IoT security risks and how to overcome them
Jul 06, 2017
We all know and are (mostly) fascinated by the opportunities that the Internet of Things offers to businesses.
Controlling devices remotely and analysing related data has huge potential to develop new sources of revenue and more attractive, customer-centric services. But there are also concerns around security and particularly around data sharing. With regulations still lagging behind, what can businesses do to protect themselves?
According to insurance firm Allianz’ 2017 Risk Barometer, cyber incidents ranked 3rd in the list of global business threats, up from 15th in 2013. The key threats involved are:
- Hackers seizing power over a variety of IoT devices, enabling them to attack corporate networks and bring the entire IT system down, e.g. through high volumes of futile requests.
- IoT devices are gateways to corporate networks, which represents a significant threat where operating systems are not sufficiently protected by security updates, e.g. in production facilities.
Many IoT devices only come with one standard user name and one (non-changeable) standard password, making things rather easy for hackers. Manufacturers of IoT devices should eliminate at least the easiest access options and ensure that devices are able to handle system updates and can be controlled through independent certificates. Unfortunately, regulations and standards are not sufficiently in place yet.
While security is a priority for established manufacturers of IoT devices, others are mainly driven by winning market share. And many users also lack awareness of security concerns around IoT devices, such as which IoT devices are connected to their corporate network, or what their security settings are – including, e.g., television sets in meeting rooms. Companies should take a closer look at all their “connected devices” to ensure passwords are individualised and devices without password options are replaced.
Businesses also require “next generation firewalls” with additional functions, e.g. intrusion prevention. Application recognition ensures that only authorised staff can use specific applications. Restricting the relevant IP addresses helps to prevent devices from communicating with the IP addresses used by hackers. Consolidating devices from different manufacturers that are deployed within a corporate network in company-owned sub-networks prevents malicious invasions. And IoT devices should only ever communicate via HTTPS.
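The checks from the two paragraphs above (individual passwords, replacing devices whose password cannot be changed, dedicated sub-networks, restricted IP addresses, HTTPS only) can be run against a device inventory. The following is an added example, not code from the original article; the inventory records, field names, sub-network and allow-list are constructed assumptions, and the allow-list is one possible way to restrict IP addresses.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed policy (constructed values): where IoT devices must live and
# which destinations they are allowed to reach.
IOT_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample inventory. "credentials" is the auditor's finding:
# "factory" (still the shipped login), "fixed" (cannot be changed), "individual".
INVENTORY = [
    {"name": "meeting-room-tv", "ip": "10.1.5.40", "credentials": "factory",
     "endpoint": "http://10.1.5.40/api", "talks_to": ["198.51.100.7"]},
    {"name": "plant-sensor-07", "ip": "10.20.0.17", "credentials": "fixed",
     "endpoint": "https://10.20.0.17/status", "talks_to": ["203.0.113.5"]},
    {"name": "door-controller", "ip": "10.20.0.30", "credentials": "individual",
     "endpoint": "https://10.20.0.30/", "talks_to": ["203.0.113.9"]},
]

def in_any(ip, networks):
    """True if the address string falls inside one of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def audit_device(dev):
    """Return the list of policy violations for one inventory record."""
    findings = []
    if dev["credentials"] == "fixed":
        findings.append("replace device: password cannot be changed")
    elif dev["credentials"] == "factory":
        findings.append("set an individual password")
    if urlparse(dev["endpoint"]).scheme != "https":
        findings.append("management endpoint is not HTTPS")
    if not in_any(dev["ip"], IOT_SUBNETS):
        findings.append("move device into a dedicated IoT sub-network")
    for dest in dev["talks_to"]:
        if not in_any(dest, ALLOWED_DESTINATIONS):
            findings.append(f"block traffic to {dest}: not on the allow-list")
    return findings

def audit(inventory):
    """Map device name -> findings, omitting compliant devices."""
    report = {dev["name"]: audit_device(dev) for dev in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings)
```
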
In addition to these precautions, companies should carry out due diligence to ensure the highest security levels, running daily penetration tests to check their own infrastructure’s vulnerability levels and security. External providers are even offering hacking services to identify weaknesses and recommend improvements.
The more digitisation advances, the greater the role of IT security becomes. After all, the internet is an essential part of our infrastructure – if it breaks down, whole regions and economies can come to a standstill. Clearly, IT security requires government involvement. But who certifies IoT devices and ensures that certain security standards are met? Currently there is no such certification scheme, and while certain frameworks are in place, regulating authorities are generally struggling to keep up with the pace of developments.
It should be a precondition, for example, for manufacturers of IoT devices to certify any new equipment in line with official standards. Recent cyber-attacks are urgent reminders for governments across the globe to take more action in this area.
The Internet of Things really does harbour massive potential, both for businesses and society. It is crucial now to establish the right frameworks. If we get this right from the start, we’ll be able to drive developments in the right direction.
Darren Travers is a Senior Account Manager at AEB, responsible for key accounts in the domestic and international markets.