With an estimated 200 billion IoT devices deployed by 2020, the age of the Internet of Things (IoT) is upon us. However, it’s important to realise just how precarious IoT security is for businesses in the current landscape. Computers, phones, tablets and any other smart devices, such as digital assistants, can be a point of entry for an attack. From a single compromised or infected device, a threat can spread throughout your entire network.
What makes this harder to police is that most attacks today still rely on human error or social engineering techniques.
However, widespread IoT adoption is now predominantly non-negotiable for businesses in our tech-driven world. So, the answer is not to turn back the clock and scrap IoT usage but to find ways to manage cybersecurity risk within this new paradigm.
With that in mind, the following are five of the top considerations you need to be aware of in relation to how to secure IoT devices for your business:
1. Establish visibility across all your IoT devices
The first imperative is to know and have sight of your entire ecosystem of IoT devices. Having complete visibility of all your IT assets will assist the prevention of, your response to and recovery from cybersecurity incidents.
This includes knowing precisely how many devices come into contact with your network, their type, what firmware/OS/software they are running and where, when, how and by whom they are used.
Crucially, this will enable your security teams to establish a clearer security perimeter between your network and outside influences.
Secondly, it will help you track existing IoT security issues for your devices. For example, you will be able to identify which newly revealed zero-day exploits or security advisories apply to devices in your network. This will allow you to quickly update, patch, or apply security workarounds for vulnerable assets.
Thirdly, if an attack does occur, you can work through an organised and accurate inventory of your IT devices. Without a resource like this, the diagnostic process will be massively slowed as you first have to manually try and identify any possibly affected devices and the associated network mappings. Only then will you be able to start isolating, quarantining and sanitising devices. And, if a single device slips through the net, it is highly likely you will have to start the costly process, all over again.
Lastly, this value of this visibility is completed when it comes to carrying out your digital forensics. It will enable you to establish a timeline and chain of events, to trace the origin and behaviour of a threat. This information can help you harden your security against future attacks or aid with recovering from an existing attack.
2. Enforcing proper Identity Access Management and secure login credentials
Every device on your network is a potential gateway for an attacker. Attackers, on the other hand, still prefer to exploit the human factor to infiltrate business systems. This means that end-user devices are a uniquely vulnerable link within your cybersecurity ecosystem.
One of the easiest and most effective ways to do this is to enforce common-sense security practices. That means using strong passwords, unique passwords across multiple accounts, Single-Sign-On (SSO) access, auto log-out and multi-factor authentication. According to Microsoft’s Alex Weiner, the latter can prevent up to 99.9% of all cybersecurity attacks directed at businesses’ operating systems.
On the other hand, Identity Access Management (IAM) is one of the most challenging considerations when securing your IoT network. IAM is an essential part of IT security concerned with managing digital identities and access to data, systems and resources. It involves the policies, practices and technologies that limit identity-related security risks within a business.
In simple terms, IAM helps you verify that users are really who they say they are, that they have access only to what they need access to and that they are blocked from escalating privileges or unauthorised access to sensitive data/resources.
As many as 75% of businesses that implement an IAM solution report fewer attacks involving unauthorised access. However, by automating and streamlining access management, businesses can also run more efficiently. This is especially true in cloud or hybrid working environments.
Some form of formalised IAM is also required for compliance with frameworks like HIPAA, GDPR, and more.
3. Training and educating your workforce
As mentioned, the employees using various IoT devices throughout your network are the most vulnerable initial targets for cyber-attacks via social engineering techniques, such as phishing and credential hacking or malware, like Trojans.
Phishing attempts are particularly prevalent and a surprising amount of ‘tech savvy’ individuals fall foul. Attackers have become extremely good at disguising phishing emails as the real deal or domain spoofing legitimate businesses, like banks.
Often, malware is concealed in email attachments in the form of Microsoft Word or Excel documents designed in such a way that a majority of recipients will have no reason to suspect there is anything malicious about it.
This is why in-depth and regularly updated education and training programmes are vital to prepare end-users for various security threats. After all, a business’ network is very often only as secure as its most unsuspecting or untrained employee.
Among other important factors, your employees need to know the following to maintain IoT security:
- The most common and significant cybersecurity risks to your business
- How to spot phishing, social engineering, domain spoofing and similar types of attacks
- Common-sense security hygiene for their personal and work devices and accounts
- What protocols to follow when they suspect they have fallen victim to an attack
Phish Scale is an example of this type of training, developed specifically to enable workforces to prevent phishing attempts. It uses real-world scenarios and a rating system for identifying phishing attempts and establishing your trainees’ readiness.
4. Practising proper cybersecurity hygiene
There is a huge range of everyday practices that can help you maintain a secure IoT environment. In fact, there are probably too many to list in just this section.
The most basic and essential measure is to have top-notch endpoint security installed on all your devices. And just as crucial, to keep it up to date along with your operating system, firmware and other related software.
On the individual device level, good hygiene also involves routine security scans and properly sanitising devices before changing hands or interacting with new devices.
However, it would be best if you also considered cybersecurity hygiene across your entire infrastructure. For example, do you have adequate firewalls and network security measures in place between your network and the outside world and between various network devices or groups?
Do you use secure protocols to encrypt communication between devices or during upload/download? Do you use secure (e.g., WPA2) or insecure (WPA, WEP) network connection protocols?
You may also want to implement secure backup strategies, such as the 3-2-1 principle. In short, it states that you should have at least three copies of your backups. Two should be stored locally, but on different mediums, with another copy in a remote/offline location.
In addition to preventing attacks altogether, these methods will assist in both limiting the spread and mitigating the damage of an attack.
5. Implement physical IoT security measures
Firewalls, reverse proxies, endpoint security, etc., etc. We get so caught up in the idea of cybersecurity attacks only happening in the digital realm that we forget we are still dealing with physical devices.
In fact, for some cybersecurity or data privacy protection regulations, such as HIPAA (Health Insurance Portability and Accountability Act), physical security is a requirement. An example would be a life-preserving oxygen machine or electronic IV. Without any physical security measures, what is to prevent someone from simply walking in and turning it off, maliciously or by accident?
As a more general example, this would be akin to someone plugging a USB into a device with sensitive information and downloading it in person.
Depending on what industry you’re in and what devices you use, the risk of this type of threat can vary. However, it plays some role in nearly any context.
There is a long list of possible physical cybersecurity measures that can be useful depending on your unique situation:
- Security checkpoints
- Blocking unrecognised devices
- Tamper-proof device cases or measures
- The ability to remotely deactivate/block access to devices
IoT security Conclusion
The best way to counter threats is to consider and adopt multiple security practices. For example, if an employee’s tablet or laptop is stolen, you can prevent a potential cybersecurity event through considerations #3 or #5. With auto log-out and MFA, the attacker might be unable to access any accounts of associated apps on the device. Or, the device can be blocked using a remote trigger as soon as it’s reported missing.
The most important thing is that you businesses take a clear view on how each of these IoT security considerations should sit together to best fit their sector and/or business processes. While no IoT security perimeter is completely attack-proof, you can deter most attacks and significantly limit their impact.