IoT for its own sake is causing needless security headaches

Jan 23, 2018 | 5 mins
Data and Information Security, Internet of Things, Privacy

CSOs should carefully consider whether every IoT device is necessary, or if the benefit versus risk balance is incorrectly weighted.


Imagine starting the working day by activating the lights via a mobile app, swiping your desk to log in and remotely firing up the coffee machine. For many, this futuristic fantasy is reality as the Internet of Things (IoT) gains popularity.

But is such hyper-connectivity a good thing?

Companies are excited by the potential of IoT to streamline operations. By 2020, more than 7 billion business devices are due to be connected, equal to 10 corporate devices for every person on the planet. Yet smart tech does not always add value. By using the IoT for its own sake and connecting everything to the web, companies are building numerous, and possibly weak, links in the network chain that could pose a threat to cyber and physical security.

CSOs have a tough task. Managing the IoT successfully means carefully balancing the efficiencies connected gadgets offer against the risks they bring.

Risk and reward: is the IoT worth it?

To keep up with digital transformation, companies are spending ever-expanding budgets on connected devices. In fact, within two years, the value of the B2B IoT market is expected to reach almost $1.5 trillion.

On the one hand, this serves the needs of increasingly mobile workforces, especially remote employees, as greater connectivity can fuel productivity. Take, for example, the use of interactive touch walls to enable better concept creation, or smart desks to highlight when individuals should take rest breaks for optimal long-term performance. However, this can also threaten network safety.

Let us explore the top two danger areas: 

1. Service disruption

Companies often invest in the IoT because it enhances operational efficacy at scale. For instance, use cases might include the adoption of intelligent shipping containers to avoid wastage of perishable goods, IoT monitoring that aligns manufacturing activity with demand, and smart grid technologies that control core utilities such as electricity, gas, and water.

But the problem with making services dependent on IoT is that it amplifies the impact and reach of cybercrime. By exploiting a single vulnerability, hackers can bring entire transport, energy supply, and food delivery systems to a halt. 

We do not have to look far to find an example of how damaging such attacks can be: the Mirai botnet attack. Launched in 2016, Mirai was the largest distributed denial-of-service (DDoS) hack in history, taking down several major websites, including Twitter, CNN and Netflix, and proving that devices performing basic functions can become a gateway for attackers. After all, the crux of Mirai was malware that identified and infected a range of common IoT devices and turned them into a springboard for infiltrating bigger systems.

More recently, it has been discovered that IoT flaws can affect security in the real world too: late last year, research revealed that gSOAP, code used in multiple security cameras and access card readers, can be hacked, allowing criminals to disable and control devices.

2. Data privacy

Data is the driving force of IoT devices, allowing them to communicate with each other and enable joined-up delivery of services. But the sensitive insights they gather about companies and customers make them a prime target for criminals, and a vast data security risk, if not adequately protected.

For example, healthcare manufacturer Philips was recently caught off-guard when a customer highlighted that its DoseWise Portal, a web application that tracks radiation doses using portable devices, contained vulnerabilities. By exploiting errors such as unencrypted patient credential storage, a hacker could enter the system and obtain critical personal data. Moreover, this issue extends far beyond medical gadgets; in 2016 BlackBerry discovered that even a tea kettle, when linked to a company network, could be a vehicle for tapping into company communications.

Addressing the pitfalls of IoT

With the potential to jeopardize network security, data, and physical assets, it is clear that all IoT projects should be scrutinized ahead of implementation. Indeed, IoT precautions are so crucial they have come to the attention of the Senate.

Last summer, a bipartisan group of Senators proposed a new bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, created to introduce a minimum standard for any connected device the government purchases. More specifically, the bill contains strict rules for vendors, including requirements relating to removal of known vulnerabilities, simple patching of devices, breach notification, and adequate data encryption.

Nevertheless, while checking devices at the point of manufacture is undoubtedly a wise move, it is not enough to keep IoT tech secure. The fact is: modern networks are too fragmented, vast, and edgeless for all threats to be eliminated before they reach the fence — so, even if devices are clean when they leave the shelf, they could still be infected if and when hackers break in.

Consequently, there is a need for CSOs to shore up their internal defenses with a model that focuses on detection as well as prevention. By deploying a platform that continuously monitors every device in company networks to identify hackers who have already made it over the wall, CSOs will significantly increase the chances of stopping attacks before they are launched. They will also save resources formerly allocated to running different security systems for every device type, from mobile to PC, that frequently fail to halt threats.

None of this, however, is to say that IoT equipment does not have advantages for businesses. According to some estimates, the industrial IoT alone could contribute $14.2 billion to global output by 2020.

Rather, the key point is that CSOs should carefully consider whether every IoT device is necessary, or if the benefit versus risk balance is incorrectly weighted. Only after assessment of costs, hazards, and benefits should IoT devices get the green light, and after that they must be constantly analyzed by detection tools to ensure any hackers that infiltrate them do not have the opportunity to do any harm. That includes the smart coffee machine.


Kirsten Bay is President and CEO of Cyber adAPT, a Gartner 2017 Cool Vendor.

Throughout her 25-year cyber security career, Kirsten has sat on a United States congressional committee developing cyber policies, initiatives and recommendations for the intelligence community. She has also collaborated on information studies for MIT-Harvard and several federal agencies. In the UK, she has contributed her insight to a parliamentary subcommittee on recreating trust in the global economy.

Kirsten founded Cyber adAPT in 2015. Cyber adAPT secures every segment of the digital enterprise, finding more attacks more quickly than alternative approaches. Its patented detection platform, skwiid, monitors network traffic in real-time, detecting threats between mobile devices, IoT connections, cloud services, and the core network.
