Operational and Data Integrity Risks of IoT for SMBs

The continued rise in the number of Internet of Things (IoT) connected devices has brought about a host of security challenges for many businesses. Most small and medium businesses don’t even realize that they have IOT devices – but if you have an internet enabled thermostat, camera system, vehicle tracking devices, or any other “smart” technology, you have IOT on your network.

As manufacturers compete in a race to bring their IoT devices to market, most fail to include even the most basic security controls necessary to protect the networks these devices connect to or the data they collect or transmit. This leaves businesses in all industries extremely vulnerable to a variety of security risks and cyber threats especially if they are installed without being properly configured and secured (most cameras never have their default passwords changed)

If your business has adopted IoT devices or has imminent plans to do so, there are five major security risks you need to take into consideration to successfully maintain the security of your IT operations and the sensitive assets those IoT devices connect to.

Inadequate Patch Management

Timely patching is crucial for all internet-connected devices. Many IoT devices available today lack the capability to be patched with security updates – leaving them exposed indefinitely to risks that only increase over time. Many IoT device manufacturers do not bother with modern update mechanisms; meaning, some IoT devices function on unsupported legacy operating systems, making them impossible to patch.  This is why it is critical to buy devices from well known, trusted vendors who have a track record of producing high quality, secure devices, and who provide ongoing support and updates.

IoT’s pervasive utilization of rudimentary Operational Technology (OT) systems that lack the choke-output filters essential to effectively prevent or mitigate the spread of destructive malware, which serves as an unprotected “backdoor” for hackers to infiltrate business systems and steal sensitive data or extort money.  There are now many examples of devices such as cameras, thermostats, and basic network equipment being compromised and used to execute large scale, distributed cyber attacks.  Many of which could have been mitigated by simply changing out the default usernames and passwords on those devices during the setup phase, or applying the latest available software patches.

Lack of Proper Encryption

It is rare for IoT technology to contain even the most basic encryption systems included during manufacturing. The lack of encryption controls leaves all data transmitted in connection with IoT devices completely unprotected. While the various security concerns alone are significant, the failure to properly encrypt your customer or employee data and PII, both in transit and at rest, is a violation of most data protection regulations worldwide. Non-compliance often results in hefty financial penalties, operational disruptions and devastating reputational damage. 

Absence of Regulatory Requirements

Since IoT devices are purpose-built to house sensors which have the ability to collect, store and share all direct and indirect communications or data interconnected with the devices, it is important to consider the high probability that your business’ sensitive or proprietary information could be accessed or exposed without your knowledge or permission. Currently, IoT product manufacturers have no universal standards or global regulations to comply with when it comes to explicit security or data privacy controls required for production. Without universal standards or accountability via enforcement, it’s easy to understand how IoT devices generate increased risks and threats to IT security and data protection.

Now take a moment to imagine the terrifying possibility that a lack of global requirements for IoT technology could ultimately be responsible for harming people. Without total control over the security of IoT devices, the devices become extremely vulnerable to hacking and corruption. This could potentially create very real, life-threatening situations, especially if medical IoT devices such as pacemakers, blood pressure monitors or continuous insulin regulators were to malfunction or fail, leading to death because of a security breach.

Default Password Vulnerabilities

Many IoT devices come with weak default passwords that can be easily cracked by cybercriminals. While these can be changed once connected to a network, end users often ignore or neglect changing passwords, which can leave devices vulnerable.

Inability to Detect Breaches or Predict Threats

IoT ecosystems are very complex, making it difficult for businesses to manage IoT security with a single solution. Due to vast and diverse data types and computing powers across all IoT devices, a “one size fits all” security solution is unrealistic. Moreover, there is a general lack of understanding and awareness of IoT security risks at the end-user level. Businesses need to be aware of the different IoT security threats to be able to implement security policies.

Primary threats that IT must address while deploying IoT devices in their networks are:

  • Denial of Service

A denial-of-service (DOS) attack is an attempt by a cybercriminal to incapacitate a network with an excessive surplus of the kind of activity that the network usually handles. Since IoT devices lack filtering chokepoints such as firewalls, malware can spread easily, allowing hackers to gain entry into the network with one IoT device.

  • Passive Wiretapping

Passive wiretapping or eavesdropping involves the theft of information transmitted over the network by the IoT device.  Think about all of the cameras deployed in workplaces and what information could be collected by accessing those video and audio feeds.  With very high resolution IP cameras being the standard there is a very real risk that they can zoom in on screens and documents, potentially exposing sensitive information.

  • Structured Query Language Injection

Structured query language injection (SQLi) controls a web application’s database server, allowing hackers to tap into sensitive information such as usernames, passwords and user permissions. Hackers can then take over the entire network by tricking a web application to allow authentication without a valid password or by adding and deleting users and changing their permission levels.

  • Wardriving

Wardriving involves the act of searching unsecured Wi-Fi networks by a hacker in a moving vehicle and then potentially gaining access to them. Unsecured IoT devices and default admin passwords on a network are easily discoverable for this kind of attack.

  • Zero-Day Exploits

IoT devices are honeypots for zero-day exploits. Zero-day vulnerabilities constitute of software security flaws that are currently unknown and are exploited before patches are released for them. With more employees working from home and using personal Wi-Fi and interconnected devices, IoT devices can prove to be hazardous for a company’s IT environment.

How to Overcome IoT Security Challenges

Many SMBs struggle with budget and skill constraints to fully and consistently implement and manage IT security. Partnering with a Managed Service provider who specializes in IT, network and data security, and has experience managing effective cybersecurity strategy, can help accelerate your success.

Here are a few ways MSPs can help their clients enhance their IoT security positioning:

  • Identifying Security Gaps in the Environment

It all starts with identifying vulnerabilities in a network by conducting risk assessments in your environment and analyzing any potential security gaps.

  • Implementing Layered Security Procedures

This involves the deployment of advanced security tools and procedures that protect IoT devices from infiltration. These include tools that automate patch management, implement two-factor authentication, enable compliance with security policies and monitor backups to bolster security.

  • Advanced Email Security

This entails the deployment of email security solutions that protect clients’ employee mailboxes, limiting the spread of ransomware. These solutions detect unsafe emails and attachments and deter phishing attempts.

  • Security Awareness Training

MSPs also provide training to their clients on how to recognize phishing emails and avoid opening emails from untrusted sources.

Tier 3 IT Solutions has deep experience and expertise in Cyber Security and Cyber Risk Management and can help your business review, evaluate, and protect your critical devices, services, and data. Contact us today to learn more about how we can help.