Just a few years ago, the idea of someone hacking into your organization’s network through your HVAC system or through an employee’s watch would have been ridiculous. But now?
Welcome to IoT, or the Internet of Things, a somewhat casual name for a quickly growing industry—physical objects outside computers that feature Internet connectivity to communicate and function. The number of IoT devices is growing rapidly—from two billion in 2006 to an estimated 200 billion by 2020, according to Intel. The economic impact of this emerging industry is easily in the trillions of dollars. IoT devices not only include appliances and wearable technology, but can also be found in homes, schools, retail businesses and manufacturing plants. They can connect to heart or blood pressure monitors, track inventory, record customer behavior, or facilitate communication and private database access.
Unfortunately, like everything that uses the Internet, these gadgets can introduce threats into a network. A study commissioned by Hewlett Packard found that an alarming 60% of the IoT devices studied raised security concerns.
We’ve already highlighted, in earlier blog posts, many malicious hacker schemes (see our two-part phishing series: Part One and Part Two) and the importance of guarding against them. But Gartner analysts predict that more than 25% of all cyberattacks will involve IoT devices by 2020. So how can your employees and your organization take advantage of the convenience of IoT internet connectivity without compromising security?
How vulnerable am I?
Security measures often depend on the manufacturers creating the IoT products, but security is not always their top priority when it adds cost and diminishes their profits. As a result, many manufacturers often ignore standard security protocols, use older and unprotected software, do not incorporate standard encryption techniques when transmitting data, use simplified passwords and so on.
Hacking into a smart thermostat, for example, might need nothing more than its URL, which can then be used as a gateway into an entire network. A hacker could also, theoretically, take over the entire HVAC system and keep it set for 99 degrees unless a ransom is paid. This scenario, and the threat of ransomware in connection with IoT devices in general, is something many experts are taking seriously.
That’s why companies like Forrester Research are beginning to look closely at the problem and question the lack of solutions. In a recent study, titled The 13 most relevant and important IoT security technologies, Forrester warns “there is no single, magic security bullet that can easily fix all IoT security issues.”
Among the many concerns are:
A gap in technical sophistication
As the saying goes, a chain is only as strong as its weakest link. A complex system of connected devices introduces many areas of entry, and without a comprehensive, end-to-end approach used at every access point to a network, vulnerabilities will exist.
A lack of accepted standards
As global consulting company McKinsey & Company reports, “The IoT lacks well-established overarching standards that describe how the different parts of the technology stack should interact.” Larger companies are developing their own solutions, but often piecemeal and without the greater landscape in mind.
A lack of priority
For the most part, end users view IoT security as a commodity, and not a necessity. While many customers and producers realize that security is essential, they don’t want to pay for it with higher prices. That has greatly limited the spread of proper security protocols in both consumer and B2B IoT products.
It is not yet clear who will take the lead in developing end-to-end security solutions for the IoT, but the need for solutions is evident. Regulations, or at least guidelines, are needed to add clarity and compatible methods of security for all.
What can I do?
IoT security issues may not seem critical now, but they could become so if you ignore them. “When it comes to IoT and security, I think it’s nearly impossible to overstate the need and the critical nature of security readiness,” says Laura DiDio, research director at 451 Research. “Threats are everywhere. This is a situation where organizations and their IT departments are well served by being a bit paranoid rather than being lax.”
Whether your company regularly uses IoT devices for ‘smart’ technology, or your employees are connecting to your network with their wristwatches, you’re at risk. A partner like DYOPATH can help identify trouble spots, give advice on how to prevent problems, and provide guidance if problems do happen. Let us show you all our security solutions, from performing a desktop risk assessment to employee activity logging and analysis.