According to a new study by Kaspersky, 64% of businesses use Internet of Things (IoT) solutions and 57% cite their biggest concern about the technology is a cybersecurity breach. Yet 43% report that at least one type of IoT device used is not properly protected. While that might not be a majority, the number of IoT devices multiplied by each business adds up to a significant amount of vulnerability within the business community. And that number is growing, with the global number of connected IoT devices expected to climb 9% by 2025 (see chart).
Cyberattacks are among the most disruptive things that can happen to any business, taking valuable resources away from critical tasks and diminishing the company brand. IoT devices present an attack vector many organizations have not had to think about in the past. So, if your business is concerned about cybersecurity — and it absolutely should be — you must think beyond protecting networks and traditional devices. In the following sections we explore steps you can take to improve your IoT cybersecurity.
IoT in Specific Industries
Before addressing IoT cybersecurity, it’s important to understand how it is used in your industry. Here are a few examples.
- Healthcare. Patients with chronic diseases use wearable IoT devices like fitness trackers, pulse oximeters, and blood pressure watches to monitor their condition and send information about it to their healthcare providers. Other types of devices are used in hospitals to monitor patient status and medical machines.
- Manufacturing. To enhance manufacturing operations, IoT sensors may be attached to machinery and equipment to collect data and ensure optimal functioning. This information allows operators to plan and schedule maintenance, repair, and replacement in alignment with business processes and cash flow.
- Logistics. IoT sensors are used to monitor the movement of shipments, provide data about information stored in warehouses, and monitor warehouse and transportation conditions.
- Automotive. Connected devices enable cars and trucks to stay linked to valuable services such as safety networks, drive autonomously, alert drivers to needed maintenance, and track fleet vehicles.
- Retail. Sensor-based features enable brick-and-mortar retail establishments to provide new shopper experiences, such as optimized fitting rooms, perfectly timed information about products, and grab-and-go functionality.
Understand the Situation
In the past, the number of entry points for cybercriminals was limited. Now, the billions of IoT units in operation create additional attack vectors for hackers to enter business networks as the number of botnet DDoS strikes on IoT devices continues to grow. These attacks prevent websites from functioning, causing untold revenue and reputation loss. Other types of attacks can lead to data loss and proprietary information being shared in public or with competitors.
The first step to preventing such scenarios by ensuring robust IoT cybersecurity is to get a sense of your entire digital ecosystem, from sensors on shipping boxes or manufacturing machinery to the smart refrigerator in the break room. Because various departments may have deployed smart devices on their own, it’s important for IT to bring all this information together and create a database of every device and evaluate each device for risk factors.
The next step is to develop processes to close security gaps. The following specific actions are good starting points.
- Use a strict access policy. According to a recent TechRepublic article, “A Zero Trust approach to security assumes that every network is breached, every machine is compromised, and every user is (unwittingly or not) at risk.”
- Create a vulnerability management program. A vulnerability management program establishes a continuous process for identifying and mitigating vulnerabilities.
- Use a dedicated IoT gateway. An IoT gateway is a physical or virtual platform that connects IoT devices — such as sensors, IoT modules, and smart devices — to the cloud.
- Ensure IoT governance. This approach includes things like rigorous checks and authentication of each new device, following manufacturer guidelines, prioritizing data privacy, and ensuring compliance with security requirements.
- Develop a cyber immunity approach. Cyber immunity means IoT devices are linked through other devices without additional security functionality, making systems immune to certain cyberattacks.
Once these procedures are in place, each device must be monitored on an ongoing basis, including regular security audits.
Mitigate Third-Party Risk
Even if you’re doing everything you can to provide robust cybersecurity internally, you may encounter additional issues with third-party vendors. For example, vendor employees may have access to your networks. While you would like to think the best of them, you must treat them as you would an employee of your own, with Zero Trust measures in place. Not doing is putting your entire organization at risk.
In addition to creating processes for internal security review and repair, you must assess the security posture of companies you choose to work with and ensure they are willing to work within your security parameters. Make this step a part of the vetting process for each new potential vendor. Be sure to also review your current vendors to ensure they are in compliance with your policies.
Create a Security Playbook
Once you have recognized the specific risk factors for your industry, taken stock of your digital ecosystem, and developed procedures for mitigating internal and third-party risk, document all of this information within a cybersecurity playbook that outlines your policies. It should include how you will protect your systems, detect and respond to threats, communicate between team members, and recover data in the event of a breach.
Consider the Alternatives
So, is your IoT security robust enough? Probably not. The best way forward is to assume it’s not and go from there to determine where you are now and what your next steps should be. All of this effort might seem like a lot of work, but consider the alternatives, which include a system at risk that you always have to worry about, and the potential for a data disaster you might not be able to recover from.