Why Securing Your IoT Device Has Never Been More Important

Ian Marsden -
security fingerprint on lock
Illustration: © IoT For All

In its analysis of the impact of COVID-19, consultancy McKinsey calculated that digital transformation programs accelerated by seven years in just a few months to meet customer demand. This, in turn, has fuelled growth in IoT. Today, we’re seeing IoT finally come of age as enterprises move from experimentation to understanding how to deploy IoT.

Security of Device Cited as the Biggest Hurdle to Overcome

Research shows that organizations reap multiple benefits by embarking on IoT projects, including entering new markets and launching new product lines to disrupt business models and markets. However, while businesses can reap impressive benefits from IoT, adoption is not without its challenges. Again, in our research, over one-third of our survey respondents (39 percent) said the device’s security and the environment was the biggest hurdle they had to overcome, and 35 percent said that device onboarding and cellular connectivity had proved difficult.

So why is IoT security so problematic?

For a start, each connected device represents a potential breach point for enterprises. As the number of devices rises exponentially, this invariably means there is a more complex ecosystem to manage, which leads to increased security vulnerabilities. The first thing to ensure is that the organization has visibility of these devices – you can’t accurately assess potential dangers to the network until you understand what could be causing it. Also, many organizations don’t prioritize IoT security and don’t realize the risks until it is too late. Furthermore, the pandemic has made threats more sophisticated and widespread.

Let’s take the manufacturing sector as an example. One of the significant issues with their IoT environments is that even routine security maintenance can prove onerous. Typical security problems encountered include weak password protection to insecure interfaces, poor IoT device management, insufficient data protection, and a general lack of regular patches and updates – especially in highly dispersed environments. As a result, there is a laissez-faire approach to patching and software updates for fear of shutting down the production environment, with uptime taking priority.

This is a high-risk approach. Additionally, manufacturing IoT environments are no longer safely air-gapped and instead are connected to corporate and cloud networks, creating a large and lucrative attack surface for cybercriminals intent on either disrupting production or stealing data for espionage. Unfortunately, compromised IoT devices can be used to move laterally into corporate networks to access and exfiltrate confidential data.

Security Seen as an After-Thought

A recent report conducted by IDC reveals that the rush to deploy new digital technologies often comes without the right security measures in place. There are often vulnerabilities around the security of new IoT infrastructure and gaps in protecting legacy systems that may connect to more open environments.

Additionally, a study published in July 2020 analyzed over five million IoT, IoMT (Internet of Medical Things), and unmanaged connected devices in healthcare, retail, and manufacturing as well as life sciences. It revealed several vulnerabilities and risks across a diverse set of connected objects and found that:

• Up to 15% of devices were unknown or unauthorized.
• 5 to 19% were using unsupported legacy operating systems.
• 49% of IT teams were guessing or had tinkered with their existing IT solutions to get visibility.
• 51% of them were unaware of what types of smart objects were active in their network.
• 75% of deployments had VLAN violations.
• 86% of healthcare deployments included more than ten FDA-recalled devices.
• 95% of healthcare networks integrated Amazon Alexa and Echo devices alongside hospital surveillance equipment.

There’s no denying that IoT security is complicated, but professionals in the field should understand best practices for efficient risk assessment and mitigation.

Security Breaches Can Cause Severe Financial, Reputational, and Brand Damage

Most IoT products are developed with ease of use and connectivity in mind. They may be secure at purchase but become vulnerable when hackers find new security issues or bugs. If they are not fixed with regular updates, the IoT devices become exposed over time. Losing connectivity or access to a device due to a cyberattack is an increasingly growing IoT threat. These events can be financially devastating, reputation destroying and brand damaging, causing widespread collateral loss to an organization’s bottom line.

Ultimately, organizations need to develop and execute a strategy to mitigate risks, protect the business, and build confidence in IoT initiatives. It’s, therefore, our recommendation that IoT devices are secured out of the box without having to deploy agents or additional hardware.

In today’s dynamic environment that demands reliable and ubiquitous mobile and remote device connectivity, it is essential for organizations with devices deployed worldwide and across various mobile network operators (MNOs) to ensure operational resilience and business continuity. The knowledge from agentless device security platforms, such as Armis, provides granular device details and behavioral insights in real-time to trigger faster, more effective detection and response to security incidents. Building this into the IoT tech stack as part of a managed service is critical to ensure that IoT devices are protected against increasingly sophisticated cybersecurity threats.

Security by Design

In summary, we advocate that security is considered at the very beginning of the design process, with the proper expert knowledge mobilized as early as possible. The later the process of assessing, testing, and hardening IoT solutions is left, the more difficult and costly it is to get it right. Worse yet, discovering critical weaknesses or inadequate contingency plans only after a breach has happened can be more expensive still. Therefore, companies should build security in and adopt a security by design approach to properly secure their IoT devices and be confident about current and future initiatives.

The good news is that 86 percent of our survey respondents said IoT is a priority for their business, and 49% are planning further IoT projects in the next couple of years. In fact, by 2026, industry predictions point to more than 26 billion connected devices in the world. It’s a vast opportunity, but it also brings vast risks, especially with the exponential growth in cyber threats. Frequently designed without security, IoT devices have become a new threat vector for bad actors to use when launching attacks.

Therefore, keeping IoT devices secure and ensuring the data they hold isn’t compromised has to be a top priority for any IoT initiative to succeed. IoT security cannot be an afterthought or an add-on. Security must be built in from the beginning, and reliable infrastructure for the IoT device should be maintained throughout its lifecycle.

Author
Ian Marsden - Chief Technical Officer, Eseye

Contributors
Eseye
Eseye
Eseye empowers businesses to embrace IoT without limits. We deliver innovative IoT cellular connectivity solutions that help our customers drive up business value, deploy differentiated experiences and disrupt their markets.
Eseye empowers businesses to embrace IoT without limits. We deliver innovative IoT cellular connectivity solutions that help our customers drive up business value, deploy differentiated experiences and disrupt their markets.