The internet of things (IoT) is growing so fast that it is often described as the next industrial revolution. MarketsandMarkets forecasts that the internet of things will grow at a steep 26.9 percent compound annual growth rate (CAGR) from 2017 through 2022, expanding from $170.57 billion to $561.04 billion over that period. IDC projected that global spending on the IoT will be almost $1.4 trillion in 2021. McKinsey predicted that the total impact on the worldwide economy will be as much as $11.1 trillion by 2025.
Despite the IoT's promise, it has had a reputation for quite some time as a problem area for security. There are various steps you can take to reduce your risk so that your business can leverage the IoT to its full potential. (To learn about how IoT is affecting business, check out The Impact Internet of Things (IoT) is Having on Different Industries.)
Use protections against DDoS attacks.
One of the IoT's best-known security problems is botnets: compromised IoT devices are conscripted by cybercriminals into distributed denial of service (DDoS) attacks. Internet access is essential to organizations in today's economy, and firms depend on it for business continuity; that dependence only grows as mobile, software-as-a-service and cloud technologies are integrated into the business. The good news about DDoS is that it is a long-standing threat, so the industry has had time to develop layered defense plans. Use ISP-based or cloud scrubbing services in addition to the protections you implement on-site, and make sure your own devices are not the ones being recruited: an IoT device on your network that joins a botnet makes you part of someone else's attack.
Update the passwords.
Security standards for the internet of things are largely the same as in other settings, and one of the first steps is to eliminate default passwords: change every factory-set credential before a device goes on the network. You do not have to invent passwords yourself, since password managers and generators will produce strong ones for you. If you do it yourself, the basic rules for strong passwords, per the nonprofit Privacy Rights Clearinghouse, are as follows:
- Avoid identical passwords for different accounts.
- Avoid personal details.
- Avoid dictionary words.
- Avoid repetition or sequential numbers/letters.
- Include a few special characters (symbols).
- Go long (since brute force can easily crack a password of seven or fewer characters).
- Consider a password built with the first letter of each word in a song title or phrase.
- Store passwords on paper in a locked location.
- Implement a password manager (such as Firefox's, per the PRC).
- Change any weak passwords, and regularly change all passwords. (For a different view on password safety, see Simply Secure: Changing Password Requirements Easier on Users.)
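The rules above can be enforced mechanically before a credential is set on a device. The following is an added example, not code from the article or from the Privacy Rights Clearinghouse: it checks a candidate password against the listed rules (length, special characters, repeated or sequential runs, dictionary words, the username as a personal detail) and against a list of factory defaults, and generates a compliant password from a cryptographic random source. The 12-character minimum, the small word list and the default-credential list are assumptions chosen for illustration.

```python
"""Check and generate passwords against the rules listed above.

Added example; this is not code from the article or from the Privacy
Rights Clearinghouse. MIN_LENGTH, the word list and the default-credential
list are assumptions chosen for illustration.
"""
import secrets
import string

MIN_LENGTH = 12          # assumed: the article only says seven or fewer is too short
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SPECIALS = set(string.punctuation)

# Constructed lists. A real check loads a full wordlist and the vendor's
# documented factory credentials for the exact device model.
DICTIONARY_WORDS = {"password", "admin", "welcome", "summer", "dragon", "qwerty"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("root", "")}


def has_run(pw: str, length: int = 3) -> bool:
    """True if `length` identical or sequential characters appear in a row ('aaa', 'abc', '321')."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the rules a password violates; an empty list means it passes."""
    problems = []
    if (username, pw) in DEFAULT_CREDENTIALS:
        problems.append("default credential")          # factory default: must be changed
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not SPECIALS & set(pw):
        problems.append("no special characters")
    if has_run(pw):
        problems.append("repeated or sequential characters")
    low = pw.lower()
    if any(word in low for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if username and username.lower() in low:
        problems.append("contains the username")        # a personal detail
    return problems


def generate_password(length: int = 20) -> str:
    """Draw from a CSPRNG (the secrets module) until the result passes every rule."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("ops", "Xk9!abcQp2#rt"), ("ops", "correct-horse$Battery9x")]:
        print(f"{user}/{pw!r}: {check_password(pw, user) or 'ok'}")
    print("generated:", generate_password())
```

The generator uses `secrets`, not `random`, because a password drawn from a predictable generator is only as strong as the seed; and the checker rejects the factory pair before anything else, since a long, complex default that is printed in the manual is still a known credential.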
Also ensure that none of your IoT devices connect to open Wi-Fi hotspots automatically, a point made in an April 2018 report from the Online Trust Alliance (OTA) covered by Jon Gold in Network World.
Use security as a part of the buying process.
Factor in the risk of an IoT product as you weigh its value. Connecting a refrigerator might not be a good idea. Since there is inherent risk in connecting any device, make sure that adding it to your network brings enough value to justify that risk. "We need to appreciate that every connected device is a computer with an operating system and applications that potentially have vulnerabilities," noted Darren Anstee, CTO of Arbor Networks. To decide whether connecting a particular device is worth it, include the cost of learning how to protect it properly.
Once you decide it does make sense to connect that type of device, consider the security of the device itself as you compare options before buying. Look into the manufacturer's track record: have their products had vulnerabilities, and if so, how quickly did they patch them? Check as well whether the vendor states for how long the device will receive security updates.
Dig into documentation.
Read the terms and conditions carefully, advised Mika Majapuro of F-Secure. Few people enjoy reading small-print legalese, but that language tells you what data the device gathers, which in turn shows you what is exposed if the device is compromised.
Perform secure endpoint hardening.
IoT devices often operate unobserved, which is itself a vulnerability. It is wise to make such equipment tamper-proof or tamper-evident, noted veteran engineer and IT executive Dean Hamilton. Preventing physical tampering helps keep attackers from extracting your data or conscripting your hardware into a botnet.
To harden IoT endpoints, put several layers in place so that an unauthorized party has to get through multiple defenses to reach your systems. Address all known weaknesses; common examples include unencrypted data transfer, code injection through the device's embedded web server, open serial (debug) ports on the board, and unnecessary open TCP/UDP ports.
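Two of the weaknesses just listed, unencrypted transfer and open TCP/UDP ports, can be audited from the device's own socket table. The following is an added example, not code from the article: it parses a constructed `ss -tulpn` listing of the kind a Linux-based device would print, ignores sockets bound only to loopback, and flags exposed plaintext services (telnet, FTP, TFTP, HTTP) as high and any other exposed port outside an allowlist as medium. The sample listing, the plaintext-service table and the allowlist are assumptions for illustration, not a vendor baseline.

```python
"""Audit a device's listening sockets against a hardening policy.

Added example (not from the original article). The input is a
constructed `ss -tulpn` listing; the policy values are assumptions
chosen for illustration, not a vendor baseline.
"""
import re
from dataclasses import dataclass

# Constructed sample: what `ss -tulpn` might print on a small Linux-based device.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=412,fd=3))
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("httpd",pid=500,fd=4))
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("httpd",pid=500,fd=6))
tcp   LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("ctrl",pid=501,fd=5))
udp   UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*         users:(("ssdpd",pid=600,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=300,fd=3))
"""

# Assumed policy: services that carry credentials or data in clear text, and the
# only ports this device class is allowed to expose beyond loopback.
PLAINTEXT_SERVICES = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}
ALLOWED_EXPOSED = {("tcp", 22), ("tcp", 443)}
LOOPBACK = ("127.", "::1")

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    severity: str
    port: int
    proto: str
    reason: str


def parse_ss(output: str) -> list[Socket]:
    """Turn `ss -tulpn` text into Socket records; handles IPv4 and bracketed IPv6 addresses."""
    sockets = []
    for line in output.splitlines()[1:]:        # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)        # "0.0.0.0:23" and "[::]:22" both split here
        addr = addr.strip("[]")
        m = PROC_RE.search(line)
        sockets.append(Socket(proto, addr, int(port), m.group(1) if m else "?"))
    return sockets


def is_exposed(s: Socket) -> bool:
    """A socket bound to loopback is reachable only from the device itself."""
    return not s.addr.startswith(LOOPBACK)


def audit(output: str) -> list[Finding]:
    """Apply the policy: plaintext services are high, other unlisted exposed ports are medium."""
    findings = []
    for s in parse_ss(output):
        if not is_exposed(s):
            continue
        if s.port in PLAINTEXT_SERVICES:
            findings.append(Finding("high", s.port, s.proto,
                f"{PLAINTEXT_SERVICES[s.port]} ({s.process}) accepts unencrypted traffic on all interfaces"))
        elif (s.proto, s.port) not in ALLOWED_EXPOSED:
            findings.append(Finding("medium", s.port, s.proto,
                f"{s.process} listens on {s.proto}/{s.port}, which is not on the allowlist"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"[{f.severity}] {f.proto}/{f.port}: {f.reason}")
```

On the sample, telnet and HTTP on all interfaces are reported as high, the SSDP/UPnP discovery port as medium, while SSH and HTTPS pass and the loopback-only control port is ignored. Run the same check from outside with a port scanner as well, since a device can expose services that its own socket table does not show (for example through a separate management processor).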
Apply all updates to devices as they are released.
When a manufacturer fixes bugs, those fixes should show up in your IoT network promptly. If a couple of months go by without any software updates, it is time to be concerned and find out why. Manufacturers go out of business, and when they do, the device's security is no longer maintained; plan for replacing or isolating devices that no longer receive updates.
Partition off the IoT from the rest of your network.
If you can, put your IoT devices on a separate network of their own. Put a firewall in front of it and monitor it proactively. Separating the IoT from the rest of your IT environment keeps the risks inherent to the IoT away from your core systems. If the devices report to a back end, one option is to host that back end with a provider whose data centers have been audited under the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) and hold Service Organization Controls 1 and 2 (SOC 1 and SOC 2) reports. Note that such a report attests to the provider's controls, not to your own segmentation: the devices on your premises still need their own VLAN or subnet and firewall rules.
Harden the network.
If you run your own IoT network, it is critical to be sure that it has proper defenses in place to ward off threats. You need strong access control mechanisms and a carefully designed user authentication process so that intrusion is prevented.
As noted above, passwords should be complex and long enough that brute-force attempts do not get cybercriminals in. Two-factor authentication (2FA) or multi-factor authentication (MFA) should be used, so that a password alone is not enough (typically a one-time code sent to, or generated on, a mobile device).
You also want adaptive or context-aware authentication in place for the internet of things. This approach uses machine learning and contextual signals (such as the device, location and time of access) to continually assess risk in a way that does not interfere with a good user experience.
Embrace the IoT with strong protections.
The internet of things is becoming an increasingly important part of how we do business across industries. Device, network and data security are paramount. Take the steps above to reduce your risk and make sure the value of the IoT is not overshadowed by a costly intrusion that undermines your credibility.