READ TIME: 4 MIN
Are Your IoT Devices Leaving the Door Open for Hackers?
- Could smart light bulbs in your office provide threat actors an entryway into your IT network?
- Could a fish tank thermometer be a portal hackers exploit to steal your customers’ financial information?
- Could your smart fridge be part of a botnet used to launch distributed denial-of-service (DDOS) attacks?
Undeniably, these scenarios read like some sort of fever dream, like a dystopian novel written in 1993 when the World Wide Web was still young and full of mystery.
But in 2023, these scenarios are reality. Harnessing the global connectivity we now take for granted, the internet of things (IoT) has taken the world by storm, with a multitude of smart gadgets that feed our insatiable hunger for convenience, pique our curiosity about the leading edge of tech, and dazzle us, honestly, just by being plain “cool.” The enticing frontiers of tech often come with their risks, however, and with IoT, cybersecurity risks are significant for both individuals and businesses.
How Do IoT or “Smart” Devices Create Cybersecurity Risks for Businesses?
If your business uses IoT devices like smart thermostats, wearable technologies, smart assistants, or internet-accessible security cameras or doorbells, to name just a few, your entire IT network may be subject to cybersecurity risks common to such devices. These security risks emerge from factors including:
- Poor or Limited Security Measures: Many smart devices are developed to meet cost and efficiency imperatives. The downside to such emphasis is often a lack of attention to security features. This can create cyber vulnerabilities due to issues like lack of encryption, substandard authentication processes, or failure to provide timely security updates.
- Default User Credentials: IoT devices are often programmed with default usernames and passwords that do not meet strong password criteria. For example, manufacturers may designate default credentials that are well-known, that can be easily guessed, or that could be quickly unlocked by hackers using a password cracker. Although end users do have the option to change device credentials upon initial installation, many users fail to do so. This makes their IoT devices essentially an “unlocked front door” to their entire IT network.
- Lack of Firmware Updates: As with any technology, IoT devices may have unidentified security vulnerabilities that are only discovered after they are released to the market. Standard practice for technology manufacturers is to release security updates as soon as possible to patch vulnerabilities that threat actors may exploit. However, although some IoT manufacturers may release regular firmware updates to fix these issues, there are still many that do not adhere to this well-established procedure for supporting customer cybersecurity. This leaves consumers in the difficult position of trying to identify which manufacturers they can rely on for updates, and which they cannot.
- Substandard Encryption: Encryption, the process through which data is converted into a secret code that conceals the information it contains, is often insufficient in IoT devices. The result of poor encryption is that it makes it easier for threat actors to intercept and decipher user data that is transmitted over networks. This leads to serious privacy concerns.
- Data Privacy Issues: Many users or businesses are unaware that IoT devices collect large amounts of data once they are deployed. If users are not fully aware of what data is being collected or how it will be used, they are clearly not empowered to make judgments with regard to data privacy. Importantly, if such data falls into the wrong hands—which the previous bullet established as a distinct possibility—it can place businesses, employees, and other entities in the business ecosystem at risk of identity theft or other privacy-related issues.
- Physical Vulnerabilities: Finally, because IoT devices are often installed in public spaces or in easily accessible locations throughout the workplace, this makes them prone to tampering by malicious actors. Physically tampering with an IoT device can degrade its security, creating a window of opportunity for hackers looking for a way into the business’ IT network.
Protecting Your Business Against IoT Cybersecurity Risks
Given the above vulnerabilities, how is a business to proceed if it chooses to use smart devices in the workplace? Following are recommendations for protecting your business against IoT device-related cybersecurity risks:
- Cybersecurity Assessment: Given the complexity and variability of IoT device cyber risks, most small and medium-sized business (SMB) leaders benefit from the counsel of a cybersecurity expert when addressing IoT-related cyber risks. To get a comprehensive picture of your organization’s security, with full attention to how any IoT devices may be affecting your security posture and how to secure each one, there is no substitute for a professional assessment.
- Password Policy: An absolute must with IoT devices is that you establish a policy that requires changing default credentials upon installation. Furthermore, as with your devices and applications, your business should have mandatory password criteria that are communicated via a clear policy. For example, the policy should stipulate that all passwords meet requirements related to length, uppercase and lowercase letters, numbers, and symbols.
- Firmware Updates: As with any updates, firmware updates for IoT devices must be installed promptly. When considering the addition of new smart devices to your network, do your homework and identify manufacturers with good track records related to firmware updates.
- Decommission Unsecured Devices: For those IoT devices that are not secure due to physical tampering or lack of firmware update availability, the safest choice is to remove them from your network and replace them with devices that can be secured.
- Security Policy: IoT devices have become so commonplace that employees may use them in the workplace without thinking to notify IT. To counter this risk, communicate clear policies to employees regarding use of IoT devices in the workplace.
- Multi-Layered Cybersecurity: Because IoT devices sit within a larger IT network, their compromise may open the door to malicious activity that spreads throughout the network. A multi-layered cybersecurity program contributes to the overall security of your entire network through monitoring and alerting functions that help you to identify, halt, and remediate any emerging threats in real-time.
Providing expert cybersecurity assessments, cybersecurity policy consultation, and a wide range of cybersecurity services and solutions, NexusTek has supported SMBs to maintain IT excellence for over 25 years.
Need guidance on securing IoT devices? Consult with a cybersecurity expert today.