When thinking of objects in a business that pose a data security risk, a fridge or fish tank wouldn’t likely come to mind.
IoT continues to grow more and more ubiquitous, fuelled by the promise of greater efficiency and advanced insight. The idea of cyber-attack may prompt images of server rooms being hacked or company laptops being stolen, but the reality is with the rise of IoT connected devices, mundane objects pose one of the biggest risks for businesses’ IT security.
A recent 2019 Report explores key issues in data security and has identified the huge threat that the growth of IoT poses to businesses of all kinds. With an estimated 29 billion connected devices by 2022, it is imperative we understand the problem that these devices pose.
The weakest link
Through the research it became clear the number one challenge for security professionals for 2019 continues to be detecting and responding to incidents in a timely fashion. This is complicated by the increasingly important task of managing the impact of new technologies such as IoT. The report found that Australian businesses are failing to improve their security, with 89 per cent having had breaches go undetected, up 12 per cent since 2018. These new technologies are being neglected; the Security Report noted only 43 per cent of Australian businesses are currently protecting their IoT security.
With the prevalence of cyber security attacks, the focus is on well-established aspects of security that seem more dangerous. From pacemakers in hospitals to vehicles in fleets and the company watercooler, more and more ordinary objects are being outfitted with IoT capabilities. As this technology continues to disrupt industries, the mad sprint to stay connected is arriving at the expense of security.
In 2016 we saw this play out in spectacular fashion with the Mirai botnet. This botnet took a huge toll on the East Coast of the United States’ internet. The culprit of this unprecedented outage was simple – IoT enabled cameras. In a similar incident in 2017, a North American casino was hacked through their IoT connected fish tank. While having access to a fish tank may initially seem like an absurd threat, it is through these unassuming objects that cyber criminals are able to successfully infiltrate other businesses’ critical systems. A study by Qualys, referenced in the Cisco 2018 Annual Cybersecurity Report, found that 83 per cent of IoT devices now carry critical vulnerabilities and this weakness is an open door for an attack.
Mind the gap
A key reason this figure is so high is external vendors are often needed to update devices. In many cases, there are no clear indications of who is responsible for securing IoT connected objects. As more devices and ‘things’ connect to the internet, managing potential backdoor breaches frustratingly grows in importance and equally in difficulty.
Many businesses fail to realise a high proportion of internet-enabled devices are sold without in-built security. Some even lack an operating system that can support the installation of security software. Gaping vulnerabilities are often built-in weaknesses known as ‘backdoors’ that allow remote access maintenance, as well as stock passwords that are readily available online. Consequently, criminals can easily install malware on these devices and program them for future use or enlist them in a global army of bots with minimal investment. To make matters worse, the recent 2019 Report revealed 22 per cent of APAC organisations either don’t have or don’t know if they have an incident response plan to address breaches.
One example of how these issues are being addressed at the federal level is in the UK. The UK government recently introduced new laws to curb this issue of IoT device security. The new regulations will introduce IoT guidelines for manufacturers of connected devices, with a mandatory labelling system to determine the security level of an IoT enabled device. If an item falls short of these standards, it may be prohibited from sale. Regulation of this kind represents a big step forward in managing IoT security and has the potential to set global precedence.
IoT devices are on average more vulnerable than traditional IT endpoints. To beef up IoT security companies should look to employ basic endpoint security features like anti-malware, intrusion prevention and antivirus to secure networks against the barrage of attack. Another option is device authentication for IoT devices. Digital certificates or two-factor authentication ensure nobody can gain unauthorised entry to a device. Endpoint hardening can even be as easy as upgrading a product or deploying basic security patches, as many devices are built totally unpatched. The benefits of connected devices are numerous and are a necessary tool for businesses to succeed in the future marketplace. Businesses need to ensure they are vigilant in monitoring devices coming into the workplace and understanding how secure they really are.
This article first appeared on CSO Australia Online in January 2020.