As IoT devices become more widely used in businesses, there are benefits and risks to using them. Businesses need to ensure proper integration of these devices.
When they hear the term “IoT” or “smart technology,” many people think of personal devices: smart watches, Amazon and Google home assistants, refrigerators with touchscreens, etc. But the range of devices now available for consumption has expanded exponentially and businesses around the world are eating them up. It’s good news for the companies that produce these devices, but IoT devices pose an inherent security risk to every network they touch and need to be properly integrated into the business ecosystem.
Security has been on the minds of business leaders worldwide throughout 2020. The shift to remote work forced changes to digital transformation plans and security got set aside in an effort to speed up the transition. Many leaders are learning now what IT professionals have been saying for years: Security cannot wait until later. Later never comes and therefore security is never addressed. 2020 is a small taste of what can happen when security is put off in favor of speed.
Many businesses were lucky in that their security or configuration weaknesses were found by research companies as opposed to bad actors. There are a few exceptions (Twitter, YouTube, Garmin, the entire healthcare industry), but for the most part, businesses were alerted to these problems before damage could be done, giving companies a chance to fix issues before exposure. You can be sure that will not be the case if we continue to put security to the side.
The problem with IoT devices is that they do not have any form of built-in security. For consumers, this means something very different than it does for businesses. Consumers are looking to protect their personal data and there are simple ways to do that at home. Businesses, on the other hand, have anywhere from hundreds to hundreds of thousands to millions of customers. All of those customers have information stored at those businesses. And if an IoT device is connected to the same network as that stored data, it would be relatively simple for a hacker to expand from the weak IoT device to internal business systems.
This is the inherent risk with IoT devices. There’s often no built-in security, so they are easy targets for bad actors. We’ve actually seen instances of exposure stemming from smart fire alarms, smart coffee pots and IV pumps. Hackers know these are a problem and will seek them out as an easy access point. That said, there are things a business can do to mitigate that risk and reduce the chances of exposure.
- Have multiple networks for specific systems. You want to provide WiFi to your customers but you obviously don’t want them to connect to your internal WiFi, so you set up a guest network. This is the network you use to set up your IoT devices, or, even better, set up a network just for those devices that doesn’t touch any other network in the company. (As an aside, it’s also a good idea to have your core internal systems on their own network and stored customer data on its own network, too.)
- Always change usernames and passwords. IoT devices tend to arrive with generic login information, so it is imperative that you change this before you connect the device to the internet.
- Make sure all IoT devices are updated with the latest firmware and patching. Almost all devices will have to be updated at some point, and not every device is set up to update automatically. It’s important that there is a schedule for updating the firmware in these devices.
- Turn off voice controls. In a business setting, it’s unlikely that you want to talk to your IoT devices anyway, but there are devices that will listen if voice controls are not turned off. The last thing any business wants is an IoT device recording a sensitive conversation and randomly emailing it to customers and/or business partners.
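As an added illustration (not part of the original article), the four checks above can be run against a device inventory and a list of firewall allow rules. The segment names, addresses, rules, devices and the 90-day firmware schedule are all constructed assumptions.

```python
from datetime import date
from ipaddress import ip_address, ip_network
# Constructed sample data: segment names, addresses and rules are hypothetical.
SEGMENTS = {
    "iot": ip_network("10.20.0.0/24"),
    "internal": ip_network("10.10.0.0/24"),
    "customer_data": ip_network("10.30.0.0/24"),
}
ALLOW_RULES = [  # (source, destination) pairs permitted by the firewall
    ("10.10.0.0/24", "10.30.0.0/24"),
    ("10.20.0.0/24", "10.10.0.5/32"),  # IoT segment can reach an internal host
]
DEVICES = [
    {"name": "lobby-tv", "ip": "10.20.0.11", "default_creds": False,
     "firmware": date(2020, 11, 2), "voice": False},
    {"name": "coffee-pot", "ip": "10.10.0.44", "default_creds": True,
     "firmware": date(2019, 6, 1), "voice": True},
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def leaky_rules(rules):
    """Allow rules that let the IoT segment reach any other business segment."""
    iot = SEGMENTS["iot"]
    others = [net for n, net in SEGMENTS.items() if n != "iot"]
    return [(s, d) for s, d in rules
            if ip_network(s).overlaps(iot)
            and any(ip_network(d).overlaps(o) for o in others)]

def audit(device, today, max_age_days=90):
    """Return the list of checklist items this device fails."""
    findings = []
    if segment_of(device["ip"]) != "iot":
        findings.append("not on dedicated IoT network")
    if device["default_creds"]:
        findings.append("default username/password still set")
    if (today - device["firmware"]).days > max_age_days:
        findings.append("firmware older than update schedule")
    if device["voice"]:
        findings.append("voice controls enabled")
    return findings

if __name__ == "__main__":
    print("leaky rules:", leaky_rules(ALLOW_RULES))
    for dev in DEVICES:
        print(dev["name"], audit(dev, date(2020, 12, 15)) or "ok")
```

The firewall check matters as much as the per-device checks: a device sitting on its own network is not isolated if an allow rule still lets that network reach internal hosts.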
According to Kaspersky, stealing information and trying to extort businesses in an effort to make money is not all that can be done with an IoT device. The devices can also be used as “bots to deliver computing power for a DDoS attack, click fraud, password cracking or send out spam or mine cryptocurrency.” And if someone is using your IoT device in this manner, it’s likely going to have an impact on your internet strength and the functionality of the device.
“The scale of botnets can be devastating. The Mirai botnet hacked into IoT devices as long ago as 2016 and managed to create a swarm of 100,000 hijacked IoT devices. Each device might have been weak in computing power but put 100,000 together, and you’ve got some serious resources to work with.
Mirai used a classic vulnerability; the fact that owners had left the default factory usernames and passwords on the devices, making them easy to take over. It then launched a DDOS attack that brought down core provider Dyn.
Mirai’s original creators were tracked down and put behind bars. But Mirai is still mutating — and it’s still a threat.”
So, before you start bringing smart TVs or other IoT devices into the office, do your homework. Look at the security of each device before you purchase and follow the tips above to ensure the device doesn’t lead to an attack, a breach or anything else detrimental to your business. 2020 was a tough year for the entire world; don’t make 2021 the same way. And always remember, if you’re unsure about anything, consult an expert!