The proliferation of everyday IoT products, such as smartphones, wireless connected cars, and cloud storage, means that it is becoming increasingly hard to ‘opt out’ as we could in the past.
In 2016, Gartner predicted that by the year 2020 there would be 21 billion IoT devices connected to the internet around the world.
A big part of this is taking place on a corporate level, with industry’s adoption of IoT occurring at a faster pace than consumer adoption.
The digitisation of processes and businesses is happening at an unprecedented rate, and is accompanied by a series of risks and vulnerabilities that can be exploited.
In the current environment, no organisation is immune to the cyber threat, and it’s not a question of if you will be attacked, but when.
The National Cyber Security Centre (NCSC) maintains that it is possible for businesses to defend themselves against all but the most determined and technically capable attackers, as long as appropriate investment is made in cyber resilience strategies.
It notes that many of the risks to organisations are enabled by the exploitation of basic and well-known vulnerabilities, and cautions that risks increase as more connected devices are deployed.
“No organisation can fully mitigate against the cyber threat. However, there are many opportunities that can dramatically reduce the potential impact of an attack by adopting the guidance and advice offered within existing initiatives.”
“The more devices that your organisation connects to the internet, the more exposed you are to potential attack, and there is a market for the many types of business and personal data that business leaders need to protect.
“Investment in cyber security is therefore critical if you wish to protect the operating capability, finances and reputation of your business.”
One area of focus for businesses, according to Steve Durbin, managing director of the Information Security Forum (ISF), should be the supply chain.
“IoT will transform supply chain leader’s access to information, as well as the exposure of operations to cyber risk,” he said.
“Organisations of all sizes need to think about the consequences of a supplier providing accidental, but harmful access to their corporate information. Even the smallest supplier, or the slightest supply chain hiccup, can have dangerous impacts on your business. Brand management and brand reputation are subject to the successful security of your supply chain and thus both are constantly at stake.
“Businesses must focus fixes on the most vulnerable spots in their supply chain now, before hackers, or other cybercriminals, find their way in to disrupt your global distribution of goods and services.”
Another potential cause for concern is the increasing reliance on cloud services. When it comes to corporate communications, the cloud has emerged as the primary way that many connected devices correspond.
“Organisations need to understand that putting private information into the cloud creates risk and must be understood and managed properly,” Durbin said. “Organisations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centres scattered across the globe. In moving their sensitive data to the cloud, all organisations must know whether the information they are holding about an individual is Personal Identifiable Information (PII) and therefore needs adequate protection.
“With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organisations need to know precisely to what extent they rely on cloud storage and computing.”
Password management is also a problem that attackers are continuing to exploit.
Companies that fail to change the default combinations on their network appliances, or change them to passwords that don’t offer enough security, open themselves up to the risk of those devices being compromised.
The release of the Mirai source code demonstrated the ease with which cyber criminals can hijack poorly protected IoT devices into botnets.
It revealed that 61 usernames and passwords were used by Mirai to hack into over 300,000 devices, which were then weaponised and used in the 2016 Dyn cyber-attack.
Speaking at the recent Scot-Secure 2017 conference, cybersecurity expert Professor Bill Buchanan emphasised the risks posed by poor password management from manufacturers, individuals and organisations.
“If a manufacturer doesn’t know that every camera should have a different password, and should be configured, then we’ve got to really worry.”
“Governments have a significant role to play in promoting IoT security. If device manufacturers cannot or will not provide sufficient safeguards, then it should be up to governments to legislate change.”
According to Durbin, some movement is already being made in this direction:
“The European Commission has said it is planning to push industry governance measures to improve the security of internet connected devices such as cameras, set-top boxes and other consumer electronics, amongst increasing exploitation of such devices to carry out online attacks.”