The IoT (Internet of Things) evolution is occurring in business and personal lives. The revolution is amazing as it transforms the way we think and act, and the confusion around how to secure IoT is real. While IoT is one of the newest buzzwords, it’s also something we in the privacy and security field need to pay very close attention to. No doubt this capability will transform the way we think about privacy and security, similar to the way it will transform our business and our lives.
Many businesses are already taking full advantage of the functionality related to IoT. For instance, companies are helping farmers by using IoT sensors to monitor soil moisture and field conditions, and by letting them control those things via smartphones (article here). Another example is how the medical field is using IoT to provide better service and, more importantly, to monitor the health of individuals remotely (article here). More and more, we are seeing businesses transform the way they do things to better the community as well as their own profitability.
Transformation at Home
Certainly, we’ve all heard of Alexa by now. This and other comparable systems are popping up everywhere as a way to control smart devices in the home. No longer do you need to get up to turn off a light, or adjust the thermostat, close the blinds, or even vacuum your house – now you can simply shout out a command or use your smart phone to manage these things. Some say it’s laziness, others say it’s a convenience. I for one have my Roomba set to vacuum my house at a set time every day. It’s a time-saver for me!
Impact on Privacy and Security
While there are wonderful things happening in the world using IoT, where there is good, there is the potential for bad things to happen as well. Hacks have already occurred where major consequences are being realized. Whether it’s lost profitability at businesses due to an IoT device that allowed attackers into their network, or the potential for catastrophic loss related to unmanaged medical devices, cars, and more, the developers of these devices must ensure security is built in (reference here).
Certainly, one part of the overall risk equation is the “likelihood” of exploit. Today, that likelihood may be lower in many cases, but I believe as the technology and usage evolve, the hacks will become more likely to occur. Attackers today don’t always look for specific targets; they scan for the easiest way to exploit a vulnerability. Unfortunately, they won’t have far to search as we continue to embrace technology without embracing the security aspect.
Protection in an IoT World
Companies already struggle with building a mature privacy and security program, and users simply don’t know what to look for as it relates to technology vulnerabilities. While that may sound like doom and gloom, there are some very basic things you can do to make that likelihood of exploit go down:
- Always change the default passwords! This tip is on all of the lists, yet for some reason, it’s still not done. What about those devices that are already on your network? Go check those now.
- Understand the exposure. Read the contract language and ensure you have protections in place, both legally and technically.
- Keep it updated. If you’re not seeing updates, ask the vendor.
- Protect the devices from your corporate network. Whether that is through segmentation or other compensating controls, this is a must.
- Educate your company. The best way to help prevent issues is to teach people about the risks and how they can identify and prevent incidents (including IoT risks).
- Do you really need it? Probably not, but you want it, right? So, just keep it in the back of your mind as you are expanding your IoT at home. Remember, your vacuum could be the attack point on your network that allows the bad guys to get to your personal information on your computer.
- Understand the exposure. Read the Terms and Conditions before you click “accept” so that you know the data that your new IoT device is gathering and how it is accessing your environment.
- Choose reputable IoT products. The companies that specialize in smart devices may be a better choice.
- Name and protect your products wisely. Whether choosing the name for your WiFi or IoT device, when products ask, use names that do not give away your identity. When passwords are available, use them.
Those are just a few suggestions for protection. Of course there are a number of technologies out there that are good in this space. Personally, I like what CloudPost has to offer. It deals both with inventorying your IoT devices as well as securing them. There are others that deal more with cloud-based applications that can help with other business problems (Netskope is good here), so be sure you know the problem you are trying to solve prior to purchasing the latest and greatest tool.