What CFOs Need to Know: Internet of Things Security Risks
Do you think monitoring light bulbs is an information technology (IT) responsibility? Maybe you should. Smart light bulbs, along with smart thermostats, smart refrigerators, connected cameras, and other connected “Internet of Things” (IoT) devices are almost invisible to us. But because of their connections to the Internet, they add load to your network. Worse than that, they add risk.
These devices have limited computing power, so they often don’t encrypt their communications, and applying security patches to them is difficult. Because installing them is often literally as easy as screwing in a light bulb, tracking where these devices are deployed is difficult. Even though these devices don’t themselves access your corporate data, an intruder can use them to get into your network and access systems and databases. Because many IoT devices control physical objects, the dangers can extend beyond the virtual world and create risks in the real world.
IoT Security Risks
These vulnerabilities are widespread. An HP study in 2014 found that 70 percent of IoT devices were susceptible to common risks. IoT devices can endanger your systems in these ways:
- They aren’t built with security in mind. Many IoT devices are created by small startup firms that aren’t focused on security. The devices may be built with third-party components that don’t offer security, and the limited computing power restricts how much security can be added on. These devices are also often connected to backend websites that may lack appropriate controls.
- They can be used in distributed denial of service (DDoS) attacks. Some malware searches the web for unsecured IoT devices and uses them to mount a DDoS attack against a target website.
- They lack intrusion detection controls. Because there’s limited security around accessing these devices, they can be manipulated by unauthorized users. How much work will your business get done if a hacker shuts off your smart light bulbs?
- They come with default credentials. Devices often include a preset administrator ID and password, which may not be reset during installation. Using default settings makes devices accessible by almost anyone.
- Updates may not be applied securely. Some devices don’t automatically apply firmware upgrades, which is problematic. Many devices that do download updates don’t encrypt or sign those patches, meaning the patches can be intercepted and replaced with malicious software. If a company stops supporting a particular version of its IoT hardware, newly identified vulnerabilities may not be patched.
Protecting Against IoT Security Risks
Defending against IoT security risks starts with implementing a process to identify and track these devices when they are installed. Companies should establish IoT policies that define the types of IoT devices allowed to connect to their network, the way a BYOD (bring your own device) policy defines which mobile devices can connect. The company’s Wi-Fi network should be protected with passwords and a VPN to allow only authorized connections.
You can protect your network against IoT risks with the same tools, such as firewalls and traffic monitoring, that you use to protect against other threats. Prescient Solutions’ team of certified security professionals can help you develop a comprehensive approach to network security that includes your traditional IT devices and the newer connected devices that aren’t normally thought of as IT. Contact us for a free infrastructure assessment to identify your risks and help you start planning how to address them.