IoT devices can pose a serious threat to network security. What can businesses do to protect themselves? In a recent article on IoT security, we explored how IoT devices can provide weak points of entry to business networks, exposing them to malware and attacks from cyber criminals.
The introduction of connectivity to devices not originally designed for the IoT, devices created by developers without experience in high security environments, and the ease of finding connected devices via internet searches have turned the average IoT product into a fundamental threat to organisations.
With the availability and variety of IoT devices continuing to grow, this problem – if left untreated – is only going to get worse. But what can businesses do to make themselves more secure in an IoT powered world?
We examine five steps towards better IoT security.
Use a separate network
Businesses usually set up guest networks to separate verified, employee connections from those of visitors, so why should IoT devices be any different? For maximum security, IoT devices should operate on their own network in the workplace, and be protected by a firewall. This facilitates the monitoring and blocking of incoming traffic, making attacks less likely.
It also safeguards the core business network in the event of a security breach. The creation of a separate network for IoT items is particularly important where companies allow employees to connect their consumer grade devices – such as fitness trackers – to the workplace, as these devices are not normally designed with corporate security in mind.
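As an added example (not part of the original article), this nftables ruleset shows the separate IoT network described above on a Linux router acting as the firewall. The interface names, subnets, management host address and permitted ports are assumptions to adapt to your own network.

```nftables
#!/usr/sbin/nft -f
# Added example: all names and addresses below are assumptions.

define IOT_IF      = "vlan30"         # assumed IoT VLAN interface
define CORP_IF     = "vlan10"         # assumed core business LAN interface
define WAN_IF      = "eth0"           # assumed internet uplink
define ADMIN_HOSTS = { 10.10.0.20 }   # assumed management workstation

# Create-then-delete so reloading this file does not duplicate rules.
table inet iot_segmentation
delete table inet iot_segmentation

table inet iot_segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed between segments is dropped.
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were permitted to start.
        ct state established,related accept
        ct state invalid drop

        # Only the management host may open connections to IoT devices.
        iifname $CORP_IF oifname $IOT_IF ip saddr $ADMIN_HOSTS tcp dport { 22, 443 } accept

        # IoT devices may never open connections into the core network.
        # Logged so a compromised device probing the LAN is visible.
        iifname $IOT_IF oifname $CORP_IF counter log prefix "iot-to-corp blocked: " drop

        # IoT devices may reach the internet only for DNS, NTP and HTTPS
        # (name resolution, time sync, updates and cloud back ends).
        iifname $IOT_IF oifname $WAN_IF udp dport { 53, 123 } accept
        iifname $IOT_IF oifname $WAN_IF tcp dport { 53, 443 } accept

        # Unsolicited inbound traffic from the internet to IoT devices is
        # logged and blocked.
        iifname $WAN_IF oifname $IOT_IF counter log prefix "wan-to-iot blocked: " drop

        # The core business network keeps its normal outbound access.
        iifname $CORP_IF oifname $WAN_IF accept
    }
}
```

The log prefixes give the monitoring side of the firewall: a rising counter on the `iot-to-corp` rule is a signal that a device on the IoT segment is attempting to reach the core network.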
Encryption won’t prevent an attacker from infiltrating a network, but it will make it difficult for them to read any information they obtain. This is particularly important when IoT devices collect sensitive personal information, such as health or behavioural data.
Although it is an effective security measure, it’s not always possible to use encryption for IoT data, as some IoT devices simply don’t support this feature. Equally, if the business operations the data is needed for are time sensitive, then encryption may not be a practical solution. If this is the case, the use of VPNs is another useful way of restricting the extent to which data is exposed within an organisation.
Turn off unnecessary functionalities
Sometimes, our devices are capable of doing so much more than we actually need them to, and it is the same with the IoT. The trouble comes, however, when these added capabilities create security risks by increasing the surface area for a cyber attack. Smart TVs, for example, are a common presence in many companies today.
But, if they are merely used for display purposes then they don’t need to be connected to the network. Switching off this functionality reduces the attack surface for your business. The same applies to individual features built into devices, such as cameras and microphones. If they aren’t needed – switch them off. Your network security will thank you.
Follow password best practice
Good password practice is an internet security no-brainer. But it’s surprising how many businesses fail to implement password hygiene, with many still allowing the use of weak, duplicate or shared passwords in their organisations.
According to a 2018 survey by LastPass, a password management company, only 45 per cent of businesses use multifactor authentication – an important line of defence in keeping devices secure. All businesses should aim for this multi layered authentication system in their IoT devices where possible, with the addition of strong, complex passwords. Access to IoT devices should also be closely guarded, with permissions granted on a need to know basis.
Be a serial updater, and review the back end
Just like the firmware and software in our other electronics, the firmware and software in IoT devices needs to be kept up to date. Updates should either be applied automatically as soon as they become available, or picked up through monthly checks.
If you have IoT devices which can’t be updated, then it is unwise to use them in business, as they represent a serious vulnerability. It’s also important to thoroughly research the security credentials of the apps and back end services associated with the devices. If these apps have poor security, then this will translate across to your devices, your network and your business.
After the explosion of IoT connectivity in recent years, effective security is now seen as a major stumbling block to the success of this technology. If the IoT is to fulfil its potential moving forward, then it needs a serious security reboot – fast.
Although there are no real limits to what you can do to protect your business network, these five points are important steps towards securing enterprise IoT devices. At this stage, it seems businesses might just have to take the initiative themselves…