data between the device itself, its cloud service, and your company’s main network. For instance, some man-in-the-middle (MITM) attacks take advantage of insecure key exchange practices to intercept and access data during transfer.
How to Secure Your IoT Devices
Despite all the downsides of IoT devices, you don’t necessarily have to forgo them and their benefits altogether just yet. There are multiple approaches you can take to securing IoT devices and minimizing the risks, ranging in complexity and significance.
Change Passwords
This seems like an obvious first step, but 47% of IT managers don’t change the default passwords and settings of IoT devices upon connecting them to their internal network. The same rules that apply to account and device passwords should be used on IoT devices:
Change the password every 30 to 90 days.
Use a complex mix of random letters, numbers, and symbols in varying cases in passwords.
Use two- or multi-factor authentication.
Use a password manager—or forgo written passwords altogether for passwordless logins.
Avoid sharing passwords among employees through insecure communication channels.
Keep off the Open Internet
IoT devices can only do their job properly if they’re connected to a bigger network or to a device or cloud that they can report back to. However, it’s best to keep IoT devices strictly connected to your internal network instead of the open internet. That’s because, according to NETSCOUT’s Threat Intelligence Report, IoT devices get attacked approximately five minutes after being connected to the internet.
Beware of Auto-Connecting
Most IoT and smart devices have the auto-connect option to a network switched on by default. While this, in itself, is a security risk to the average person, it could increase the risk of an IoT-sourced cyberattack for companies and corporations.
Approximately two-thirds of global organizations found over 1,000 personal and IoT devices connected to the company’s network. And unlike company-issued IoT services, you can’t ensure that all of them have had the necessary improvements made to their security.
In addition to setting up a barrier preventing any unauthorized device from connecting to the network, consider implementing a monitoring system. You could use it to keep a close eye on the health of all your devices and to alert you if anything is out of the ordinary, like unusual data flow.
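The monitoring described above, together with the earlier advice to keep IoT devices off the open internet, can be sketched as a check over flow records. This is an added example, not part of the original article; the inventory, internal address range, baselines, threshold factor, and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: MAC -> (device name, expected bytes per hour).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-thermostat", 50_000),
    "aa:bb:cc:00:00:02": ("dock-camera", 5_000_000),
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
VOLUME_FACTOR = 5  # assumed: alert when hourly bytes exceed 5x the baseline

# Constructed one-hour flow records: (source MAC, destination IP, bytes).
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.0.5.20", 40_000),
    ("aa:bb:cc:00:00:01", "203.0.113.7", 900_000),
    ("aa:bb:cc:00:00:02", "10.0.5.30", 4_200_000),
    ("de:ad:be:ef:00:09", "10.0.5.20", 1_200),
]

def is_internal(ip):
    """True if the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def audit(flows, inventory):
    """Return alerts for unknown devices, external traffic, and unusual volume."""
    alerts = []
    totals = defaultdict(int)
    for mac, dst, nbytes in flows:
        mac = mac.lower()
        if mac not in inventory:
            # Device was never approved: the auto-connect / personal device case.
            alerts.append(("unknown-device", mac, dst))
            continue
        totals[mac] += nbytes
        if not is_internal(dst):
            # Approved device reaching the open internet.
            alerts.append(("external-destination", mac, dst))
    for mac, total in totals.items():
        _name, baseline = inventory[mac]
        if total > VOLUME_FACTOR * baseline:
            # Hourly volume far above what this device normally sends.
            alerts.append(("unusual-volume", mac, total))
    return alerts

if __name__ == "__main__":
    for alert in audit(FLOWS, INVENTORY):
        print(alert)
```

MAC addresses can be spoofed, so an inventory match is a starting signal and works best alongside network access control on the switch or access point.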
Disable All Unnecessary Features
Most IoT devices come with a number of default settings turned on that work toward convenience and productivity instead of security. Upon adding a new IoT device to your network, go through its settings and additional features and disable anything that isn’t of use. Any type of data or additional service that the device offers can be an underlying security vulnerability.
Stick to Security-Oriented IoT Manufacturers
Software updates aren’t as frequent when it comes to IoT devices. And when they do happen, they often focus on improving the user interface and implementing a new feature or two. By only sourcing IoT devices from security-oriented companies, you can ensure that their regular updates also include a security update and a report of fixed bugs and vulnerabilities.