
Five “little” IoT security risks that are bigger than they seem

Aug 7, 2020 | Internet of Things

Although spending on IoT has slowed a bit as a result of the pandemic, a return to double-digit growth rates is predicted for 2021. Many businesses are investing in IoT as one part of digital transformation, using IoT technology to create a more personalized and engaging customer experience and to create efficiencies on the production side. 

However, concerns about IoT security risks remain a high priority for many enterprises. According to a recent survey, half of the organizations participating said that ensuring data, network, and device security is the biggest challenge to successful IoT adoption.

There are many different ways to view IoT security issues. For example, you can look at the most common types of attacks, such as ransomware. Or you can focus on how IoT security technology can be best used to protect your business and customers.

In this article, we’re taking a different approach. We’re looking at five of the “little things” we see companies often overlook. These small items that can fall under the radar are actually serious IoT security risks that need your attention. 

5 “little” enterprise IoT security risks that are bigger than you think

Inadequate security testing 

Failure to conduct proper security testing for your IoT devices, applications, and networks can have serious consequences. When vulnerabilities are left unresolved, it is easy for attackers to gain access to your network and your data. 

A breach can result in substantial fines, not to mention the cost associated with repairing the breach. Additional financial damage can affect you for years, due to lost future business. People remember when a breach occurs. The breach actually becomes your “brand”—this one event becomes the first thing that comes to mind when someone thinks of your company. 

The best way to make sure this doesn’t happen to you is to focus on security from day one. We have written about this before; we are saying it again because it is so important. 

IoT security must be an integral part of the design and development process. Even after deployment, security must remain a priority. IoT devices, applications, and networks should be tested for security vulnerabilities at all stages of the product life cycle. 

It’s also important to make sure IoT security testing is comprehensive and addresses security at all levels, including: 

  • Hardware—IoT sensors, edge devices, gateway hardware, chips, circuit boards 

  • Firmware—Software updates, password and key storage 

  • Network—Wireless communications technologies, encryption, authentication

  • Web applications—APIs, authentication, and session management

  • Cloud hosting—Operating systems, network infrastructure

An attacker only needs to find one door into your network, no matter how small. For example, attackers got into a casino network through a fish tank. Every piece and component in an IoT system is important and deserves thorough and comprehensive security testing to make sure everything is secure from an attack. 

Irregular updates 

There have been several instances in which a security breach could have been avoided by installing a simple update or patch. We all remember the Equifax breach that could have been prevented had the company installed a patch that had been available for months. 

A survey discovered that 27 percent of organizations reported they had suffered a breach caused by unpatched vulnerabilities, proving that many individuals and organizations still don’t do a proper job of staying up to date on security patches. This is particularly true when it comes to individual IoT devices. 

Many of us use personal devices for work and connect those devices to the company network. If we don’t keep our devices up to date on the latest patches, an attacker can gain access to confidential information. 

The same holds true for smaller, seemingly insignificant IoT sensors that may be collecting data on a factory floor or remote agricultural setting. These smaller IoT system components should be treated with the same level of respect when it comes to maintenance. 

Available patches and updates should be installed as soon as they are available. This is the best way to make sure a small door isn’t left ajar into your larger network. 

Reliance on default passwords 

While we all know we should change the default passwords that come on IoT devices, many of us don’t take this simple (yet important) step in IoT security. The Mirai botnet and the Satori variant of Mirai are both examples of attackers taking advantage of default usernames and passwords to wreak havoc.

Developers of IoT devices can also help protect users against default password attacks. The most common method for doing this is to generate a unique username and password combination for each device during manufacturing. With the username and password no longer the same for all devices, users are better protected even when they don’t change the device’s default login information.
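The following is an added example of how a manufacturing line can issue a unique credential to every unit, written for this article and not code from Software Design Solutions or any device vendor. It assumes (these are assumptions, not anything the article states) that the provisioning station has access to the OS random number generator, that the device stores only a salted PBKDF2 hash rather than the cleartext password, and that firmware sets a must-change flag so the label password is replaced on first login. The serial numbers and the PBKDF2 iteration count are constructed values.

```python
"""Per-device unique credentials at manufacturing time (illustrative example)."""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Tuple

PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16          # ~95 bits of entropy from a 62-character alphabet
PBKDF2_ITERATIONS = 100_000   # assumed tuning; choose for the device's CPU budget


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw a password from the OS CSPRNG, never from the serial number or a
    production counter, which an attacker could simply enumerate."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so the device never holds the cleartext password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def provision_device(serial: str) -> Dict[str, object]:
    """Run once per unit on the manufacturing line.

    Returns the record written into the device's credential store (username,
    salt, hash, must-change flag) and, separately, the cleartext password that
    is printed on the unit's label and kept nowhere else.
    """
    username = f"dev-{serial.lower()}"   # unique per unit, not one 'admin' for the whole line
    password = generate_password()
    salt, digest = hash_password(password)
    device_record = {
        "username": username,
        "salt": salt,
        "pw_hash": digest,
        "must_change_password": True,    # firmware forces a new password on first login
    }
    return {"device": device_record, "label_password": password}


def verify_login(device_record: Dict[str, object], username: str, password: str) -> bool:
    """Constant-time credential check the device firmware performs at login."""
    stored_user = str(device_record["username"]).encode("utf-8")
    if not hmac.compare_digest(stored_user, username.encode("utf-8")):
        return False
    _, digest = hash_password(password, bytes(device_record["salt"]))
    return hmac.compare_digest(digest, bytes(device_record["pw_hash"]))


def credentials_are_unique(batch: List[Dict[str, object]]) -> bool:
    """Manufacturing QA gate: no two units in a batch may share a username or password."""
    users = {r["device"]["username"] for r in batch}
    passwords = {r["label_password"] for r in batch}
    return len(users) == len(batch) and len(passwords) == len(batch)


if __name__ == "__main__":
    batch = [provision_device(f"SN{n:06d}") for n in range(3)]   # constructed serials
    print("batch unique:", credentials_are_unique(batch))
    unit = batch[0]
    print("label:", unit["device"]["username"], unit["label_password"])
    print("login ok:", verify_login(unit["device"], unit["device"]["username"], unit["label_password"]))
    print("shared default rejected:", verify_login(unit["device"], "admin", "admin"))
```

The point of the design is that compromising one unit, or scraping one label, yields nothing usable against the rest of the fleet: the password is random rather than derived, the device stores only a hash, and the uniqueness gate catches a provisioning bug (such as a stuck random source) before units ship.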

But organizations cannot rely on IoT device manufacturers when it comes to security. Default login credentials should be changed immediately upon issuance of a device. Multi-factor authentication is an even better way to amp up your IoT security, requiring users to take several steps to log in. 

This can even be done through embedded sensors for those systems and applications in remote locations. While it can add to the cost of your IoT system, it is an investment that pays for itself by protecting you from attack. 

Inadequate data encryption 

IoT components connected to your network may, of course, be turned on or off. But the norm is that, at any given time, at least a portion of your components are collecting data, storing that data, and sending all or some of that data up to the cloud for processing and storage. 

Data privacy has become a hot topic over the past few years, with regulations such as the General Data Protection Regulation (GDPR), the California Online Privacy Protection Act (CalOPPA), and the more recent California Consumer Privacy Act (CCPA) forcing many companies to take extra measures to keep data secure. Other regulations such as the Payment Card Industry Data Security Standard (PCI-DSS) and HIPAA require companies to take certain precautions when handling financial or personal confidential information. 

When working with clients, we always place a high priority on data privacy, whether or not the client is subject to certain regulations. Customers expect their information to be secure. Even seemingly insignificant data about your company has the potential to give a competitor or hacker an advantage. 

When it comes to securing IoT data, all of the data stored and transmitted in an IoT system should be encrypted, both at rest and in transit. Similar to multi-factor authentication, encryption can add to your total project cost as it requires more computing power. However, it is absolutely worth the investment. 

Neglect of the remote employee 

Remote work has long been on the rise, but it has hit record numbers in our pandemic-affected world. Forecasts predict the remote work trend will continue, even after the pandemic calms down. 

We all need to be aware of the impact remote workers are having on security. There has been an increase in attack attempts since the pandemic hit, including hacking and data breaches. 

As more employees work from home, you’ll want to reassess policies for remote work to make sure that devices are secure and attackers cannot gain access to the corporate network. There are several steps you can take to make sure the remote work environment doesn’t make your business more susceptible to attack:

  • Employees should take an inventory of all smart devices at home, including what type of data each device stores. 

  • Use two-factor authentication on all home smart devices.

  • Disable unnecessary functionality on devices (for example, if you don’t need to review the footage from your security camera, you don’t need to store it).

  • Disable microphones and cameras on virtual assistant devices when conducting conference calls for work. 

You’ll need to impress upon employees the importance of taking these measures to keep the corporate network secure. A cybersecurity policy should outline the importance of IoT security and the steps each employee must take. 

Additional tips for remote work IoT security include:

  • Make sure employees are only accessing the corporate network through a secure connection. A Virtual Private Network (VPN) should be used at all times to protect information stored on company laptops and machines. 

  • Prompt employees to change passwords on a regular basis and create strong, unique passwords.

  • Leverage encryption software to protect the data on employee devices. 

  • Require up-to-date firewall, antivirus, and antimalware software on all employee devices used for remote work. 

  • Give IT the ability to wipe the data on a device remotely in the event it is lost or stolen. 

It can be tempting to neglect these “smaller” IoT security issues, but reality has shown they can have a serious impact on how secure your network and data are (and on your reputation). We highly recommend all organizations dedicate the necessary time and resources to make sure all of these IoT security risks are properly addressed, so you can be confident your company is doing everything possible to protect against an IoT attack. 

Ed Kuzemchak - Ed is the founder of Software Design Solutions. He has been creating embedded software solutions for nearly 30 years and has been the president of Software Design Solutions for over 13 years.