IoT security: Why you need to encrypt your data

Author: David Grady

The number of devices tied to the Internet of Things (IoT), the interconnected devices that connect to the internet without human involvement, is skyrocketing. While this exponential growth generates tremendous business opportunities, it also brings many IoT security risks that need to be assessed and mitigated.

IoT devices are essential for digital transformation, and they're already present in many aspects of our lives. Whether it's smart appliances, security systems at home or in the office, digital assistants such as Alexa and Google Home, healthcare devices or industrial machinery, the use cases for IoT devices are seemingly endless.

The primary security concern is that every one of these devices may be connected to the internet. If you're using IoT for your business, hackers could connect to that device and use it to reach your network.

IoT challenges

If organizations are reluctant to adopt new technology, they could place themselves at risk of losing their competitive edge and their share of the market. As the need for digital transformation ramps up, organizations won't be able to afford to wait before adopting some form of IoT. But security protocols aren't being developed as fast, and, unfortunately, vendors don't have the luxury of waiting until those protocols are developed.

By default, many IoT devices are not particularly secure. They might have poor password requirements, or the vendor might not keep the software or firmware up to date. And if a device stores any data, that data could be easily readable by anyone with access. This is why data encryption is so critical for IoT security.

Why encryption is the key to security

When done effectively, encryption renders data unreadable to anyone without authorized access. Once data is encrypted, a key is required to decrypt it, safeguarding the data from unauthorized access or use. The threat landscape is continually evolving; protecting your data with some form of encryption is necessary to mitigate risks.

Enabling encryption, in theory, isn't an insurmountable task. Every current desktop and mobile operating system offers a simple encryption functionality, and it's easy to enable. While this basic encryption might not work for every business, from an operations standpoint, it offers the agility to adapt and scale encryption levels where necessary.

Encryption is still inherently complex

Despite the many benefits that encryption offers, it still comes with several obstacles. Technological leaps have streamlined the process, but the scope will determine how costly deployment will be. However, determining that scope can be a significant hurdle. And underscoring that challenge: Encryption requires processing power. The better and stronger your encryption, the more computing horsepower you need to run it.

Finally, there are myriad encryption methods to choose from. As a general rule, though, the National Institute of Standards and Technology recommends the Advanced Encryption Standard because of its practicality, speed, flexibility and encryption strength.

Practical guidelines

Organizations that use, or are considering using, IoT devices must first do their due diligence on vendors to ensure that any data stored and transmitted is properly encrypted. IoT is another link in the security chain, and if even one weak link is compromised, the whole chain can collapse. As such, each IoT device needs to be tested to identify any weaknesses, and the best encryption solution needs to be found and implemented, so long as it can be customized to match the environment it's encrypting.

To make life easier for you, Verizon's IoT Security Credentialing platform provides flexible tools and services for a comprehensive approach to maintaining the security of your IoT apps and devices. This includes three layers of protection: an over-the-top layer of security for devices and apps, data encryption, and trusted user and device authentication to help your IoT deployment.

David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.