3 Ways Businesses Can Address IoT Security Failures

I watched a Twilight Zone marathon over the New Year’s weekend, and it got me wondering about today’s Internet of Things (IoT). Are “Things” really taking over our world, and if so, how can we peacefully coexist with them or even prosper together?

The IoT is really just a fancy way of saying that technology is becoming more pervasive in everything we use, from sensors to thermostats to our trusty office gadgets. But with such pervasiveness, where does security come in, if at all?

Quite frankly, it doesn’t in many cases today, because the production of these devices has far outpaced the ability to manage and secure them. And without a central place for businesses to manage their IoT devices (passwords, logins, activity, etc.) and no automated way to detect security issues,  there will be gaps and attackers will find a way in. That’s how the early days of cable modems looked, and now we’re seeing the same trend with newer devices. We’re simply repeating history.

It’s easy to say that manufacturers of these devices should just invest more in security, but if this ever happens across the board, it’s going to take some time. In contrast to a software-defined world, it will take years to build any kind of useful security measure into manufactured devices. As we start out in 2017, let’s take a look at what that means for businesses in the meantime.

How is Security an Issue for IoT?

Malware strains (and other threats) are being specifically designed to target IoT devices because it’s so easy to launch an attack from these unprotected technologies.

One particularly dangerous strain is called Mirai, and is designed to launch botnet attacks from IoT devices worldwide. In fact, the disastrous DDoS attack that happened to Dyn, a major internet infrastructure company that powers popular sites including Twitter, Amazon, Tumblr, Reddit, Spotify, and Netflix,  was executed with a Mirai botnet attack originating from IoT cameras manufactured in China.

The criminals behind this attack took advantage of IP cameras developed by the Chinese company XiongMai Technologies, which had no security measures built in. In fact, the cameras were such an ideal platform to launch botnet attacks that virtually the whole product line has become a launchpad for this type of malicious attack. What a perfect disaster!

Naturally, XiongMai’s cameras were recalled and  customers were infuriated. But far from turning the tide, this incident is merely the latest in an ongoing wave of attacks and recalls on IoT devices, and it underscores the need for us to develop best practices for protecting ourselves against the vulnerabilities created by IoT devices.

Think of all the IoT devices you use in your office that listen to the words you speak, collect data about your environment, store information about you, and so on. That’s a lot of information — some of it quite personal, and considering that most devices don’t offer any security guarantee, there’s a lot up for grabs.

But it’s not all bad news. The IoT offers a great deal of efficiency, convenience, and intelligence for companies. IoT devices can be our ally in many ways, so long as they aren’t hacked. To protect against IoT security threats, businesses need to add their own layers of security. Here are a few ways to make sure any IoT device you use is as secure as possible.

1. Employ Security Best Practices

Hopefully your company’s internal policies already encourage a certain level of security hygiene for servers, applications, and accounts. This often includes password complexity, user permission policies, production access rights, and so on. (For more best practices, see our Cloud Security Playbook: Best Practices for Today’s Volatile Threat Landscape.)

Apply those same best practices to your IoT devices. When you set them up, mandate that users employ complex passwords, only give access to those who need it, dedicate a person to be responsible for managing users and their activity on the devices.

2. Continuously Monitor for Malicious Activity

Next, you should be ready if an attacker tries to get through a device and onto your company’s systems.

Let’s say you have a high-tech IoT toaster in your office kitchen that alerts via email you when your toast is ready. While you may not be able to directly protect the toaster itself from a security attack, you can help protect the things the toaster communicates with (e.g., your email server). So if a botnet tries to come into your network through your toaster, you need to be able to detect it using security monitoring before it can do any damage. (Sound too much like science fiction? Take a look at this story about a hacked tea kettle.)

Monitoring is important not only for protecting your own company, but others as well. As the IP camera botnet attack showed us, IoT devices can be used to launch other attacks, too. So just by plugging a device in, you could be opening the doors for an attacker to use it to then attack another company, much in the way the Dyn attack played out. Monitoring can help detect malicious activity like this, whether it’s directed at you or not.

3. Weigh the Risks: Nice-to-Have Technology vs. Big Security Risk

At the end of the day, you’ll want to determine whether the benefits of your IoT devices outweigh the potential security risks. While you’re probably not going to throw away your sensors or robots anytime soon (and that’s fine), just choose wisely where and how you use them.

For example, if you want an Alexa in your office, it might not be a good idea to place it in your board room, or any place where sensitive conversations could happen, since you can’t guarantee that it won’t be tapped into. If you’re having a hard time figuring out a place it could go that wouldn’t be in the crossfire of confidential conversations, then you need to decide whether having it in your office is worth the benefits, given the potential security implications. (For interesting insights into the ethical and legal complexities surrounding data that is collected by virtual assistants, take a look at this article.)

Reminder: If Security Isn’t Automated, It Won’t Be Effective

Just about every security incident post mortem proves that if security isn’t easy and automated, there will be gaps, and those gaps will be found and exploited.
Digital security should be the new form of consumer protection and safety, but it won’t be until governments mandate that manufacturers make this a reality for IoT devices. In the meantime, the onus is on the users of IoT to add the necessary layers of protection. And while the best practices listed in this post are a great start, to ensure that the doors are truly locked and our data is safe, we need to automate security so we can focus on all the other benefits that  IoT brings to our work and personal lives.