5 Ways to Protect Your IoT Devices
The internet of things (IoT) is undoubtedly growing rapidly. According to Gartner the typical CIO will be looking after triple the number of IoT devices in 2023, compared to the number of IoT devices under their security remit in 2018.
This influx is caused by a mix of repurposed consumer devices, IoT devices that support infrastructure and business-specific IoT devices. Dodging the explosion of IoT devices is impossible, and yes, IoT does deliver a lot of advantages – but the security implications can be serious.
IoT security matters
Cyber security experts will know that consistent maintenance of comprehensive endpoint security is a difficult task, particularly where there is a high chance that devices can be added to a network without the knowledge of IT teams. The profusion of IoT devices significantly compounds existing problems with maintaining endpoint security.
Malevolent actors know this, and also know that IoT devices are often introduced without the knowledge of security teams. Similarly, hackers are keen to exploit the weaknesses inherent in IoT devices. Even a device with limited functionality (think sensors) can serve as an entry point for a very damaging attack. The result is a tripling of the number of malware attacks on IoT devices, in just the space of one year, according to Kaspersky.
Tips for IoT security
Clearly, companies must adopt a strategic approach to IoT security. Securing every single device is not feasible, even if attempting to secure most devices is an important step. Only a multi-pronged approach will create an effective blanket of IoT security. We think these are the five most important aspects of IoT security:
Focus on network architecture
There are several ways to fence off IoT devices to limit the repercussions of failed endpoint cyber security. If a device cannot access sensitive network resources it implies that hackers will be restricted too. Anyone that has exploited that device will also be restricted in what they can achieve.
Therefore, designing a network architecture that is sensitive to the risks posed by IoT devices can minimise the implications of a device exploit – few IoT devices need access to comprehensive resources. Instead, many IoT devices only need internet connectivity.
Vendors and firmware updates
Tech teams may not be able to manage every single individual device that joins their network, but in many cases, there is some degree of control over procurement, and access to joined devices. Wherever possible technology team should exercise discretion when choosing vendors, only picking IoT devices from suppliers that can be trusted.
Trusted vendors will release updates if and when device exploits become known. By limiting the number of vendors a company deals with it is easier to monitor the release of updates, and easier to make sure that updates are installed as soon as possible.
Use a tracking and assessment system
While it is difficult to assess which IoT devices have joined a network, it is nonetheless beneficial to at least try to build a picture. IoT devices fall into relatively predictable categories, so technology leaders can design a cataloguing system that accounts for a large proportion of exposed devices.
This creates the possibility of adapting network architecture to fit the real-world use of IoT devices. A catalogue enhances visibility into exactly how an enterprise is exposed to IoT threats. An inventory can also help with efforts to keep IoT devices up to date with the latest firmware.
Switch off unneeded features – and unneeded devices
IoT devices often comes with features and benefits that are simply not needed. Where possible, switch off features that won’t be of any benefit. A common example includes UPnP: useful in some situations, but often of no measurable value and therefore an unnecessary security risk.
This also holds true for unneeded devices. Armed with a catalogue of devices, technology teams can ensure that unutilised functionality is simply disconnected – rather than left to linger on a network with no oversight. Inventories will help with this process.
Setting up IoT devices can be time consuming but it does not mean that essential steps including the configuration of encryption protocols can be skipped. Snooping is a common hacking strategy, encryption ensures that snooping is a far more difficult exercise.
Where IoT devices do not support encryption different strategies can be used, including the use of securely encrypted network tunnels. Again, the way networks are designed can have a dramatic effect on the extent to which IoT devices pose a real threat to security.
Plan for IoT security breaches
Watertight IoT security is arguably impossible. Yes, mitigating IoT risks is an important and necessary exercise but companies should plan for the possibility of an IoT-related security breach. An action plan could include a map of the most vulnerable company data, alongside measures to contain network breaches.
Although efforts are being made to limit the risks posed by IoT devices, the fact remains that the growing use of small, connected devices pose a threat to security – from small businesses though to large enterprises. Inaction is not an option, but a concerted effort can go a long way in mitigating IoT risks.