In-depth

IoT privacy and security concerns/issues

We take a look at what's needed to really secure the IoT...

The Internet of Things has become a fact of life. Just a decade ago, it was a new concept, with only very few devices outside of the usual mobiles and computers connected to the internet. But in the present day, you can connect almost everything, including your fridge, your security system, even your watch to the internet.

Connected devices are the norm, and these devices are constantly sending data to and from the network. Whether you want your fridge to tell you when your food is about to expire, your watch to deliver emails to your wrist so you don't even need to pick up your phone, or to monitor your heart rate while you're working out, or you want to keep an eye on your home when you're away on holiday, the IoT allows just that to happen.

But there are some very scary risks associated with the IoT, not least the thought of someone hacking into your home and seeing whether it's empty or not. The impact of having insecure devices running on your workplace network is even more concerning. Often, they present holes that hackers can use to break in, infiltrating the network and stealing private information.

So just how secure is the IoT? Should you ban all IoT devices in the workplace, or should you instead opt to monitor and manage the risk?

A clear and present threat

It would be foolish to think that internet-connected smart thermostats or other smart devices do not pose a security problem for organisations. There has been a lack of security thinking when developing IoT products and this makes them very much a threat to your business's network.

It makes for 85,000 very clear reasons when you consider the average cost to the enterprise of a Distributed Denial of Service [DDoS] attack, according to Kaspersky Labs.

In October 2016, large swathes of the internet became unavailable across Europe and North America. Amazon, PayPal, Slack, Twitter and Visa were amongst the big names which experienced disruption. The cause? A DDoS attack against Domain Name System (DNS) provider Dyn. The real cause? Mirai.

Mirai is malware which brute-forces IoT devices, although not much force is usually required courtesy of scant (or zero) security measures. The resulting botnet was made up of around 150,000 assorted IP cameras, home routers and even baby monitors. 

Ducking daffy defaults

Most IoT vendors don't put security front and centre of development. Unfortunately, a lot of vendors and the technology industry pass the blame onto users for not making enough efforts to secure devices by changing passwords from their defaults. Sometimes the manufacturers get the security fundamentals seriously wrong by hard-coding easy-to-guess passwords into devices.

Admittedly, users don't change default passwords to something more difficult to guess, but why shouldn't manufacturers offer a difficult-to-hack, unique default password instead?

Users can all too easily be blamed for not updating systems with the latest patches, but these updates aren't that frequent and only arrive after a device has already been hacked.

IoT devices are made to be easy to use and, in a lot of cases, their security is developed by people who don't possess any reasonable degree of security knowledge, rather than alongside security professionals who understand the consequences of bad security.

Added to that, the IoT industry is in no way standardised or regulated, meaning it's all a bit of a confusing mess for end users. That might change with the government's bid to encourage IoT device makers to take a privacy-by-design approach to building products, something the government might seek to make law if device makers don't heed the advice.

Enterprise attack surface evolution

It's clear something has gone wrong in the tech world when your users become the network perimeter, given the role of blocking threats from infiltrating any further into the network.

IoT devices open up the network to a much wider spread of risk, serving as even more endpoints that need to be secured, while also diluting the resource put aside for the regular, legacy definition of threat protection.

The smart flip-flop

Given what you cannot do to prevent IoT device compromise, what's the flip-side? It's not quite as much of a 'length of string' exercise as the almost infinite variety of devices we are talking about might suggest. And talking of which, that 'built by bean counter' accusation we made earlier is, in fact, already starting to fall away as vendors see the market opportunity in delivering a secure product.

Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.

An eye on the future

Whatever the future brings, you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.

Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.
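As an added illustration (not part of the original article), here is one way to turn that visibility advice into a repeatable check: compare a device inventory with observed traffic and flag units that share a credential set, sit outside the IoT segment, talk across it, or were never recorded. The inventory fields, the "iot" VLAN name, the MAC addresses and the flow records are all constructed assumptions.

```python
from collections import defaultdict

IOT_VLAN = "iot"  # assumption: name of the segment reserved for IoT devices

# Constructed inventory. "cred_id" is a hypothetical label for the credential
# set a device ships with; it is never the password itself.
INVENTORY = [
    {"mac": "02:00:00:00:00:01", "kind": "ip-camera", "vlan": "iot", "cred_id": "vendor-a-default"},
    {"mac": "02:00:00:00:00:02", "kind": "ip-camera", "vlan": "iot", "cred_id": "vendor-a-default"},
    {"mac": "02:00:00:00:00:03", "kind": "thermostat", "vlan": "corp", "cred_id": "unit-7f3a"},
]

# Constructed flow summary: (source MAC, VLAN of the destination).
FLOWS = [
    ("02:00:00:00:00:01", "iot"),
    ("02:00:00:00:00:02", "corp"),
    ("02:00:00:00:00:09", "corp"),
]


def audit(inventory, flows, iot_vlan=IOT_VLAN):
    """Return {mac: sorted list of findings} for devices that need attention."""
    findings = defaultdict(set)
    known = {dev["mac"] for dev in inventory}

    # Same credential set on more than one unit: one guess opens them all.
    by_cred = defaultdict(list)
    for dev in inventory:
        by_cred[dev["cred_id"]].append(dev["mac"])
    for macs in by_cred.values():
        if len(macs) > 1:
            for mac in macs:
                findings[mac].add("shared-credential")

    # Device placed on a network other than the IoT segment.
    for dev in inventory:
        if dev["vlan"] != iot_vlan:
            findings[dev["mac"]].add("outside-iot-segment")

    # Traffic from devices nobody recorded, or leaving the IoT segment.
    for src, dst_vlan in flows:
        if src not in known:
            findings[src].add("not-in-inventory")
        elif dst_vlan != iot_vlan:
            findings[src].add("crosses-segment")

    return {mac: sorted(tags) for mac, tags in findings.items()}


if __name__ == "__main__":
    for mac, tags in sorted(audit(INVENTORY, FLOWS).items()):
        print(mac, ", ".join(tags))
```

In practice the inventory would come from an asset database and the flow summary from switch or firewall logs; the comparison itself stays the same.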
