How to mitigate IoT security risks to tap business benefits
Security concerns are preventing many businesses from adopting IoT-based technologies, but with a bit of planning, the business benefits can be realised by mitigating the risk
A growing number of internet-connected technologies that make up the internet of things (IoT) could benefit businesses in a variety of ways, but security concerns continue to block adoption for many organisations, while others are more cavalier, with less than a quarter of UK firms prioritising security when investing in new technology, including IoT-based systems, to support digital transformation.
However, it could be argued that IoT systems also have the potential to boost security by enabling the use of security and access control systems that rely on facial recognition, voice printing and geo-location tracking capabilities.
Other benefits of IoT-based systems include productivity, performance and customer satisfaction monitoring, inventory control, predictive machine maintenance, temperature management and access control.
To benefit from these systems without incurring unnecessary risk, businesses need to ensure IoT-based system integration is carefully planned and executed.
Underlining the need for organisations to pay attention to IoT security, a January 2019 survey revealed that only 48% of European firms can detect when any of their internet-connected devices have been breached.
In the UK, this figure drops to 42%, the second lowest in Europe after France, where only 36% of companies polled said they can detect if any of their devices making up the internet of things (IoT) suffers a breach, according to the study by digital security firm Gemalto.
“Businesses are set to spend up to $6tr on these devices by 2021 but, in order to truly unlock the value of IoT, you need to know how you’re going to keep your network safe,” says Geoff Burns, head of sales at IT and telecommunications firm Nice Network.
According to Burns, there are five steps organisations can take to prepare for the introduction of IoT-based systems to ensure the security risks do not outweigh the business benefits.
1. Encrypt data
Regulations like Payment Card Industry Data Security Standard (PCI DSS) and the updated Markets in Financial Instruments Directive (MiFID II) recommend that all digital data transmitted over the internet should be encrypted, which means that if someone manages to access sensitive data, they won’t be able to read it.
According to Burns, organisations should consider encrypting data using firewalls to protect IoT web applications, wireless protocols with built-in encryption and the secure sockets layer networking protocol (SSL) for online tools.
While most IoT device providers are now using encryption in design, Burns says there are still tools in the marketplace that do not come with encryption built-in.
2. Improve data authentication processes
Often, the most significant issues with IoT security are not linked to the devices or tools themselves, but to the passwords and authentication methods that employees use to access their accounts, according to Burns.
“Countless people use the same password for every account they have. This means that even if someone manages to get your employee’s email password, they could also get into your IoT system,” he says.
Multifactor authentication (MFA) is widely recognised in the security industry as one of the best ways to upgrade IoT security services. At the very least, two-factor authentication (2FA) adds an extra layer of defence using a fingerprint scan or similar on top of the standard username and password combination.
“This way, even if someone steals, cracks or guesses a staff member’s password, they won’t have the additional factor needed to log into their account,” says Burns.
3. Manage hardware and software
Security for IoT needs to be implemented on multiple levels, according to Burns. From a hardware perspective, it is important to store devices securely by keeping them locked away, for example, and limiting the number of employees that can access them.
From a software perspective, Burns says organisations need to remember that IoT implementations need to be upgraded over time.
“Those responsible for IoT tools and applications will regularly release new firmware updates that patch old vulnerabilities in the system, and therefore it is essential to ensure that all IoT devices are up-to-date so you can avoid any unnecessary attacks,” he says, adding that it is sometimes possible to automate this process.
4. Isolate IoT devices
For the safety of enterprise networks, Burns says it is often a good idea to isolate IoT devices. “This means that if someone hacks into an IoT device, they won’t necessarily be able to access the entire business technology stack.”
Some of the underlying architecture models available for IoT implementations include:
- Device to device: The IoT applications in the same network connect via protocols such as Bluetooth.
- Device to cloud: The IoT devices in an enterprise network connect directly to the cloud and transfer data accordingly.
- Device to gateway: IoT devices relate to a digital system through a portal, translating protocols, filtering data, and encrypting information at the same time.
Most of the best IoT security practices, says Burns, involve taking a multi-layered approach to protecting connections and devices.
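One way to check that the isolation described in step 4 actually holds is to audit flow records for traffic leaving the IoT segment. The following is an added example, not part of the original article: it assumes a device-to-gateway model, and the subnets, allow-list and flow records are all constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed for this example).
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
# The only destinations IoT devices are expected to reach: (network, port).
ALLOWED = [
    (ipaddress.ip_network("10.30.0.5/32"), 8883),  # gateway (encrypted messaging)
    (ipaddress.ip_network("10.30.0.6/32"), 443),   # firmware update mirror
]

# Constructed flow records, one per line: "src dst dport".
SAMPLE_FLOWS = """\
10.20.0.14 10.30.0.5 8883
10.20.0.14 10.10.4.20 445
10.20.0.31 10.30.0.6 443
10.20.0.31 10.20.0.14 23
10.10.4.20 10.10.1.5 443
10.20.0.40 203.0.113.9 8883
"""

def parse_flows(text):
    """Yield (src, dst, port) tuples, skipping lines without three fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = parts
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def classify(src, dst, port):
    """Return None for an acceptable flow, otherwise a reason string."""
    if src not in IOT_SEGMENT:
        return None  # only traffic originating from IoT devices is policed
    if any(dst in net and port == p for net, p in ALLOWED):
        return None
    if dst in CORPORATE:
        return "iot-to-corporate"  # the segment boundary is leaking
    return "unapproved-destination"

def isolation_violations(text):
    """List every IoT-originated flow that falls outside the allow-list."""
    return [(str(s), str(d), p, reason)
            for s, d, p in parse_flows(text)
            if (reason := classify(s, d, p))]

if __name__ == "__main__":
    for violation in isolation_violations(SAMPLE_FLOWS):
        print(violation)
```

Any `iot-to-corporate` result means a compromised device could reach the wider business network, which is the outcome isolation is meant to prevent.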
5. Invest in mobile monitoring
By far, one of the most effective IoT security services that any business can invest in, says Burns, is mobile device monitoring. “While end-to-end encryption and siloed networks are essential, there’s nothing more crucial than knowing the current status of all your IoT devices in real-time,” he says.
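Knowing the current status of every device (step 5) and keeping firmware up to date (step 3) can be checked together from a device inventory. The following is an added example, not part of the original article: the inventory, model names, minimum firmware versions and the 15-minute check-in threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: device id, model, firmware, last check-in (UTC).
INVENTORY = [
    {"id": "cam-01", "model": "cam-x", "fw": "2.4.1",
     "last_seen": "2019-06-10T09:58:00+00:00"},
    {"id": "cam-02", "model": "cam-x", "fw": "2.10.0",
     "last_seen": "2019-06-10T09:59:30+00:00"},
    {"id": "hvac-07", "model": "thermo-b", "fw": "1.9.3",
     "last_seen": "2019-06-09T22:15:00+00:00"},
    {"id": "lock-03", "model": "door-k", "fw": "5.0.0",
     "last_seen": "2019-06-10T09:57:10+00:00"},
]
# Assumed minimum patched firmware per model (hypothetical values).
MIN_FIRMWARE = {"cam-x": "2.5.0", "thermo-b": "1.9.3"}
MAX_SILENCE = timedelta(minutes=15)  # assumed check-in threshold
NOW = datetime(2019, 6, 10, 10, 0, tzinfo=timezone.utc)  # fixed for the example

def version_key(version):
    """Compare versions numerically, so that 2.10.0 sorts above 2.5.0."""
    return tuple(int(part) for part in version.split("."))

def device_findings(dev, now):
    """Return the list of problems found for one inventory entry."""
    findings = []
    required = MIN_FIRMWARE.get(dev["model"])
    if required is None:
        # A device nobody tracks a baseline for cannot be judged patched.
        findings.append("no-firmware-baseline")
    elif version_key(dev["fw"]) < version_key(required):
        findings.append("firmware-outdated")
    if now - datetime.fromisoformat(dev["last_seen"]) > MAX_SILENCE:
        findings.append("silent")
    return findings

def audit(inventory, now):
    """Map device id to findings, omitting devices with none."""
    report = {}
    for dev in inventory:
        findings = device_findings(dev, now)
        if findings:
            report[dev["id"]] = findings
    return report

if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY, NOW).items():
        print(dev_id, findings)
```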
While there are “countless ways” IoT devices can benefit modern businesses, Burns says that in the light of potential IoT device vulnerabilities, it is important for enterprises to identify the risks and challenges to ensure that all internet-connected devices are secure.
Surveying 950 IT and business decision makers globally, Gemalto found that companies are calling on governments to intervene, with 79% asking for more robust guidelines on IoT security, and 59% seeking clarification on who is responsible for protecting IoT.
Despite the fact that many governments have already enacted or announced the regulations specific to IoT security, most (95%) businesses believe there should be uniform regulations in place, a finding that is echoed by consumers, with Gemalto research indicating that 95% expect IoT devices to be governed by security regulations.
The UK government is among the first to make a move by developing and publishing a Code of Practice for manufacturers of consumer IoT devices in October 2018, while in May 2019, the government announced it was moving ahead with plans to ensure that IoT devices are better protected from cyber attacks by introducing measures to require that basic cyber security features are built into internet-connected devices.
However, security industry commentators have said that the code of practice and the planned standards based on that code of practice will not be effective until every IoT device is compliant, further underlining the importance of organisations recognising the cyber security threat IoT devices pose and taking steps to mitigate that threat.