The most overlooked threat to your network? IoT devices.
Published: Mar 8, 2019
As the Internet of Things matures, IoT devices are becoming a common part of many industries. But even as the devices—from sensors to cameras to smart buildings and smart factory components—proliferate, they’re less apt to be protected from data breaches and cyberattacks.
These devices and the data they transmit open up another area of enterprise vulnerability. In a recent study by DigiCert, companies reported losing money due to a lack of best practices when it comes to IoT operations, and 82% of respondents reported that they were concerned about IoT security challenges.
This needs to change. For companies that want to take advantage of the efficiencies and information that IoT offers, prioritizing device and data security is paramount. Those that understand the risk and take strategic steps to reduce it will be more apt to make the most of their device investment.
The risk rises
The DigiCert report notes that even one third of top tier companies—those that demonstrated aptitude in reducing IoT security threats—still experienced a security incident in the two years the survey covered. The impacts were significant: Among the companies with the most IoT challenges, 25% experienced losses of more than $34 million.
While the number of IoT devices grows, the demand for newer and cheaper devices could increase the risk even further. Some industry observers have noted that manufacturers may be less inclined to incorporate security into their devices in order to better compete with lower prices on the market.
Another important aspect to consider is the security of the data that IoT devices collect and transmit. Some estimates put the amount of data generated by IoT at 5 quintillion bytes a day. Protecting this massive amount of information at the endpoints and in transit should be a key part of any IoT security strategy. Several factors come into play including the risks of transmitting unencrypted data and the logistics of securely storing it. As you plan and implement your network and security architecture, here are some important points to consider:
IoT device security and data
Fortunately, there is a lot IT teams can do to improve IoT security now and going forward. The first step is developing a strategy for evaluating and monitoring device and data security on a regular basis. Consider implementing the following best practices to create an IoT device security strategy that helps protect your organization:
Review device security before you buy. Ask for any security reports provided by the vendor. Review any security claims to determine their validity, and research any noted potential vulnerabilities. Also consider all connected devices– even those that may seem ancillary to your daily operations. Case in point: Hackers once accessed a casino’s customer database via the smart thermometer in a fish tank.
Harden all your IoT devices. At the least, make sure that the device itself is tamper resistant. Then experts recommend a multi-prong approach to device security that includes securing vulnerabilities such as TCP/UDP ports, open password prompts, places to insert code, and even radio connections. In addition, once devices are in use, change the passwords to complex passwords that are difficult to replicate and can reduce the risk of a breach.
Stay up-to-date on security patches. Create a schedule for regularly updating security patches for IoT devices. However, many vendors don’t create patchable devices from the start—which is why the aforementioned step of researching devices before you buy is critical.
Restrict device access. Establish a list of who is allowed to access devices and for what reasons, and keep it as current—and as small—as possible. Also review which of your organization’s contractors or partners are allowed to access devices, and cull this list often to help reduce the risk of third-party breaches.
Beyond devices, secure your networks. Take advantage of strong user authentication protocols so only authorized users have access to your networks. Context-aware authentication is especially useful with IoT applications, providing an added element of security. Network layer and transport layer encryption is also best practice for helping decrease the risk of an attack.
Encrypt user and application data. IoT devices are often transmitting private, personal data. Encrypting this information in-transit and at-rest should be an absolute priority. If not, your organization could face not only data loss and breaches, but penalties and reputation damage as well.
IoT opens up a world of possibilities, both for your business and for bad actors. Treat your network of devices with the same scrutiny and consider how your enterprise is improving IoT device security; otherwise you face risks that you can’t aniticipate.
Learn more on how you can help protect your valuable data with the Verizon Risk Report.