5 Ways To Secure Your Business From IoT-Related Data Breaches

The IoT (Internet of Things) has garnered massive popularity over the past few years. Businesses around the world are leveraging the power of the IoT to put efficient processes in place, enhance asset utilization, increase productivity, and cut costs. However, organizations should also assess the risks associated with using these devices and how to address them.

The Ponemon Institute asked 605 security experts about any data breaches related to IoT devices in their organizations. In 2017, as many as 15% said yes, their organizations had experienced a cyberattack or data breach due to unsecured IoT devices within the past year. That number increased to 21% in 2018, suggesting a rise in IoT-related security breaches.

Irdeto surveyed 700 organizations from different industries and found that 80% of them experienced IoT-related cyberattacks in the past 12 months. 90% of these attacks resulted in operational downtime and compromised the data or security of the end user.

These attacks not only call the integrity of IoT devices into question, but they also put a massive amount of data at risk. The biggest problem with IoT devices is that there is no set standard of security because of their wide, non-standard purposes.

Securing these devices requires securing the infrastructure components that combine to make up the IoT system. These include hardware, sensors, connectors, gateways, and application software.

A typical IoT system needs to be divided into 4 different parts before it can be assessed for threats. These parts have different attack surfaces that need to be addressed to secure the network.

  1. Device – Attack surfaces include memory, firmware, USB ports, web and admin interfaces, etc.
  2. Communication Channels – Attack surfaces typically include Bluetooth and Wi-Fi.
  3. Cloud Interface – Attack surfaces may include poorly encrypted data, default credentials, and weak passwords that are more vulnerable to cyberattacks and security threats.
  4. Application Interface – These apps are only as secure as the developers who build them and their focus on security. For instance, a skilled developer may create a poorly secured app if they work in an organization that doesn’t focus on security. A poorly secured app will have numerous attack surfaces.

Even though there are many different attack surfaces, as mentioned above, organizations are continually increasing the use of IoT devices. Healthcare, food production, manufacturing, finance, and energy are some industries IoT has remodeled in the past few years.

For instance, IoT devices have made remote monitoring of patients possible in the healthcare sector, enhancing the potential to keep patients healthy and safe, while empowering doctors to deliver superlative care.

Another great example of how the IoT has transformed the way industries work is in industrial manufacturing. IoT has taken intelligent devices and networked sensors and put those technologies to use directly on the manufacturing floor, collecting important data to drive predictive analytics and artificial intelligence.

With such a great response, even the manufacturers are rolling out new devices in short periods. The IoT industry was worth $190 billion in 2018, and it is expected to reach $1,102.6 billion by 2026.

This rapid demand keeps developers on their toes to make the devices more and more stable, sometimes overlooking security.

The potential for data breaches is directly proportional to the number of devices. The risk is not limited to data, either: IoT devices can also be used in actual physical attacks.

For example, if there are IoT security cameras in an organization, they can be hacked to get a blueprint of the floor plan to carry out an organized heist.

With such precarious implications, securing IoT devices has become essential for any organization. Every CISO (Chief Information Security Officer) should be aware of the following practices that can help them secure IoT devices on their networks and minimize the possibility of an attack.

1. Compile A List Of IoT Devices

It is essential to know which devices are connected to your network and what their uses are. While all devices need to be secured, you must prioritize the devices that handle the most sensitive information.

During this discovery audit, you may find some devices that shouldn’t be on your network. These could be your employees’ or partners’ personal assistants or smartwatches that have connected to your secure network.

These devices may have had temporary connectivity, but somehow, they received permanent access. To help secure your business from IoT-related data breaches, identify any such devices and remove them from your network or segment them into a different untrusted network.
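
One way to run the discovery audit described above, shown as an added example that is not part of the original article. The inventory, the observed-device list, the field names and the action labels are all constructed assumptions, and the MAC addresses come from the documentation range.

```python
from datetime import date

# Constructed sample data (assumptions, not from the article). MACs use the
# RFC 7042 documentation range. sensitivity: 3 = most sensitive data.
INVENTORY = {
    "00:00:5e:00:53:01": {"name": "hvac-controller", "sensitivity": 2, "access_until": None},
    "00:00:5e:00:53:02": {"name": "badge-reader", "sensitivity": 3, "access_until": None},
    # Temporary vendor access that should have ended on this date.
    "00:00:5e:00:53:03": {"name": "vendor-tablet", "sensitivity": 1, "access_until": date(2024, 1, 31)},
}
# Devices seen on the trusted network, e.g. exported from DHCP leases.
OBSERVED = [
    {"mac": "00-00-5E-00-53-01", "hostname": "hvac-controller"},
    {"mac": "00:00:5e:00:53:02", "hostname": "badge-reader"},
    {"mac": "00:00:5e:00:53:03", "hostname": "vendor-tablet"},
    {"mac": "00:00:5e:00:53:99", "hostname": "smartwatch-7f"},
]

def norm(mac):
    """Normalize MAC notation so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")

def audit(observed, inventory, today):
    """Reconcile devices seen on the network against the approved inventory."""
    approved = {norm(m): rec for m, rec in inventory.items()}
    findings = []
    for dev in observed:
        mac = norm(dev["mac"])
        rec = approved.get(mac)
        if rec is None:
            # Unknown device: remove it or move it to an untrusted segment.
            findings.append((mac, dev["hostname"], "segment-or-remove", 0))
        elif rec["access_until"] and rec["access_until"] < today:
            # Temporary access that quietly became permanent.
            findings.append((mac, rec["name"], "revoke-expired-access", rec["sensitivity"]))
        else:
            findings.append((mac, rec["name"], "keep-and-secure", rec["sensitivity"]))
    # Devices needing action first, then approved devices, most sensitive first.
    findings.sort(key=lambda f: (f[2] == "keep-and-secure", -f[3]))
    return findings

if __name__ == "__main__":
    for mac, name, action, sensitivity in audit(OBSERVED, INVENTORY, date(2024, 6, 1)):
        print(f"{action:22} {mac}  {name}  (sensitivity {sensitivity})")
```

MAC addresses can be randomized or spoofed, so a match against the inventory is a starting point for the audit rather than proof of a device's identity.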

2. Build A Collective And Secure Network Framework

There are various stakeholders of IoT devices, and any plan to secure these devices will have to be a collective effort.

Business units will have to work together to secure the devices with multi-layered protection to thwart attackers. At a minimum, the security layers will delay an attacker, allowing time for detection and response to a given attack.

It should also be noted that the devices that hold the most sensitive information should be on a separate network altogether. The better you can protect your devices from the network, the more your network will be protected.

3. Inspect And Prepare Your Vendors

Businesses that provide goods and services to you can also cause security breaches on your network.

For example, the infamous Target data breach happened because their HVAC (heating, ventilation, and air conditioning) subcontractor stored network credentials on their system, which was later compromised due to an IoT-related attack.

Your vendors can put you at risk of an IoT-related data breach, which is why it is essential to have a vendor risk management program.

Many security teams find it difficult to monitor what data their vendors and partners store, and how secure their networks are.

54% of respondents in the Ponemon study said that they are not sure if the IoT security policies of their vendors are enough to stop a breach. 44% said that the complications of IoT devices and the number of vendors/partners make this task even more difficult.

The best way to deal with this problem is to identify and test the security levels of any IoT product you buy for your enterprise.

If you find the security provided by them is sufficient, you can put it in the contract to make sure that they continue to provide the same level of security.

Test their commitment every year, and let them know of any discrepancies related to their network and system security. If they fail to fix them in the stipulated time, you can hold them liable for breach of contract and look for other solutions that are committed to security.

4. Use Certifications And Develop IoT Security Expertise

IoT vendors will go out of their way to tell you how secure their devices are. They may boast about their various certifications but be unable to provide validation because of the complex nature of IoT devices.

Some organizations, such as NIST and Underwriters Laboratories (UL), are developing standard certifications for IoT devices. While they may be far from a definitive result, they are working towards the same goal: to develop a standard for IoT devices that will help prevent IoT-related data breaches.

Until these organizations reach a final result, IoT security should become an integral part of your overall efforts at securing your company’s network. The standards set by the manufacturers are not yet enough.

Securing the OS and firmware of IoT devices, and providing API security for third-party integrations, are some of the most critical parts of this process.

5. Carry Out Regular Audits And Drills

Internet-related threats are developing and multiplying every second. The best a CISO can do is to regularly study these threats, and equip all devices with the latest security patches for known threats.

However, these devices are often difficult to patch, so it is recommended to have a patch strategy, or to be able to pull them offline easily, to avoid disrupting the user experience or causing unplanned downtime.

Constant monitoring of IoT devices can also help you detect attacks at an early stage and limit the damage caused.

Cyberattack drills can also help you prepare for the worst-case scenario. Simulate an IoT-related breach through a different form of attack every time to keep your security team prepared. Document every detail, and try to beat your achievements from the previous drill to improve your responsiveness against such attacks.

No Time To Waste

Setting up various forms of security measures, like firewalls, spam filters, two-factor authentication, etc., will be of no use if you leave the IoT backdoor open.

The time has come for manufacturers to pay as much attention to the security of their devices as to any other part of their business.

At present, IoT security may feel like a completely unorganized area, and that is partially true. The more time companies waste, the more data breaches will happen because of IoT devices.

Standards for IoT security need to be set so that organizations can continue to use these devices without hesitation.

Aaron Cure
Aaron Cure is the Principal Security Consultant at Cypress Data Defense and an instructor and contributing author for the Dev544 Secure Coding in .NET course. After 10 years in the U.S. Army, I decided to switch my focus to developing security tools and performing secure code reviews, penetration testing, static source code analysis, and security research.