Interviews

IoT technology

by Mark Rowe

Simon Trend, CTO and COO at the IoT connectivity product company Wireless Logic, says that ‘you’re only as secure as your weakest point’.

IoT technology is a sector brimming with potential, with the capability to revolutionise a wide range of industries, especially as the world becomes increasingly interconnected. Covid-19 has accelerated the shift towards teleworking, and the swift adjustment of controls and changes to business processes that came with it have created gaps in security that can be exploited. In the case of IoT, the rapid increase in data fraud and advances in technology raise a number of questions surrounding security: what are the threats and vulnerabilities we should be aware of? How do we know our solutions are secure? And what are the steps that we need to take to minimise the risks?

Pre-empting threats and vulnerabilities

According to the recent 2020 Internet Organised Crime Threat Assessment from Europol, social engineering, ransomware and DDoS are the top threats, both in enabling cybercrime and in causing criminal damage to companies and institutions. The latter represents a particular challenge to IoT solution and network providers, because of the size and complexity of device networks and the potential attack surface that they offer. These threats are specific facilitators of malicious activity and require relevant controls and defences. Nevertheless, the root of any security vulnerability may lie at a much higher level.

Arguably, the biggest threat to a company investing in IoT technology is its own attitude and commitment towards security: a business is only as secure as its weakest point. More often than not, companies are left vulnerable to potential threats due to trivial oversights, such as weak passwords, poor controls, inadequate training or a lack of security awareness at the board table. As a result, it is always safer to assume that your business is not fully secure and that there is always more that can be done to improve safety standards. What’s more, in our experience, over 90 per cent of security attacks come through simple vulnerabilities such as failing to change default security settings for routers (at setup or after reset) or not locking down solutions to only enable the key network services that are required.

These gaps tend to come from simple process deficiencies: either established practices are not followed, or they are deviated from. Both can be controlled by the attitude of the organisation, when it treats security as one of its core values and objectives.

For companies wishing to improve IoT security, the first steps could be:

1. Commit to security at the highest level
2. Implement a zero trust policy – assuming that nothing is 100 per cent secure
3. Consider the security implications of even the simplest processes – where some of the most rudimentary

How do we know our solutions are secure?

Many providers offer free product vulnerability or attack information that allows engineers or security professionals to quickly identify how their solution is affected. One example is the free IoT security assessment provided by GSMA, which can be downloaded and provides up to 85 tips to help secure an endpoint solution or device. The UK CISP (Cyber Security Information Sharing Partnership) is also a trusted source of real-time security-related information that provides additional guidance to small and large businesses.

A good – and popular – step in fully identifying weaknesses within a business is to hire a company that will actively attempt to ethically attack and breach a network. Other methods include taking advantage of the free tools around email scamming. Ultimately, these tools add to the data and knowledge needed to mitigate security issues when handling IoT connected devices.

Steps you can take to minimise the risks

Invest in people and processes

As the main threat originates from the company’s own mindset towards security, it makes sense to invest in the people within your organisation, who understand the business and could benefit from training to handle data securely and build awareness of potential threats. The employee is sometimes left as the last line of defence when considering security controls and mitigations but should in fact be considered at every point in the process. Good companies listen carefully to employees who notice changes in behaviours or subtle errors in communications when identifying fraud or potential compromise.

The simplest and easiest way to do this is to appoint a senior leader of security matters and assign responsibilities clearly, whilst investing in formal security training and cross-company awareness programmes that continually improve and enhance the knowledge of all staff.

Armed with the right tools and processes, properly trained staff can significantly reduce the risks that stem from unprotected devices and new threats to the business. Certifications such as ISO 27001 can provide the reassurance that partner organisations are taking the issue of IoT security seriously, ultimately creating an ecosystem of secure data management and processing.

Standards and Services: additional layers of security

Ensuring all devices and solutions adhere to Secure By Design will provide fundamental layers of security that mitigate the risk of intrusion. Security By Design assumes that no device or network is 100% secure and that at some stage, a connected device or system could be attacked. For example, a key aspect within cellular IoT solutions is to implement fundamental secure networking to and from devices. First and foremost, opt for mobile devices that allow secure and encrypted connectivity through a private network so that no security measures can be compromised. Secondly, using a private APN for connectivity will overcome a lot of vulnerability issues by keeping the data on private networks, and is a security measure that has been tried and tested. However, for mobile devices to operate safely in IoT, they must be hardened against vulnerabilities both locally and remotely, and be continuously monitored for unusual activity such as changes in location. These are two key considerations that solution providers need to keep front of mind.

IoT technology may have the potential to benefit many industry sectors, but security should always be a company’s first priority. IoT technology is constantly developing, and businesses should be evolving and testing their own security to keep up with new and increasingly sophisticated hacking techniques. Having the correct mindset towards handling security, as well as identifying the weakest points, is key to ensuring all potential vulnerabilities are accounted for. Investing in your people and providing them with the right processes is critical as IoT continues to advance.


© 2024 Professional Security Magazine. All rights reserved.
