The Internet of Things, or IoT, is a simple term. It refers to devices connected to the internet, supplying and exchanging data and information with other sources.
Around the home, some of the most common IoT devices are fitness-tracking watches or similar devices. Smart doorbells and thermostats also fall into the same category. In the workplace, printers, scanners, TVs, Wi-Fi connections and even modern company cars are IoT enabled, while smartphones are arguably the ultimate example.
These days, more and more people have IoT devices. Most people have several, and households and businesses will likely have dozens, if not hundreds, on-site. The appeal of these devices comes from their ease of use. But what about the security risks?
They’re actually quite significant: if just one of these devices is compromised, viruses and malware could infect everything else on the network. The sheer volume of data they collect is also a risk. For example, if a hacker gets into your IoT device, they can find out where you live, when you’re likely to be in, what time you get home, when you go to bed and what you tend to read and watch. The implications for personal and business privacy are, frankly, terrifying.
However, there are steps you can take to secure them. Here are five quick tips to help you protect yourself, your business and your devices.
Inadequate authentication and authorisation
Smart devices are designed to be quick and easy to use. It all fits in with the sleek and modern feel they’re created to have. While this leads to an exciting end-user experience, it causes significant security risks.
For example, once a smartwatch is connected to your phone (to tell everyone how many steps you did today), it’s permanently connected. You don’t have to authorise it every time you connect or even every day or week. That means your watch is like a gateway into your phone that you’ve already approved. Any flaw in the watch’s security becomes a flaw in your phone’s security… and, by extension, your home or business security.
The most critical preventive measure is verifying that the permissions a device or app asks for are reasonable, based on the purpose of the IoT device. For example, if a smart lightbulb asks for permission to view your bank account (to state the absurd), that should be an immediate red flag. But if it asks to track your whereabouts so it knows when you are due to arrive home and can switch itself on, you may be OK with that. However, you still ought to be asking what it’s going to use the tracking data for, and whether you should enable that feature. So, monitoring permissions and regularly removing those granted to old or unused IoT devices is essential.
So, too, is adopting a Zero Trust security model, requiring authentication from all devices with every new connection.
Lack of encryption
A fluid user experience and fast communication often come at the cost of security.
A vital part of this is encryption. Any encrypted data naturally takes longer to transfer and process, as both devices (the sender’s and receiver’s, respectively) are required to encrypt and decrypt the information.
Lack of encryption leaves data more vulnerable. For instance, one of your staff members might use an IoT camera that allows them to view your data centre remotely over the internet, but is so inadequately secured that anyone can view it. Beyond this, hackers could gain access to the device, add it to a botnet and use it, together with other compromised devices, in a DDoS attack against someone.
So, always use devices with encryption, making it a term of use for your business. Again, pair this with regular security scans.
Most IoT devices have very little ‘on-board’ storage, so they stream what they need to store over the internet to a cloud service. This is why most IoT devices are tied to subscription services…
Cheap IoT devices also have less on-board memory and storage, lower-spec CPUs and less performant, less secure encryption processors. In general, this means they offer less security. Before you buy, check what encryption is supported.
Some of the most common devices without sufficient security are cheap IoT plug sockets or lightbulbs. If a cybercriminal can get into a plug socket (which often isn’t too difficult), they’ll have access to your network. Remember, most cybercriminals are looking to make money, so their goal will be to either make you pay money by using the IoT device as a bridgehead to install crypto malware on your PC, or make someone else pay money by using the device as part of a botnet.
So, ensure all your devices are set up by a professional – even relatively simple units like printers. They should check each one has sufficient protection from this kind of threat.
Outdated software/firmware
Outdated software and firmware are some of the most common ways for criminals to access your devices and network. Many people forget about regular updates and give up when old programs lose technical support. This doesn’t sound like much, but it’s a gaping hole in your security.
When device manufacturers and developers release a new software version, it almost always includes security and bug patches. Without these changes, the device is susceptible to infiltration from hackers. The update also means everyone can find out where the ‘old’ vulnerabilities are and where to attack anything that hasn’t been updated.
Turn on notifications for updates so you’re always up to date. Make it part of your daily work routine.
Bear in mind that most IoT devices are installed once and then left, and most don’t require a user to regularly log in and look at them.
So, security must be considered at the point of purchase and at first setup.
Buy devices where historically the manufacturer has regularly released security patches and shows commitment to continue doing so. And when you first configure, use or access the device, make sure ‘automatic updates’ are enabled and set all the security features at that point. Ideally, look for a vendor that offers a feature to automatically configure it securely.
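The permission review described under "Inadequate authentication and authorisation" and the update checks described in this section can be run together as a routine audit of a device inventory. The following Python script is an added example, not code from the original article; the device names, permission names, firmware versions and the 90-day "unused" threshold are all constructed assumptions.

```python
from collections import namedtuple
from datetime import date

# Assumed policy: permissions that are reasonable for each device type.
ALLOWED = {
    "lightbulb": {"local_network", "location"},
    "watch": {"bluetooth", "notifications", "health_data"},
    "camera": {"local_network", "camera", "cloud_storage"},
}
STALE_AFTER_DAYS = 90  # assumed cut-off for "old or unused"
Device = namedtuple("Device", "name kind perms last_seen firmware latest auto_update")

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("hall-bulb", "lightbulb", ["local_network", "location", "contacts"],
           date(2024, 5, 30), "1.4.2", "1.4.2", True),
    Device("old-watch", "watch", ["bluetooth", "notifications"],
           date(2023, 12, 1), "2.9.0", "2.10.1", True),
    Device("yard-cam", "camera", ["local_network", "camera"],
           date(2024, 6, 1), "3.0.0", "3.0.0", False),
    Device("desk-bulb", "lightbulb", ["local_network"],
           date(2024, 5, 31), "1.4.2", "1.4.2", True),
]

def version_key(text):
    # Compare numerically: as plain strings, "2.9.0" would sort after "2.10.1".
    return tuple(int(part) for part in text.split("."))

def audit(device, today):
    findings = []
    # Unknown device types get an empty allow-list (default deny).
    extra = sorted(set(device.perms) - ALLOWED.get(device.kind, set()))
    if extra:
        findings.append("excess permissions: " + ", ".join(extra))
    idle = (today - device.last_seen).days
    if idle > STALE_AFTER_DAYS:
        findings.append(f"unused for {idle} days: revoke its permissions")
    if version_key(device.firmware) < version_key(device.latest):
        findings.append(f"firmware {device.firmware} is behind {device.latest}")
    if not device.auto_update:
        findings.append("automatic updates are disabled")
    return findings

def audit_all(inventory, today):
    report = {d.name: audit(d, today) for d in inventory}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_all(INVENTORY, date(2024, 6, 1)).items():
        print(name, "->", "; ".join(found))
```

Devices with no findings are left out of the report, so an empty result means every device matches the policy.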
Physical tampering
Physical tampering should also be considered a real threat. Anyone entering your business could deliberately alter devices to be less secure or allow access to the premises.
One of the most effective ways to protect yourself against physical tampering is to limit access (physical and virtual). For example, install numerical code locks or identity-based access systems in secure areas. You could even give staff chipped ID cards, only allowing each person in places they’re permitted to see. These same principles can be applied online, of course.
It’s also worth thinking about whether you really need the device. Does it add any value? Is there a business case to support its use, or is it just a nice gadget to use and show off? If it’s the latter, and doesn’t offer any tangible business benefits, don’t use it.
Depending on your business, some areas might need to be open to the public (such as a shop front or the wall in front of your premises). In these cases, take extra care and use locks and protective structures to protect devices from tampering.
Let AMDH help
IoT devices are great, allowing for more streamlined ways of communicating, collaborating and working. But security must come first. We strongly encourage all businesses (and homes) to take precautions like those listed above.
AMDH Services provides expert IT consultancy services. We’re based in the East Midlands, and we’ve made it our mission to streamline your processes and help you maximise profit.
For more information on how we can help you keep your devices and network secure from all threats, why not get in touch?
We’d be pleased to explain what we can do for you in a commitment-free, friendly chat at a time that suits you. Interested? Contact us using the form below. We’ll get back to you as soon as we can.


