Posted on October 4, 2017 by staff

Could your coffee machine be a cyber security risk?


This month is National Cyber Security Awareness Month, which encourages companies and individuals to make better cyber security choices. With this in mind, I want to emphasise the dangers of the Internet of Things.

IoT is all about sharing information across numerous connected devices, so that everything works seamlessly and in harmony. With this convenience comes vulnerability.

Using IoT devices is like opening a can of worms when it comes to cyber security. I’ve come across numerous clients who have suffered a security breach because their IoT device wasn’t set up correctly. This connected ecosystem means that if an attacker gains access to one device, they can potentially gain access to every other device in your business. Scary, right?

I’m not going to deny that IoT offers amazing efficiencies for your business. Brands all over the world are jumping at the chance to utilise this powerful technology in innovative ways, before their competition.

With so much excitement and buzz around IoT, it’s easy to want this shiny new tech and let it loose within your organisation without considering the potential drawbacks.

We are all used to scrutinising the security of websites before they are launched, and ensuring that employees are clued up on potential online security risks. But would you consider doing the same when you are adding a new coffee machine to your office kitchen? Yup, believe it or not, your smart coffee machine or kettle could be compromised and used to spy on you.

The last few years have seen numerous high-level security breaches utilising IoT devices. Verizon Wireless released a report that included an unnamed university that saw more than 5,000 IoT devices attacked.

The Mirai botnet attack also saw 100,000 IoT devices infected across 164 countries. This botnet was used in an attack that impacted major brands like Netflix, Shopify, Twitter and Etsy. The reality is that an IoT device must be secured before it’s connected to the internet.

At Secarma, we advise our clients to question whether the device NEEDS to be connected to the internet or if it NEEDS to talk to other devices. If it does, the following tips will help to improve your IoT cybersecurity.

  1. Don’t connect unnecessary devices to your network

That smart coffee machine will need to order supplies online. It will not need to access your databases and network file shares. Reduce the risks by not connecting the device to your corporate network.

  2. Check if it’s web facing (greater risk than internal network only)

If the device needs to present a service directly on the Internet (such as a remote administration interface), then it is at increased risk of attack. Anyone with an Internet connection will be able to target it, so you must be certain of its level of security. Most administration interfaces in IoT devices have not undergone robust security analysis and pose a genuine danger.

  3. Ensure password security

A substantial proportion of IoT security breaches have come from insecure password practices. Most devices will have a default password. Attackers scour the internet looking for user manuals and add new default passwords into their wordlists. They love nothing more than a password that is the same on every device straight out of the box.

  4. Check if it has the ability to update firmware/install patches

Even the most robust devices will eventually have some insecurity or functionality bug. The natural solution to this is for the vendor to provide an update. If your device has no way to update itself, then it may become obsolete due to security flaws.

  5. Disable unnecessary features

Most vendors strive to add features to their device and many will turn them all on out of the box. Each feature is something that can be attacked. For each IoT device you install, the best practice is to disable as many features as possible. Review the need for everything and disable what is not required.
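
The five tips above can be applied as a repeatable check over a device inventory. The following is an added example, not part of the original post; the inventory fields, device names and corporate address range are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: the corporate range and both device records are assumptions.
CORPORATE_NETS = [ip_network("10.10.0.0/16")]

INVENTORY = [
    {"name": "kitchen-coffee-machine", "ip": "10.10.4.23",
     "internet_facing_ports": [80], "default_password_changed": False,
     "firmware_updatable": True,
     "enabled_features": {"ordering", "telnet", "upnp"},
     "required_features": {"ordering"}},
    {"name": "lobby-display", "ip": "192.168.50.7",
     "internet_facing_ports": [], "default_password_changed": True,
     "firmware_updatable": True,
     "enabled_features": {"signage"},
     "required_features": {"signage"}},
]

def audit_device(dev, corporate_nets=CORPORATE_NETS):
    """Return a list of (tip_number, finding) tuples for one device."""
    findings = []
    addr = ip_address(dev["ip"])
    # Tip 1: the device should not sit inside a corporate address range.
    if any(addr in net for net in corporate_nets):
        findings.append((1, f"{dev['ip']} is on the corporate network"))
    # Tip 2: any service reachable from the Internet raises the risk.
    if dev["internet_facing_ports"]:
        ports = ", ".join(str(p) for p in sorted(dev["internet_facing_ports"]))
        findings.append((2, f"exposed to the Internet on port(s) {ports}"))
    # Tip 3: the out-of-the-box password must have been replaced.
    if not dev["default_password_changed"]:
        findings.append((3, "default password still in use"))
    # Tip 4: a device that cannot be patched will become obsolete.
    if not dev["firmware_updatable"]:
        findings.append((4, "no firmware update mechanism"))
    # Tip 5: anything enabled but not required is extra attack surface.
    extra = dev["enabled_features"] - dev["required_features"]
    if extra:
        findings.append((5, "unneeded features enabled: " + ", ".join(sorted(extra))))
    return findings

def audit_inventory(inventory):
    """Map each device name to its list of findings."""
    return {dev["name"]: audit_device(dev) for dev in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "no findings")
```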