Oscar Arean is technical operations manager at secure cloud service provider Databarracks
The Internet of Things (IoT) industry is expanding at a rapid pace. Research from Gartner predicts worldwide spending on IoT security will reach $348m this year, climbing to $547m in 2018.
Despite this, many organisations are yet to fully appreciate the security risks an IoT environment can pose. The growing number of connected devices needs to be factored into security strategies, but there is a distinct lack of guidance for businesses looking to do so.
The UK’s Cyber Essentials Scheme is a good place to start for organisations taking their first steps into cyber security, but until it releases standards specific to IoT, it’s up to businesses to put their own security processes in place to stay protected.
Employ strict access controls
There are currently no industry-standard controls in place to protect consumers from sloppy programming and insecure devices being connected. That means that alongside the obvious benefits of connected devices, there are numerous and varied new access routes into a business’ infrastructure.
Nearly every business uses passwords to secure systems and devices, but passwords alone aren’t enough any more. Phishing attacks and social engineering techniques are also putting the human weaknesses within organisations under intense scrutiny.
Cyber security awareness training is the best way to raise security standards within an organisation, but it is also imperative that businesses implement two-factor authentication for all systems and apps, using methods such as SMS codes, one-time passwords or hard token verification.
An access control register is also incredibly important. This is a list that details exactly who has access to what throughout the business. It not only allows you to identify where unnecessary access is being given, but can also help to narrow the search for a point of entry should you suffer a breach.
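An added example, not part of the original article: a minimal access control register in Python covering the two uses described above, flagging access a role does not need and listing who could reach a breached system. The CSV columns, the role baseline and the holder and device names are all constructed for illustration.

```python
import csv
import io

# Constructed sample register: one row per grant of access.
REGISTER_CSV = """\
holder,role,system,level
alice,finance,payroll,admin
alice,finance,hvac-controller,admin
bob,facilities,hvac-controller,admin
bob,facilities,cctv-nvr,admin
carol,it-ops,cctv-nvr,admin
carol,it-ops,payroll,read
dave,contractor,hvac-controller,admin
"""

# Assumed baseline: the systems each role needs, and the highest level it needs.
LEVELS = {"read": 1, "admin": 2}
ROLE_BASELINE = {
    "finance": {"payroll": "admin"},
    "facilities": {"hvac-controller": "admin", "cctv-nvr": "read"},
    "it-ops": {"cctv-nvr": "admin", "payroll": "read"},
    "contractor": {},
}


def load_register(text):
    """Parse the register CSV into a list of dicts, one per access grant."""
    return list(csv.DictReader(io.StringIO(text)))


def unnecessary_access(register, baseline):
    """Return grants the holder's role does not need, or that exceed the needed level."""
    findings = []
    for grant in register:
        needed = baseline.get(grant["role"], {}).get(grant["system"])
        if needed is None:
            findings.append((grant["holder"], grant["system"], "not needed for role"))
        elif LEVELS[grant["level"]] > LEVELS[needed]:
            findings.append((grant["holder"], grant["system"], "level exceeds need"))
    return findings


def holders_with_access(register, system):
    """After a breach of `system`, list every holder whose credentials could reach it."""
    return sorted({g["holder"] for g in register if g["system"] == system})

if __name__ == "__main__":
    reg = load_register(REGISTER_CSV)
    print(unnecessary_access(reg, ROLE_BASELINE), holders_with_access(reg, "hvac-controller"))
```

In practice the register would be exported from a directory service or device management tool rather than maintained by hand, and the baseline reviewed whenever roles change.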
Track logins and lock down devices
You can only protect against a threat to your business if you can identify it. As such, business owners should use remote device management software to monitor the individual devices that log onto their networks.
Network managers should also control which devices are approved to access the network remotely and deny access to any unverified devices that could potentially pose a threat.
However, this approach has its drawbacks.
In a large organisation, limiting device access is fairly standard. It’s not uncommon for large enterprises to issue approved devices to all employees, making auditing relatively straightforward.
Small businesses, with employees often working on personal smartphones or laptops, and with much more flexibility when it comes to responsibilities and access, will face greater difficulties.
It’s important to find the balance between security and locking your business down so much that it becomes difficult for your employees to do their jobs.
Factor IoT risks into business continuity plans
Even if a business takes every precaution to mitigate the risks of IoT environments, it is never untouchable. Remember – nothing is secure in an IoT world unless it is switched off. There needs to be a continuity plan in place, which is tested specifically against IoT-related scenarios.
Just like you have disaster recovery plans in place for a fire or for a ransomware attack, you should factor IoT risks into your strategy.
Define the risks and put necessary controls in place to minimise them, as well as a plan for how to deal with disruption should you experience a breach.
IoT has the potential to revolutionise the way we live and work. However, it introduces fundamental new security risks that need to be addressed.
Unless connected devices are properly controlled, criminals now have the ability to hack your heating controls and check your timer schedule to see when you are at work, or see whether you’ve set a holiday programme for your lights.
They can even disable the CCTV if it’s online – and programme the kettle to make a cup of tea for their arrival!