IoT? What about ‘The Security of Things’?

Monica Brink

The Internet of Things (IoT) is well and truly upon us, and will clearly be even more prevalent in the future, writes Monica Brink. Today, the IoT is already branching out into commercial networks as well as enterprise applications. Smart devices are becoming more commonplace in our households. Everyday appliances are now able to communicate with the Internet to help our lives run more smoothly. Interconnected devices are essential tools in our working lives as well. This is all fantastic news, isn’t it?

While it’s easy to be excited about all the new gadgets that the era of the IoT has delivered, it’s important to take a step back from all the excitement and talk about security.

Millions of people across the globe are connecting with these devices and sharing valuable data. However, the potential misuse of this data still remains fairly well hidden, disguised under the IoT’s novelty halo effect.

Information security experts have long warned that IoT devices are set to be a security nightmare as they’re often deployed with little or no consideration for security. The $64,000 question is: ‘Are enough people aware of this, and are the right security measures being taken, particularly by organisations that need to protect business-critical and sensitive data?’

Recent DDoS attacks such as that experienced by the DNS provider Dyn – which made it impossible to access the likes of Twitter, Amazon and Netflix – should serve as a serious wake-up call.

Little protection from misuse

In its early days, the World Wide Web brought with it little protection from misuse. This, of course, generated consumer distrust, consequently slowing down initial e-commerce efforts. If we fast-forward to the present day, it’s now the case that e-commerce represents around 15% of all retail sales in the UK, with an expected £5 million spent online during the last Black Friday event in the UK alone.

This is no doubt due to the fact that, today, data encryption and other security measures are simply assumed. People no longer fear sending their credit card information over the wire. As a result, security issues are for the most part kept in the background. It almost seems as though we’re in a cycle in which consumers and organisations blindly trust companies with their valuable data, and it’s only when a case of known and reported intrusions arises that action is taken and data security examined.

In some respects, this also echoes the initial response to the cloud, which saw low user adoption for the first few years due to worries around the security of data being stored offsite. Compare that to the beginning of this year when, according to the Cloud Industry Forum, the UK Cloud adoption rate climbed to 84%.

It has been found that most of the IoT devices hacked to date have had default usernames and passwords, and at no point had the manufacturers prompted users to change them. Increasingly, hackers are able to use malware to scour the web for devices that have only basic security and detect vulnerabilities. This enables the hackers to upload malicious code such that the devices can be used to attack a targeted website.

Owners remain unaware

What’s really worrying is that the owners of the IoT devices are usually unaware of the attack. This is because, once a device has been hijacked, it can be impossible to tell, as such devices often continue to work exactly as normal. Issues will then begin to occur behind the scenes when the compromised system is subsequently put on the same network as personal computers, corporate servers and even confidential Government data.

Without knowing which devices exchange data within a specific network or the Internet as a whole, there’s no way to develop an adequate security strategy. In theory, every single device that’s being added to a network needs to be evaluated, but this process is every bit as painstaking as it sounds.

Whether it’s the IoT or the cloud, companies need to begin using security technologies and procedures that have already been proven to be reliable. This means applying on-premise levels of IT security to cloud workloads. For example, two-factor authentication, role-based access control, encryption and vulnerability scanning can provide a protective shield for the cloud that scans all incoming and outgoing data for malicious code, regardless of the device being used.

The right level of security technologies embedded into the cloud platform allows companies to gain control of all web-based traffic to actively manage which communications should be permitted and which should be blocked.

Recent high-profile cyber attacks and, increasingly, ransomware threats have spurred a long overdue discussion about the gaps in IoT security. Unless the security side of the IoT is sorted out, it could hold back wider adoption of the technology.

Early adopters beware: the best advice is to follow the data. Know how the company behind your latest gadgets and interconnected devices handles security and ensure that any cloud provider is able to provide you with the reports and ongoing visibility that will enable security settings to be managed and maintained at all times.

Monica Brink is EMEA Marketing Director at iland

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
