Recently, you have probably been reading a lot about the predictions of cybersecurity risks for 2018, what to expect and what will be targeted.
One of these topics is around IoT, Internet of Things. Much of the time these things are installed and ignored, generally speaking organisations don’t think of the potential cybersecurity around these things nor do they spend the money to protect them.
IoT can be defined simply as any computing device which could be mechanical, digital, objects etc that have their own unique identifiers and have the ability to communicate with other computers/devices or transfer data. Some examples are: Parking meters, smart TVs, smart watches, wireless presenters, thermostats, cars and the list goes on!
Apart from large organisations, the general population also use and purchase IoT devices. Generally, these devices are bought at competitively cheap prices for both corporate and personal use. Manufacturers are increasingly making these devices cheaper and cheaper to sell and attract more people to buy.
However, what most businesses don’t realise is that these devices can store or transfer personal information and they are not exactly built with the most robust and safe security mechanisms. As these devices get cheaper so does the security on them, they become more basic and simple.
People connect these devices through their homes (e.g. computers, TVs, mobile phones) and their offices and don’t realise that these devices sit on your network, and as a result have access to your information. Most of the time this is where hackers get the entry point they want into your network to snoop around before they do anything severe.
Here are a few things you can do to cure your security headache with IoT devices:
· Use a risk-driven strategy. Just like any other deployment your approach for deploying IoT devices should always follow a risk-driven strategy. This is not just a tick box exercise and should be used to consider both IT and business risks.
· Ensure you are tracking and managing your IoT devices effectively. Although this sounds easier to say then do its always a great starting point to understand what devices you currently have at home and in the office. This can be difficult to do manually if you have a large number of IoT devices so you can consider using an asset management tool.
· Observe the data flow. If you want to secure the IoT devices you need to understand how your IoT devices are interacting with the data and what data is flowing through the devices. You can check whether the data generated by your IoT devices is in a standard format or in a format which can be easily utilised by your business. Understand whether you have sensitive data flow through your IoT devices to ensure you appropriately secure the devices.
· Consider patching. Where possible patching should be kept up to date. This is not only for security reasons but also business requirements.
· Perform testing. This is also a key step because when businesses perform penetration testing (or any other security testing) the IoT devices are generally not within the scope of the testing. They should be in scope for testing to figure out where and what the weaknesses are.
· Change default passwords. This is so important, as many people and businesses will not see this as a weakness. Default passwords are set by the vendor generally to configure the device. In some cases, these passwords cannot be changed and can be difficult to change. But if you can change them then its strongly recommended that you do.
· Get up-to-date encryption protocols. You should consider encrypting your data which flows in and out of your IoT devices.
Written By Tulin Sevgin, Cyber Risk Lead, InConsult