Organizations of all sizes are embracing the Internet of Things (IoT), using it to increase efficiency and productivity. What they often don’t realize, however, is that all IoT devices come with new risks that must be properly addressed to keep important data and systems protected from cybercriminals. In this article, we explain what these risks are and discuss what organizations can do to protect themselves.
What Is the IoT?
The IoT is no longer just a buzzword. It’s a massive network of physical devices that connect to the internet to transfer data and provide rich services. The devices that make up the IoT are as varied as they are numerous, and they include everything from connected industrial machines to smart sensors to intelligent security cameras to internet-enabled appliances and trendy wearables.
By 2022, Juniper Research estimates that the number of IoT devices will exceed 50 billion, up from an estimated 21 billion in 2018. There are many reasons why the IoT is expanding at such a staggering rate. Organizations across all sectors use IoT devices to streamline operations and drive profitability, individuals enjoy the convenience of connected living, and governments are excited by the ability to predict needs before they arise, just to give a few examples.
If IoT keeps growing at the current rate (and there’s no reason to doubt that it will) its total economic impact could range between $4 and $11 trillion per year by 2025, according to research by the McKinsey Global Institute.
The problem is that the rapid pace of innovation in the IoT sector, as well as the inconsistent standards for security among the manufacturers of IoT devices, make it difficult to ensure the security of these devices. One survey conducted by the Ponemon Institute and Shared Assessments indicates that 76 percent of security professionals believe that cyberattacks on their organization
are likely to be executed through unsecured IoT devices.
6 Critical Cybersecurity Policies Every Organization Must Have
Understanding IoT Security Threats
All IoT devices come with certain security risks that stem from their internet-connected nature. When discussing these risks, cybersecurity experts often use the term attack surface to describe the number of potential ways an attacker can gain unauthorized access to a network in order to deliver a payload or malicious outcome.
One of the major issues with IoT devices is that they greatly expand the attack surface, giving cybercriminals more doors to unlock and making it much more difficult for the IT department to prevent them from doing so.
As if that wasn’t bad enough, IoT device manufacturers have yet to make security their top priority. Researchers from the Palo Alto Networks Unit 42 research team found that 98 percent of all IoT device traffic is unencrypted. They also found that IoT device manufacturers rely heavily on outdated legacy protocols and operating systems, allowing cybercriminals to use old attack techniques that most IT departments have not dealt with in years.
Organizations that allow poorly secured IoT devices to operate on their networks face the following IoT security threats:
- Data breaches: IoT devices constantly process massive volumes of data, sometimes of a highly sensitive nature (think office security systems). Organizations must prevent the data generated by IoT devices from falling into the wrong hands to protect their privacy, as well as the privacy of their customers and partners.
- DDoS attacks: With more and more devices connected to the internet, DDoS (Distributed Denial of Service) attacks can be used by cybercriminals to bring IoT devices to their knees in order to disable a critical service.
- Botnets: Vulnerable IoT devices can be hijacked by cybercriminals and used as bots to target other organizations and amplify botnet attacks.
- Ransomware: It takes just one unsecured IoT device for an attacker to successfully execute a ransomware attack on the entire network, encrypting data on hundreds of devices and demanding a large ransom to decrypt them.
- Sabotage: The goal of some IoT attacks is to cause as much damage as possible to disrupt the target organization.
Because vulnerable IoT devices often go unpatched for months and years (if they ever receive a patch at all), organizations must approach IoT security proactively and learn how to protect themselves.
How Can Organizations Integrate IoT Devices Securely?
For organizations to integrate IoT devices in a secure manner, they must create a culture of security awareness, especially if they allow employees to bring their own internet-connected devices with them to the workplace. Employees should be familiar with the major IoT security risks and understand their role in protecting the organization against them.
While employee security awareness training can go a long way in laying the foundation for security, there’s more that both individual employees and organizations can do to keep IoT attacks at bay:
- Password policy: It’s important to have a sound password policy for integrating IoT devices into the organizational technology ecosystem. IoT devices should be required to use unique passwords of sufficient length to prevent brute-force attacks. The UK decided to go as far as to ban default passwords in IoT devices, and it’s possible that other countries will follow suit. Until then, it’s up to organizations to ensure that their IoT devices are using strong passwords.
- Network monitoring: All IoT devices should be monitored and analyzed to spot anomalous traffic indicating that something malicious is happening on the network. Some of the tell-tale signs of an ongoing IoT attack include large numbers of files being transferred to an unknown address, large numbers of files being encrypted, and any unusual increase in the number of failed login attempts. Installing an AI-based endpoint security solution can help reduce the number of false positives.
- Patches: While it’s the responsibility of IoT device manufacturers to release security updates for their devices, organizations must ensure that their devices are patched regularly. IoT devices that no longer receive any security updates should be isolated from the public internet and/or replaced with more secure alternatives.
The Internet of Things offers many exciting benefits, but it also comes with serious risks that all organizations must properly address to maintain a strong cybersecurity posture. Since the IoT is here to stay, now is the right time to face the challenges it brings head-on to turn it into an important competitive advantage.