The 5 main considerations in ensuring IoT security for your business

With an estimated 200 billion IoT devices deployed by 2020, the age of the Internet of Things (IoT) is upon us. However, it’s important to realise just how precarious IoT security is for businesses in the current landscape. Computers, phones, tablets and any other smart devices, such as digital assistants, can be a point of entry for an attack. From a single compromised or infected device, a threat can spread throughout your entire network.

What makes this harder to police is that most attacks today still rely on human error or social engineering techniques.

However, widespread IoT adoption is now predominantly non-negotiable for businesses in our tech-driven world. So, the answer is not to turn back the clock and scrap IoT usage but to find ways to manage cybersecurity risk within this new paradigm.

With that in mind, the following are five of the top considerations you need to be aware of in relation to how to secure IoT devices for your business:

1. Establish visibility across all your IoT devices

The first imperative is to know and have sight of your entire ecosystem of IoT devices. Having complete visibility of all your IT assets will help you prevent, respond to and recover from cybersecurity incidents.

This includes knowing precisely how many devices come into contact with your network, their type, what firmware/OS/software they are running and where, when, how and by whom they are used.

Crucially, this will enable your security teams to establish a clearer security perimeter between your network and outside influences.

Secondly, it will help you track existing IoT security issues for your devices. For example, you will be able to identify which newly revealed zero-day exploits or security advisories apply to devices in your network. This will allow you to quickly update, patch, or apply security workarounds for vulnerable assets.

Thirdly, if an attack does occur, you can work through an organised and accurate inventory of your IT devices. Without a resource like this, the diagnostic process will be massively slowed, as you first have to manually identify any possibly affected devices and the associated network mappings. Only then will you be able to start isolating, quarantining and sanitising devices. And, if a single device slips through the net, it is highly likely you will have to start the costly process all over again.

Lastly, the value of this visibility is completed when it comes to carrying out your digital forensics. It will enable you to establish a timeline and chain of events, to trace the origin and behaviour of a threat. This information can help you harden your security against future attacks or aid with recovering from an existing attack.
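The advisory tracking described above depends on the inventory recording firmware versions in a comparable form. The following is an added example, not part of the original article: the record fields, vendor names and advisory ID are constructed placeholders, and it assumes dotted numeric firmware versions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Device:                       # one inventory row; field names are assumptions
    asset_id: str
    vendor: str
    model: str
    firmware: Optional[str]         # None = version was never recorded
    location: str
    owner: str

@dataclass(frozen=True)
class Advisory:                     # simplified advisory; real feeds carry more detail
    advisory_id: str
    vendor: str
    model: str
    fixed_in: str                   # first firmware version containing the fix

def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in text.split("."))

def triage(inventory, advisories):
    """Map each advisory ID to asset IDs that are affected or cannot be ruled out."""
    report = {}
    for adv in advisories:
        hit = {"affected": [], "unknown": []}
        target = (adv.vendor.lower(), adv.model.lower())
        for dev in inventory:
            if (dev.vendor.lower(), dev.model.lower()) != target:
                continue
            if dev.firmware is None:
                hit["unknown"].append(dev.asset_id)    # gap in visibility
            elif parse_version(dev.firmware) < parse_version(adv.fixed_in):
                hit["affected"].append(dev.asset_id)   # needs patch or workaround
        report[adv.advisory_id] = hit
    return report

# Constructed sample data (not real products or advisories)
INVENTORY = [
    Device("cam-01", "ExampleCam", "X100", "1.9.4", "lobby", "facilities"),
    Device("cam-02", "ExampleCam", "X100", "1.10.0", "warehouse", "facilities"),
    Device("cam-03", "examplecam", "x100", None, "car park", "unassigned"),
    Device("tab-07", "ExampleTab", "T5", "4.2.1", "sales floor", "j.doe"),
]
ADVISORIES = [Advisory("EXAMPLE-ADV-0001", "ExampleCam", "X100", "1.10.0")]

if __name__ == "__main__":
    print(triage(INVENTORY, ADVISORIES))
```

Comparing the version strings as plain text would rank 1.9.4 above 1.10.0 and miss cam-01, and a device with no recorded firmware is reported separately because the inventory cannot show whether it is patched.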

2. Enforcing proper Identity Access Management and secure login credentials

Every device on your network is a potential gateway for an attacker. Attackers, on the other hand, still prefer to exploit the human factor to infiltrate business systems. This means that end-user devices are a uniquely vulnerable link within your cybersecurity ecosystem.

One of the easiest and most effective ways to protect them is to enforce common-sense security practices. That means using strong passwords, a unique password for each account, Single Sign-On (SSO) access, auto log-out and multi-factor authentication. According to Microsoft’s Alex Weiner, the latter can prevent up to 99.9% of all cybersecurity attacks directed at businesses’ operating systems.

On the other hand, Identity Access Management (IAM) is one of the most challenging considerations when securing your IoT network. IAM is an essential part of IT security concerned with managing digital identities and access to data, systems and resources. It involves the policies, practices and technologies that limit identity-related security risks within a business.

In simple terms, IAM helps you verify that users are really who they say they are, that they have access only to what they need access to and that they are blocked from escalating privileges or unauthorised access to sensitive data/resources.

As many as 75% of businesses that implement an IAM solution report fewer attacks involving unauthorised access. By automating and streamlining access management, businesses can also run more efficiently. This is especially true in cloud or hybrid working environments.

Some form of formalised IAM is also required for compliance with frameworks like HIPAA, GDPR, and more.

3. Training and educating your workforce

As mentioned, the employees using various IoT devices throughout your network are the most vulnerable initial targets for cyber-attacks via social engineering techniques, such as phishing and credential hacking or malware, like Trojans.

Phishing attempts are particularly prevalent and a surprising number of ‘tech savvy’ individuals fall foul of them. Attackers have become extremely good at disguising phishing emails as the real deal or spoofing the domains of legitimate businesses, like banks.

Often, malware is concealed in email attachments in the form of Microsoft Word or Excel documents designed in such a way that a majority of recipients will have no reason to suspect there is anything malicious about them.

This is why in-depth and regularly updated education and training programmes are vital to prepare end-users for various security threats. After all, a business’ network is very often only as secure as its most unsuspecting or untrained employee.

Among other important factors, your employees need to know the following to maintain IoT security:

  • The most common and significant cybersecurity risks to your business
  • How to spot phishing, social engineering, domain spoofing and similar types of attacks
  • Common-sense security hygiene for their personal and work devices and accounts
  • What protocols to follow when they suspect they have fallen victim to an attack

Phish Scale is an example of this type of training, developed specifically to enable workforces to prevent phishing attempts. It uses real-world scenarios and a rating system for identifying phishing attempts and establishing your trainees’ readiness.

4. Practising proper cybersecurity hygiene

There is a huge range of everyday practices that can help you maintain a secure IoT environment. In fact, there are probably too many to list in just this section.

The most basic and essential measure is to have top-notch endpoint security installed on all your devices. Just as crucial is keeping it up to date, along with your operating system, firmware and other related software.

On the individual device level, good hygiene also involves routine security scans and properly sanitising devices before they change hands or interact with new devices.

However, you should also consider cybersecurity hygiene across your entire infrastructure. For example, do you have adequate firewalls and network security measures in place between your network and the outside world and between various network devices or groups?

Do you use secure protocols to encrypt communication between devices or during upload/download? Do you use secure (e.g., WPA2) or insecure (WPA, WEP) network connection protocols?

You may also want to implement secure backup strategies, such as the 3-2-1 principle. In short, it states that you should have at least three copies of your backups. Two should be stored locally, but on different mediums, with another copy in a remote/offline location.

In addition to preventing attacks altogether, these methods will assist in both limiting the spread and mitigating the damage of an attack.

5. Implement physical IoT security measures

Firewalls, reverse proxies, endpoint security, etc., etc. We get so caught up in the idea of cybersecurity attacks only happening in the digital realm that we forget we are still dealing with physical devices.

In fact, for some cybersecurity or data privacy protection regulations, such as HIPAA (Health Insurance Portability and Accountability Act), physical security is a requirement. An example would be a life-preserving oxygen machine or electronic IV. Without any physical security measures, what is to prevent someone from simply walking in and turning it off, maliciously or by accident?

As a more general example, this would be akin to someone plugging a USB into a device with sensitive information and downloading it in person.

Depending on what industry you’re in and what devices you use, the risk of this type of threat can vary. However, it plays some role in nearly any context.

There is a long list of possible physical cybersecurity measures that can be useful depending on your unique situation:

  • Cameras
  • Security checkpoints
  • Biometrics
  • Blocking unrecognised devices
  • Tamper-proof device cases or measures
  • The ability to remotely deactivate/block access to devices

IoT security Conclusion

Security is one of the most prevalent IoT problems facing businesses today.

The best way to counter threats is to consider and adopt multiple security practices. For example, if an employee’s tablet or laptop is stolen, you can prevent a potential cybersecurity event through considerations #3 or #5. With auto log-out and MFA, the attacker might be unable to access any accounts of associated apps on the device. Or, the device can be blocked using a remote trigger as soon as it’s reported missing.

The most important thing is that businesses take a clear view on how each of these IoT security considerations should sit together to best fit their sector and/or business processes. While no IoT security perimeter is completely attack-proof, you can deter most attacks and significantly limit their impact.
