The Internet of Things, or IoT, basically consists of anything and everything that can connect to the Internet that isn’t a computer, tablet, or smartphone. IoT devices range from smart doorbells to connected coffee machines and refrigerators. And these devices are being connected to business networks at a rapid rate – far faster than the ability to secure them is growing. Herewith, some thoughts on the problem and recommendations for vendors and users. But first, a trip to the store.
Cybersecurity and the IoT: Are You Smarter Than a Chain Retailer?
If you haven’t done so yet, try this. Find a local outlet of a retail chain that offers a mobile app with any useful in-store navigation features. Download the app to your smartphone. Then go into that outlet. Then see if (1) you can get a usable cell signal, (2) the store offers free Wi-Fi, and/or (3) you can log into the free Wi-Fi network easily and quickly on the first try.
I have been frustrated by this endeavor enough times to surmise the following. These stores are operated by people smart enough to operate stores that (mostly) make money, even with sometimes-impossibly-thin margins. Some of those people are also smart enough to have built a decent mobile app, and to offer free Wi-Fi inside their stores. Yet they have not connected enough dots to figure out that bad in-store connectivity hobbles the app, makes the Wi-Fi a waste of money, and turns off customers.
A quick online search confirms that there are Wi-Fi and cellular signal boosters small and cheap enough to put one in each store. It would not surprise me to learn that no one with enough influence to change the status quo at any retail chain under scrutiny here knows this. Or even sees the status quo as a problem or an opportunity.
What’s this got to do with your business and the Internet of Things (IoT)? I respond with two questions.
Given the above circumstances, how prepared to deal with the security challenges of the IoT do you believe these otherwise smart store operators to be?
Do you have any credible evidence that your business is as prepared as or more prepared than they are to deal with those challenges?
Cybersecurity and the IoT: The Scope of the Problem
Herewith, some relevant and sobering indicators, as curated and summarized by Frederic Paul in his March 28, 2018 “Techwatch” column for NetworkWorld.
“Gartner just predicted that IoT security spending will hit $1.5 billion by the end of the year, up 28 percent from 2017, and more than double to $3.1 billion by 2021.”
“Among other things, all those dollars are intended to help prevent the ‘catastrophic’ effects of a data breach or cyber attack on IoT devices. That may sound hyperbolic, but according to the recent Second Annual Study on the Internet of Things (IoT): A New Era of Third-Party Risk from the Ponemon Institute and Shared Assessments, that’s what 97 percent of surveyed risk professionals feared would be the result of an attack on unsecured IoT devices. More than half (60 percent) saw IoT vulnerabilities to ransomware attacks.”
“According to [a recent Economist Intelligence Unit (EIU)] study, huge majorities of consumers around the world don’t think their IoT data is safe, and they want something done about it before the problem spirals out of control:
“92 percent say they want to control what personal information is automatically collected.
“74 percent are concerned that small privacy invasions may eventually lead to a loss of civil rights.”
Cybersecurity and the IoT: What You Should Do Now
Know what’s on your network(s).
Users: if your organization has any IT asset management (ITAM) resources, make sure they can track and flag IoT devices as they attempt to connect. If you don’t have any ITAM resources, IoT growth is a strong incentive to acquire them. You can start with visual observation and manual record-keeping, but start. Now. You can’t protect what you don’t know about. Vendors: if your ITAM solutions aren’t IoT-ready, make them so, deliver add-ons that are, or partner with an IoT security solution provider. Now.
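One way to begin the manual record-keeping described above, as an added example that is not part of the original article: compare a hand-maintained inventory against the DHCP server's lease list and flag every device that has no record. The inventory columns, the sample devices and the choice of a dnsmasq-style lease file are assumptions, and all data shown is constructed.

```python
import csv
import io

# Constructed sample: a manually kept inventory.
INVENTORY_CSV = """mac,owner,description
00-11-22-00-00-01,facilities,lobby thermostat
00:11:22:00:00:02,it,conference room display
"""

# Constructed sample in dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
LEASES = """1700003600 00:11:22:00:00:01 192.168.10.21 thermostat-1 *
1700003700 00:11:22:00:00:09 192.168.10.37 coffee-maker *
1700003800 de:ad:be:00:00:03 192.168.10.44 * 01:de:ad:be:00:00:03
not a lease line
"""


def normalize_mac(mac):
    """Lowercase, colon-separated form so both sources compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text):
    """Map normalized MAC -> inventory row."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def flag_unknown_devices(lease_text, inventory):
    """Return one finding per lease whose MAC is missing from the inventory."""
    findings = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue  # not a lease entry
        if mac in inventory:
            continue
        # Locally administered bit set: software-assigned (often randomized)
        # address, so a MAC-keyed inventory cannot track this device reliably.
        randomized = bool(int(mac[:2], 16) & 0x02)
        findings.append({"mac": mac, "ip": fields[2], "hostname": fields[3],
                         "randomized_mac": randomized})
    return findings
```

Calling `flag_unknown_devices(LEASES, load_inventory(INVENTORY_CSV))` on the sample data reports the coffee maker and the device with the randomized address; the thermostat is already on record and is not flagged.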
No one gets in without a password.
Many IoT devices sold today have little to no built-in cybersecurity. Some come equipped with passwords that are simple to guess and difficult to change. Some rely on software that is difficult or impossible to patch or update as threats and remediation measures evolve. Vendors: stop making and selling these. Users: don’t buy these, and don’t let them connect to your network(s), at work or at home.
It’s all about users and data.
Eventually, IoT devices will be more secure and more easily securable. And more networks will be smart enough to help users guard against threats from inadequately secured IoT devices. Until then, however, users and data still need protection. Users: ensure that your critical data and user devices are protected with strong passwords, two/multi-factor authentication, regular, timely backups, and frequent user education. Vendors: ensure that your IoT solutions enable and support these and other protections, as seamlessly and non-disruptively as possible.