Connected devices are delivering value across an ample spectrum: energy management, smart buildings, manufacturing, commerce, travel, healthcare, and transportation. The sector’s rapid growth has inconvenient consequences including new layers of inefficiency and potential vulnerabilities with seven of every ten connected IoT devices lacking security safeguards. While most large enterprises have secured their IT infrastructure by monitoring all entry doors, the house now has the windows open to potential intruders.
Connected devices are a welcome innovation and venture investment on “Internet of Things” reached a new high of $1.4 billion in 2016. Now that everything, from automated manufacturing or smart thermostats to our hairbrushes, is connected to the internet, there are more cybersecurity threats than there have ever been. At the root of the problem, is that the devices span so many different types of various manufacturers, that the Internet of Things has become difficult to manage.
We have developed a fragmented IoT ecosystem that delivers value on particular niches but is becoming a multi-headed monster that is hard to tame as we do not even have complete visibility of its actual dimensions.
Of course, we have experienced what happens when we lack visibility of our exposure to vulnerabilities. In today’s fast, connected world, cyber attacks have become a fact of life. We experience millions of attacks per day, and some are successful. From the September hacking and releasing of dozens of testing records of athletes conducted by the World Anti-Doping Agency, to the massive October cyberattack that wiped out major websites such as Netflix, Twitter, Amazon, and Spotify for over 11 hours. While the release of athlete records resulted from the spear phishing of email accounts, the October cyber attack was the result of something we are only now quickly realizing is a significant threat.
Many were surprised to find out that the cyber attack that shut down their social media for an entire day was the result of hacking connected devices, like printers, DVRs, and appliances.
As the Harvard Business Review points out, in their report How Smart, Connected Products are Transforming Companies, “the job of ensuring IT security now cuts across all functions. Every smart connected device may be a point of network access or a target of hackers.” While connecting devices to the internet have brought us massive amounts of data that had otherwise laid dormant, we have opened ourselves up to many security vulnerabilities.
The Global State of Information Security Survey found that seven of every ten connected IoT devices lack security safeguards.
One glaring flaw in these devices is their weak authentication features. When HP did a study revealing security defects in IoT products, they found that 8 out of 10 “things” still had the same default password given by the manufacturer. This is probably the easiest way in which hackers can infiltrate systems, considering many manufacturer default passwords are set up with weak authentication such as “1234” or “1111”. Companies have so many devices, spread across so many manufacturers with different systems that their IT leaders don’t have the visibility to be aware of these issues.
Most big companies have secured their IT infrastructure by monitoring all entry doors, the house now has the windows open to potential intruders.
Another source of vulnerability lies in product updates as connected devices need updates on a regular basis to remain safe against increasingly sophisticated cyber-threats. If software and firmware patches to address vulnerabilities are not installed timely, the risk of cyber attacks increases. Despite this, less than one of every two manufacturers offer remote updates for their smart “things.” There isn’t much of any economic advantage for manufacturers to continue providing support for their devices and enterprises pay the price. They are unaware of when their devices need updating, whether it’s the security cameras of a hotel building or the fire alarms of a large sports stadium. If enterprises can’t see these updates, then they cannot protect themselves.
Over the past 15 years, the IT industry made tremendous progress towards better compliance and risk monitoring and mitigation; the industry needs to take the same approach for the more than 20 trillion sensors and connected devices expected to be in place by 2020. To start securing all those windows, we must start with figuring out how many we have and how many are left open and vulnerable; otherwise, cyber attacks will find the open window into our enterprises.
- “Security Challenges in the Internet of Things (IoT).” InfoSec Resources. Infosec Institute, 30 Nov. 2015. Web. 02 Feb. 2017.
- Leswing, Kif. “A Massive Cyberattack Knocked out Major Websites across the Internet.”Business Insider. Business Insider, 21 Oct. 2016. Web. 02 Feb. 2017.
- “Cyber Hack Update: Data Leak concerning 41 Athletes from 13 Countries and 17 Sports (September 23, 2016).” World Anti-Doping Agency. WADA, 03 Oct. 2016. Web. 02 Feb. 2017.
- Porter, Michael, and James Heppelmann. “How Smart, Connected Products Are Transforming Companies.” Harvard Business Review. Harvard Business Review, 12 Feb. 2016. Web. 02 Feb. 2017.