
IoT Security: Threats, Risk Assessment, and Best Practices

How the Internet of Things adds an extra layer of risk assessment for businesses.

Technology experts estimate that Internet-enabled devices, soon to surpass smartphones, will number over thirty billion objects by 2020. This Internet of Things (IoT), which includes objects such as thermostats, production sensors, and kitchen appliances, provides one of the top opportunities for businesses hoping to gain an edge in the data age. But it has also opened the door to new security threats, ones that are harder to guard against due to the inherent flaws in many IoT devices.

Security breaches are on the rise. Among the most notable have been those that exploit weaknesses in an IoT device to gain broader network access. The most famous IoT security attack came in 2016, when the Mirai botnet used old routers and security cameras to launch a massive DDoS attack against the DNS provider Dyn, bringing down Twitter, Reddit, CNN, and Netflix in the process. More recent was the ignominious case of hackers accessing a casino’s data through its Wi-Fi enabled fish tank.

Some estimates suggest that nearly 50% of U.S. businesses have experienced a security breach related to an IoT device. Yet in spite of this evidence, very few businesses have taken the necessary steps to protect themselves from this kind of security breach. Here’s what you need to know to help secure your business.

What part of the Internet of Things needs to be secured?

It can be easy to downplay the security threat of IoT devices if you only think of the device itself. After all, what’s a hacker going to do if they manage to gain control of your office thermostat? Change the temperature? It hardly seems like a serious threat (although it could be).

But securing the Internet of Things is about much more than the devices themselves. It’s also about securing where and how IoT devices connect to your network, how they process and store data, and even their user interface.

Viewed in this light, an IoT device can compromise your data security by providing a backdoor entry to your network. If the device gathers and stores customer information, it can put that data at risk. And if a hacker gains control of your user interface, they can monitor the information you enter (such as user names and passwords), or even prompt you to enter information you shouldn’t.

In short, IoT security isn’t just about the device itself, but the access that device provides.

What IoT security best practices can your company deploy?

One of the factors that complicates IoT security is that many of the most important measures are in the hands of the device manufacturers themselves. These manufacturers may leave default login credentials in place, which can be exploited by hackers. They may not properly encrypt data as it passes from the device to your network. Or, they may prefer to invest their resources in developing new technology rather than releasing security patches and updates for their old devices.

Manufacturers can easily address many of these security weaknesses if given the appropriate incentive to do so. However, some IoT security challenges are more difficult to overcome. Many IoT devices don’t have enough memory and processing power to download and install updates. And, because the lifespan of IoT devices tends to be significantly longer than that of your typical laptop or smartphone, it may be practically unfeasible (or impossible) to provide ongoing support for the device’s entire lifespan.

With all these barriers, how can you, the consumer, follow IoT security best practices to keep your business safe? For starters, you can research IoT devices before you implement them and make inquiries about the manufacturer’s security protocols and software support. This will increase consumer demand for secure IoT devices, thereby increasing incentives for manufacturers to improve. However, you don’t need to wait for the IoT industry to change to protect your business. Here are a few security steps you can and should follow to protect your network from exploitation.

1. Keep your software and passwords up to date.

As we already discussed, many IoT manufacturers don’t release security updates for their devices. However, if they do, you should install them as soon as possible. Similarly, change any access passwords when you first install your device, and follow safe password protocols (such as multifactor authentication) when possible.

2. Use firewalls.

You can use firewalls in two ways to help prevent an IoT security breach. The first is by setting up firewalls around the systems you want to protect. If an attack breaches part of your network, your most sensitive assets can remain secure long enough for you to detect and respond to the threat. The other method is to surround the weak point of your system with a firewall, so that any breach is contained to that device. Of course, this may have limited value, as the device in question may need to communicate with your network in various ways that a firewall might prevent. However, when possible, this is a good first step.

3. Limit connectivity and access.

One way to minimize the security threat IoT devices pose to your network is to limit their connectivity. For instance, your device may not need access to the open web to function. Similarly, it may not need to connect to other IoT devices. You may also be able to control permissions for what your devices can download or what they’re allowed to share. You may want your printer to automatically order more toner when it runs low, but it doesn’t need to automatically link with every WiFi-enabled device on your network.

4. Set up a separate network.

Another approach is to set up a separate network for your IoT devices. Just as you offer one network for your guests and another for your employees, putting your IoT devices on this separate network adds a barrier between your device and the data it can intercept should its security systems be compromised.

5. Monitor your network for suspicious activity.

You may have noticed that many security measures are about mitigation rather than prevention. While you can take steps to harden your system, it is difficult if not impossible to safeguard against every potential hole in your system. What you can do, however, is slow an attacker down. Even if they gain access to part of your network, you can spot their attack and respond efficiently.

This is what breach detection monitoring software is designed to do. Suspicious activity could include an unusually slow network, excessive activity at unusual hours from a normally dormant device, rapid changes in file names, or attempts to access other areas of your network. You may not be able to stop every attack. However, the faster you can shut one down once it occurs, the more you limit the overall damage.
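As an added illustration (not part of the original article or any vendor's product), the following sketch applies two of the signals above to flow records from a separate IoT network: attempts to reach other internal subnets, and bursts of off-hours activity from a normally quiet device. The subnets, office hours, threshold, and log format are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed layout (not from the article): IoT devices sit on their own
# subnet, separate from the rest of the internal address space.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = range(7, 19)   # assumed office hours, 07:00-18:59
OFF_HOURS_LIMIT = 3             # off-hours flows tolerated per device

# Constructed flow records: "ISO-timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2024-03-04T10:15:00 10.20.0.5 203.0.113.10 443
2024-03-04T23:30:00 10.20.0.5 203.0.113.10 443
2024-03-05T02:01:00 10.20.0.7 198.51.100.9 443
2024-03-05T02:01:05 10.20.0.7 198.51.100.9 443
2024-03-05T02:01:10 10.20.0.7 198.51.100.9 443
2024-03-05T02:01:15 10.20.0.7 198.51.100.9 443
2024-03-05T11:00:00 10.20.0.7 10.10.5.20 445
2024-03-05T11:05:00 10.10.5.8 10.10.5.20 445
garbage line
"""

def detect(flow_text):
    # Returns (kind, source device, detail) tuples for IoT-sourced flows.
    alerts, off_hours = [], Counter()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing
        ts, src, dst, port = parts
        try:
            when = datetime.fromisoformat(ts)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if src_ip not in IOT_NET:
            continue  # only IoT-sourced traffic is evaluated here
        if dst_ip in INTERNAL and dst_ip not in IOT_NET:
            alerts.append(("lateral", src, f"{dst}:{port}"))
        if when.hour not in BUSINESS_HOURS:
            off_hours[src] += 1
    for src, n in sorted(off_hours.items()):
        if n > OFF_HOURS_LIMIT:
            alerts.append(("off_hours_burst", src, str(n)))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_FLOWS))
```

Because the IoT devices live on their own subnet, any flow from that subnet to another internal address stands out immediately, which is one practical payoff of the separate network described in step 4.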

IoT Security is not perfect.

No security measures are future-proof. Technology changes. New systems typically bring higher security for known problems while also creating new weaknesses. Because of this, it is important to treat security as an ongoing project rather than a once-and-done deal. Furthermore, you can set up an excellent security plan for your current network, but nothing will replace due diligence in monitoring your network, responding to security threats, and reporting breaches in a timely manner.

If you need help assessing the security of your current network, we can help. We are well-versed in many industry security compliance standards, including PCI-DSS, HIPAA HITECH, SEC and SOX. And, if your company needs to meet the new NIST 800-171 standards, we can help with that, too. Contact us today to get started.