Smart watches, lighting, cities … is the IoT the newest weapon of the cybercriminal?
The following is a guest article from Scott Millis, CTO of Cyber adAPT.
Twenty years ago, IT networks were simple to map — once some PCs and a printer were linked to the server, most workspaces were ready to go. With a finite number of machines to protect, CIOs had a clear remit and tangible workload.
Today, offices play host to an array of connected devices from smart lighting systems to coffee makers. And that is not even mentioning the smartphones, smartwatches and other devices employees bring from home and connect to a company's network. With businesses predicted to use over 3.1 billion connected devices in 2017, and $6 trillion due to be invested in IoT technology by 2021, the business impact is undeniable.
A report from the Economist Intelligence Unit claims one-fifth of senior business leaders have already seen a positive IoT impact on their business, with almost one-third believing they will see benefits in the near future.
So, what advantages can the IoT bring to enterprise organizations?
The increase of connectivity has led more employees to work flexibly and remotely, with 43% of US workers spending time working remotely in 2016, a 4% increase from 2012. With access to email, cloud-based software and other technologies that allow tasks to be completed remotely, businesses can reduce operating costs if connected devices are used effectively.
Smart devices also offer businesses a valuable asset — data. Being able to track inventory in real time and understand consumer behavior patterns can bring about growth opportunities at scale. Data not only offers the insight to create more efficient working practices, it also opens up the potential development of new revenue streams that may have otherwise remained undiscovered, an opinion supported by 22% of senior business leaders.
Multiple industry sectors have the potential to benefit from IoT efficiencies, including manufacturing, healthcare and retail, and many have already done so. It is estimated that the industrial IoT could contribute up to $14.2 trillion to the global economy by 2030, underlining the possible opportunities.
And while more CIOs are becoming aware of the opportunities available, it is clear there are many pitfalls and challenges to be addressed before the IoT can realize its full potential.
Devices on the rise
The sheer increase in the number of connected devices and smart technologies inevitably equals a higher number of entry points and security flaws for cyber criminals to take advantage of. In 2016 alone, 2.2 billion data records were compromised and vulnerabilities were uncovered in IoT products from leading brands such as Nest.
Indeed, one of the greatest barriers to IoT implementation is a concern around security and privacy issues, as cited by 26% of senior business leaders. While 85% of enterprises are in the process of or intend to deploy IoT devices, only 10% feel confident that they could secure those devices against security threats, according to AT&T's Cybersecurity Insights Report.
Supporting this, a recent study by Ponemon Institute found IT security practitioners are more concerned about getting hacked through an IoT app than a mobile app. Despite these concerns, 54% of respondents are taking no steps to protect themselves, and 11% are unsure if their organization is taking any preventative action.
The volume of data that flows between connected devices is creating a new 'edgeless' network, making it harder for CIOs to understand and manage workplace security. Every single device, smartphones and smart watches included, is an opportunity for a hacker to seize.
One of the greatest failings of IoT devices is that most are designed with functionality top of mind, not protection. This can be seen by the fact that many products do not have the capability to automatically install crucial security updates and lack vital encryption measures — 70% of IoT devices have been found to have serious security flaws.
For IoT ecosystems, one of the biggest threats comes from DDoS (Distributed Denial of Service) attacks. One recent example managed to shut down 1,600 websites in the U.S. — including Twitter, Netflix and CNN.
An IoT ecosystem works through a centralized system that controls multiple inputs or devices, making it particularly susceptible to DDoS attacks, which were traditionally aimed at large networks of malware-compromised computers. Such an attack renders the device useless to its legitimate owner once it has been exposed to malware.
However, the negative impact is not limited to malware, as a user's privacy is also compromised. You only need to look at the consumer market to understand the impact a breach can have on an organization's reputation. The most publicized attack was the hacking of a baby monitor, in which a stranger was able to communicate with a toddler through the connected device, leading to a public backlash.
Putting a figure on the potential business impact of an IoT security breach is challenging, as much of the damage will be dependent on a company's existing reputation. However, one study estimates that nearly half of U.S. firms that use an IoT network have experienced a security breach, costing up to 13% of smaller companies' annual revenue.
With the introduction of the General Data Protection Regulation (GDPR) due in 2018, designed to strengthen EU consumer data privacy enforcement, we will see companies face large financial penalties for any breach of security that compromises an individual's data. Fines of up to 4% of global annual turnover or €20 million, whichever is higher, will force CISOs to reassess their security protocols within this growing IoT ecosystem. And it is not just European companies that should be concerned; any business that collects or stores data from a European consumer must take action.
To encourage IoT adoption, CISOs must first quantify the business benefits, as cited by 34% of IT professionals, and then evangelize and improve the understanding of IoT benefits (24%) and improve security (17%).
When considering the IoT and how to incorporate connected technology into a workplace security programme, CISOs must focus on detection as well as prevention. A detection-led approach that focuses less on ensuring every device on the network is secured, and more on spotting and remediating the attacks once they have penetrated the perimeter, can prove to be more effective.
Previous research found response times are critical; faster cyber attack detection can limit the business impact by up to 70%. CISOs can then apply analytics to understand the systems that have been compromised and what devices, users and attackers were involved.
In an age where mobile and IoT devices are bringing about a wave of transformation, they also create a seemingly intangible perimeter and challenging workload for CISOs. A detection-led approach will allow a CISO to understand the priority of alerts and create a manageable workload, while also realizing the full potential of the IoT.