There’s a lot of concern about Internet of Things security – or lack of security – today.
The IoT is the growing network of connected devices.
Internet of Things devices include smart phones, coffee makers, programmable thermostats, smart TVs, and medical and other wearable devices. Devices are embedded with sensors that allow data to be collected. They’re linked to the Internet so data can be accessed, uploaded, and further processed.
In a recent forecast, Gartner Inc. estimated that this year 6.4 billion connected 'things' would be in use around the world by consumers and enterprises; this is an increase of 30% compared to 2015. By 2018, the number is forecast to reach 11.4 billion.
Gartner also predicted that by 2020 more than 25% of identified attacks in organisations will involve IoT.
Unfortunately, many IoT devices lack common security measures, which means cyber criminals can hack into them, resulting in data breaches and other crimes.
While breached wearable devices and cars seem to get the most headlines, there have been reported attacks against point-of-sale systems, ATMs and home routers too.
“As more connected devices generate big data, users should be concerned about securing that data against hackers,” stated an Argus Insights paper. Big data and cybersecurity were the most discussed concerns in a recent Argus report that analysed millions of social media comments about IoT.
What do organisations need to know about the Internet of Things and security?
- Policy: It’s important to have a security policy for IoT device-use in the workplace. Security and risk should always be assessed before purchasing smart devices.
- Choice: Don’t purchase smart devices that are not protected or don’t comply with your security policy. Encourage IoT device manufacturers and service providers to implement security safeguards in their products.
- Safeguards: Carefully review security and privacy options of devices. There should be two-step identification, firewalls, and anti-malware features. Create unique passwords and usernames. Check the manufacturer’s website for updates that address security vulnerabilities. (Avoid devices that don’t have effective security patching.)
- Exfiltration: Understand the data ‘exfiltration’ (transfer of data) policy of the device. Find out what data is being exfiltrated to determine risks to your business.
- Network protection: Use network monitoring and segmentation in workplaces to protect confidential information. Network segmentation is splitting a computer network into sub-networks to minimise access to sensitive information.
- Remote access: Disable or block remote access, and only enable it when necessary, advised a Computer Weekly article. “If remote access to smart devices is enabled by default, it may be the device is ready to welcome any attack.”
- Protected workplace: Have a comprehensive internal document management policy. Keep only confidential information that is needed for compliance purposes and business. Securely destroy information that is no longer needed. Partner with a trusted document destruction company that has secure chain of custody destruction services for paper documents and hard drives.
Information security isn’t always this complicated. A clean desk policy is one of the simplest, most effective ways to protect confidential information in the workplace.