Internet of Things (IoT) technology has transformed how businesses of all sizes operate. IoT allows SMBs and enterprises alike to collect, analyze, and act upon a high volume of business intelligence that wasn’t previously accessible using existing control and management systems.
The market for corporate IoT technology has grown steadily thanks to the potential those powerful analytics capabilities offer businesses. Gartner Research estimated that 3.96 billion enterprise and automotive IoT infrastructure “things” were online in 2018 and 4.81 billion in 2019, with 5.81 billion devices estimated to be online by the end of 2020.
However, that steady growth has drawn increased interest from hackers looking for new targets they can exploit to crack open corporate networks. Organizations need to know how to secure IoT devices as effectively as possible. Good IoT security will help businesses unlock their new devices’ full potential and protect themselves against potentially major costs that stem from security breaches.
In these early years, IoT devices are often types of equipment that have never before had network connections and embedded operating systems. In other words, IoT devices can be attacked just like desktop computers and servers can be.
To understand how to effectively secure IoT equipment within a given organization, you first need to understand the unique challenges IoT technology creates for businesses. Some of the most notable challenges include:
The explosive growth of the business IoT market has driven many manufacturers to prioritize ease of setup over security. Many IoT devices are configured for open network access and have well-known default passwords.
The burden is often placed on network administrators to secure these devices at the network level. In other words, those administrators must stop threats from reaching IoT devices in the first place.
Because these devices are so easy to set up, businesses also may not have a good sense of all the consumer IoT devices that their staff has brought into work. Staff may not realize that they’re creating security vulnerabilities when they set up a consumer-grade IoT device to make their workday easier.
Deploying a large number of IoT devices greatly increases the volume and complexity of your network traffic. That makes network monitoring harder. Hackers like to hide their malicious behavior in big spikes in the day-to-day flow of routine network traffic.
You may think it is no big deal if a less important IoT device—like, say, an air quality monitor—becomes compromised. But hackers regularly look for low-hanging fruit to compromise so they can launch what is known as a lateral attack.
In a lateral attack, hackers start by compromising a less important network device. Then they move laterally across a network, disguising their attacks as legitimate network requests from that device to compromise the next most vulnerable device, and so on until they reach a valuable target. For example, that air quality monitor could compromise a technician’s laptop, which compromises a file server, which the hacker picks over for valuable financial data.
Networks of zombie IoT devices taking down the internet may sound like science fiction, but that has already happened, most notably during the Mirai botnet attack in 2018. DDoS attacks are some of the most destructive attacks to make use of IoT targets and some of the easiest to pull off.
In a DDoS attack, hackers take control of swarms of vulnerable IoT devices around the world and bring them under their central control. The hacker then forces that distributed network—the botnet—to overwhelm a target with garbage internet traffic, sending the target offline.
Data breaches resulting from IoT compromises can be costly. IBM’s annual study found that, on average, a data breach costs a US business $8.64 million to remediate.
These are just some of the major risks IoT devices pose. Even less common IoT security threats, such as skimming and eavesdropping, can still require significant resources to remediate.
Good IoT security is relevant for business sectors from healthcare to manufacturing to finance to IT. Here are eight best practices we think businesses in every sector should follow when they deploy new IoT technology.
First things first, perform a complete audit of all IoT devices on your network. You may not have a good sense of what devices different departments have deployed on their own. Also, remember, because consumer IoT devices are so easy to set up, staff may have brought in personal smart speakers, fitness trackers, and other connected devices.
You don’t have to connect an IoT device to your network just because you can. IoT devices may be able to do useful onboard analytics without needing to connect to local or cloud servers. When in doubt, leave it offline unless there is a specific networked service you need.
Just as with laptops and mobile devices, your IoT devices need strong passwords, even if they’re only used by one or two administrators. Always change the factory default password; those are usually documented online and easily found by hackers.
Password strength usually must be enforced by corporate policy because not many IoT devices enforce it in their software. A good password policy should cover:
Many IoT devices do not have built-in automatic update features. So to keep devices current with the latest patches and firmware, you will need to set a manual update schedule. The exact update frequency you need depends on the level of risk a particular device poses for your organization. For reference, in IT, routine software updates are usually carried out monthly.
Adopt a similar update schedule for your more vulnerable or essential IoT devices. Less essential devices can be updated quarterly. However, be prepared to perform urgent IoT updates within 1-2 days should a critical vulnerability be announced.
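The update schedule above can be checked against a device inventory. The following is an added example, not part of the original article: the tier names, device and model names, and the mapping of "monthly" to 30 days, "quarterly" to 90 days and an urgent update to 2 days are all assumptions, and the inventory is constructed sample data.

```python
from datetime import date, timedelta

# Assumed mapping of the article's cadence to days:
# monthly -> 30, quarterly -> 90, critical advisory -> 2 (upper end of "1-2 days").
ROUTINE_DAYS = {"essential": 30, "standard": 90}
CRITICAL_DAYS = 2


def patch_due(device, advisories):
    """Return the date by which the device must next be updated."""
    last = device["last_patched"]
    if last is None:  # no patch record at all: treat as due immediately
        return date.min
    due = last + timedelta(days=ROUTINE_DAYS[device["tier"]])
    for adv in advisories:
        # An advisory applies if it names the model and postdates the last patch.
        if adv["model"] == device["model"] and adv["announced"] > last:
            due = min(due, adv["announced"] + timedelta(days=CRITICAL_DAYS))
    return due


def overdue(inventory, advisories, today):
    """Return names of devices past their deadline, most overdue first."""
    deadlines = sorted((patch_due(d, advisories), d["name"]) for d in inventory)
    return [name for due, name in deadlines if due < today]


# Constructed inventory and advisory feed (hypothetical devices and models).
INVENTORY = [
    {"name": "badge-reader", "tier": "essential", "model": "BR-100",
     "last_patched": date(2024, 5, 20)},
    {"name": "air-monitor", "tier": "standard", "model": "AQ-7",
     "last_patched": date(2024, 2, 1)},
    {"name": "camera", "tier": "standard", "model": "CAM-2",
     "last_patched": date(2024, 5, 1)},
    {"name": "new-sensor", "tier": "essential", "model": "NS-1",
     "last_patched": None},
]
ADVISORIES = [{"model": "CAM-2", "announced": date(2024, 6, 5)}]

if __name__ == "__main__":
    for name in overdue(INVENTORY, ADVISORIES, date(2024, 6, 10)):
        print("update overdue:", name)
```

The camera is inside its quarterly window, but the advisory announced after its last patch pulls its deadline forward, which is the case a fixed calendar schedule misses.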
You can’t rely on endpoint protection software for IoT devices. Most don’t have the types of operating systems that can support that.
You need network-level security tools that monitor the flow of traffic from these devices in real time. They can identify suspicious activity “in the wild” on your network. Smart security monitoring tools can also take action in real time without human intervention to stop attackers before they do significant damage.
Ninety-eight percent of all network traffic produced by IoT devices is unencrypted. A hacker with a toehold on your network can easily see what information is coming and going from these devices, including account information and other sensitive data about your infrastructure.
Network segmentation divides local networks into separate segments, or subnets, for different types of traffic. Businesses deploying new IoT devices should consider setting up a separate IoT segment to keep that unencrypted traffic safe. That will make it much harder for hackers to spy on unencrypted traffic and jump from compromised IoT devices to central systems.
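Once an IoT segment exists, flow records can be audited to confirm that devices in it only talk to the systems they are supposed to reach. The following is an added example, not part of the original article: the subnets, the telemetry collector address and port, and the flow records are constructed, and the allowlist approach is one assumed way to express the policy.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
}
# The only flows IoT devices are expected to originate: (segment, host, port).
IOT_ALLOWED = {("servers", "10.30.0.5", 8883)}  # hypothetical telemetry collector


def segment_of(addr):
    """Return the name of the segment containing addr, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def audit_flows(flows):
    """Return flows that start in the IoT segment and leave it unexpectedly."""
    findings = []
    for src, dst, port in flows:
        if segment_of(src) != "iot":
            continue
        dst_seg = segment_of(dst)
        if dst_seg == "iot":
            continue  # intra-segment traffic is out of scope for this check
        if (dst_seg, dst, port) not in IOT_ALLOWED:
            findings.append((src, dst, port, dst_seg))
    return findings


# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.14", "10.30.0.5", 8883),  # sensor -> collector, expected
    ("10.20.0.14", "10.10.4.77", 445),  # sensor -> laptop, crosses segments
    ("10.10.4.77", "10.30.0.9", 445),   # laptop -> file server, not IoT-originated
    ("10.20.0.31", "203.0.113.9", 23),  # IoT device -> internet host
    ("10.20.0.31", "10.30.0.5", 22),    # allowed host, unexpected port
]

if __name__ == "__main__":
    for src, dst, port, seg in audit_flows(SAMPLE_FLOWS):
        print(f"unexpected IoT flow {src} -> {dst}:{port} ({seg})")
```

Any finding means either the segment boundary is not being enforced or a device is behaving outside its expected role, and both deserve investigation.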
This article may be giving you the impression that every single IoT device is a major security liability, but that is not the case. Some devices have more security features than others. Take the time to compare the security features of the different products you’re evaluating or contact experts who can inform your decision about which devices are the safest for your network environment.
IoT mobile devices, such as handheld scanners and tablets, are valuable targets for both hackers and thieves. Protect those mobile IoT assets with smart lockers.
Smart lockers physically secure your devices while connected management software gathers tracking data, so you always know who is using your mobile devices, when they’re used, where, and how. Customized lockers offer other benefits such as built-in charging, content surveillance, and workflow support.
For example, if a user reports a problem with equipment at sign out or return, the smart locker system can prompt them to deposit the device in a specially designated maintenance locker. The locker system, an IoT asset itself, sends an automatic notification to service technicians asking them to retrieve the device for troubleshooting.
IoT technology can give your business the edge it needs to thrive in tomorrow’s economy. But you need to tread carefully. Both the key strength and challenge of IoT technology is its ability to cross boundaries and make new connections.
Internet of Things devices aren’t just IT assets, nor are they just business or security assets. They’re all of those things at once. Your entire organization can benefit, but your entire organization must know how to secure IoT devices and work together to manage them securely and efficiently.