IoT devices present an attack vector that many organizations have not had to think about in the past.
According to a new study from Kaspersky, 64% of companies use Internet of Things (IoT) solutions, and 57% say their biggest concern with the technology is a cybersecurity breach. However, 43% report that at least one type of IoT device they use is not properly secured. While this may not be the majority, the number of IoT devices multiplied across all of those companies adds up to a significant amount of vulnerability in the business community. And that number is growing, with the global number of connected IoT devices predicted to increase by 9% by 2025.
Cyberattacks are among the most disruptive things that can happen to any company, taking valuable resources away from critical tasks and diminishing the company's brand. IoT devices present an attack vector that many organizations have not had to think about in the past. Therefore, if your company is concerned about cybersecurity – and it should be – you must think beyond protecting traditional networks and devices. In the following sections, we explore steps you can take to improve IoT cybersecurity.
IoT in specific sectors
Before addressing IoT cybersecurity, it's important to understand how IoT is used in your industry. Here are some examples.
- Health care. Patients with chronic illnesses use wearable IoT devices such as fitness trackers, pulse oximeters, and blood pressure watches to monitor their condition and send information about it to healthcare professionals. Other types of devices are used in hospitals to monitor the status of patients and medical machines.
- Manufacturing. To improve manufacturing operations, IoT sensors can be attached to machines and equipment to collect data and ensure optimal functioning. This information allows operators to plan and schedule maintenance, repair and replacement in alignment with business processes and cash flow.
- Logistics. IoT sensors are used to monitor the movement of shipments, provide data on information stored in warehouses, and monitor storage and transportation conditions.
- Automotive. Connected devices allow cars and trucks to stay connected to valuable services such as safety networks, drive autonomously, alert drivers to needed maintenance, and track fleet vehicles.
- Retail. Sensor-based capabilities enable physical retail establishments to provide new shopping experiences such as optimized fitting rooms, perfectly timed product information, and out-of-the-box functionality.
Understand the situation
In the past, the number of entry points for cybercriminals was limited. Now, the billions of IoT units in operation create additional attack vectors for hackers to enter enterprise networks, as the number of botnet DDoS attacks on IoT devices continues to grow. These attacks prevent websites from functioning, causing untold loss of revenue and reputation. Other types of attacks can lead to data loss and to proprietary information being shared in public or with competitors.
The first step to preventing such scenarios while ensuring robust IoT cybersecurity is to get a sense of your entire digital ecosystem, from sensors in shipping crates or production machines to the smart refrigerator in the break room. Since multiple departments may have deployed smart devices on their own, it is important for IT to gather all of this information, create a database of every device, and evaluate each device for risk factors.
Develop procedures
The next step is to develop processes to close security gaps. The following specific actions are good starting points.
- Use a strict access policy. According to a recent TechRepublic article, “A Zero Trust approach to security assumes that every network is breached, every machine is compromised, and every user is (unwittingly or not) at risk.”
- Create a vulnerability management program. A vulnerability management program establishes an ongoing process for identifying and mitigating vulnerabilities.
- Use a dedicated IoT gateway. An IoT gateway is a physical or virtual platform that connects IoT devices – such as sensors, IoT modules, and smart devices – to the cloud.
- Ensure IoT governance. This approach includes rigorous checks and authentication of each new device, following manufacturer guidelines, prioritizing data privacy and ensuring compliance with security requirements.
- Develop a cyber immunity approach. Cyber immunity means that IoT devices are linked through other devices without additional security functionality, making the systems immune to certain cyber attacks.
Once these procedures are implemented, each device must be continuously monitored, including regular security audits.
Mitigate third-party risks
Even if you are doing everything you can to provide robust cybersecurity in-house, you may encounter additional problems with third-party vendors. For example, the vendor's employees may have access to your networks. While you want to think the best of them, you should treat them as if they were your own employees, with Zero Trust measures in place. Not doing so puts your entire organization at risk.
In addition to creating processes for internal security review and repair, you should evaluate the security posture of the companies you choose to work with and ensure they are willing to work within your security parameters. Make this step part of the vetting process for each potential new supplier. Also be sure to review your current suppliers to ensure they are in compliance with your policies.
Create a cybersecurity manual
Once you've recognized your industry's specific risk factors, taken stock of your digital ecosystem, and developed procedures to mitigate internal and third-party risks, document all of this information in a cybersecurity manual that outlines your policies. It should include how you will protect your systems, detect and respond to threats, communicate between team members, and recover data in the event of a breach.
Consider the alternatives
So, is your IoT security robust enough? Probably not. The best path forward is to assume that it is not, and go from there to determine where you are now and what your next steps should be. All this effort may seem like a lot of work, but consider the alternatives, which include an at-risk system that you always have to worry about and the potential for a data disaster that you may not be able to recover from.