In-depth

IoT privacy and security concerns

We take a look at what's needed to really secure internet-connected devices

In recent years, the Internet of Things (IoT) has become ubiquitous. While just a decade ago it was a relatively new concept, you can now connected almost everything - from your fridge and coffee machine, to your security system and smartwatch - to the internet. 

While IoT devices bring numerous benefits, there are also a number of risks associated with these internet-connected gadgets. Often, they present security holes, which allow hackers to break into them, infiltrate the network and steal confidential information. This becomes comes even more of a concern when these devices are running on your businesses' network. 

So just how secure is the IoT, should you ban all IoT devices in the workplace or should you instead opt to monitor and manage the risk?

A clear and present threat

It would be foolish to think that internet-connected smart thermostats or other smart devices do not pose a security threat for organisations. There has been a lack of security-first thinking when developing IoT products and this makes them very much a threat to your business's network.

Take Mirai for example, a malware that used vulnerable internet-connected devices, such as IP cameras and home routers, to create a botnet that launched a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack and Visa, become unavailable across Europe and North America in October 2016. 

These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018

Daft defaults

Most IoT vendors don't put security at the front and centre of development. Unfortunately, a lot of vendors and the technology industry pass the blame onto users for not making enough efforts to secure devices by changing passwords from their defaults. Sometimes the manufacturers get the security fundamentals seriously wrong by hard-coding easy-to-guess passwords into devices.

Admittedly, users don't change default passwords to something more difficult to guess, but why shouldn't manufacturers offer difficult-to-hack, unique default password instead?

Users can all too easily be blamed for not updating systems with the latest patches, but these updates aren't that frequent and only arrive after a device has already been hacked.

IoT devices are made to be easy to use and in a lot of cases, security is developed by those who don't possess any reasonable degree of security knowledge instead of these devices being developed alongside security professionals that understand the consequences of bad security.

Added to that, the IoT industry is in no way standardised or regulated, meaning it's all a bit of a confusing mess for end users. That might change with the government's bid to encourage IoT device makers to take a privacy-by-design approach to building products, something that government might seek to make law if device makers don't heed the advice.

Enterprise attack surface evolution

It's clear something has gone wrong in the tech world when your users become the network perimeter, given the role of blocking threats from infiltrating any further into the network.

IoT devices open up the network to a much wider spread of risk, serving as even more endpoints that need to be secured, while also diluting the resource put aside for the regular, legacy definition of threat protection.

The smart flip-flop

Given what you cannot do to prevent IoT device compromise, what's the flip-side? It's not quite as much of a 'length of string' exercise as the almost infinite variety of devices we are talking about might suggest. And talking of which, that 'built by bean counter' accusation we made earlier will, in fact, is already starting to fall away as vendors see the market opportunity in delivering a secure product.

Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.

An eye on the future

Whatever the future brings you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.

Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020