Contributed by Gary Gardiner, Head of Security Engineering, APAC & Japan, Check Point Software Technologies
The Internet of Things (IoT) has been a blessing for enterprises. It can make employees more productive and enable crucial business processes to run more smoothly, intuitively, and efficiently.
Yet, the same technology can also make your enterprise more vulnerable. IoT building-security startup Verkada is a clear example of this. It was hacked in 2021, exposing footage from over 150,000 connected surveillance cameras belonging to 95 customers.
This post will explore the most common use cases for IoT in the enterprise, along with some of the biggest vulnerabilities it creates. We’ll then explore three ways you can keep your IoT-connected enterprise productive while staying safe from threats.
The vast range of enterprise IoT
At this point in the game, it’s impossible to imagine giving up IoT, as it’s become a must in every enterprise environment. Most IoT technology in an enterprise setting falls into one or more of three categories:
- Smart-building technology: Elevators, thermostats, HVAC systems, smart-lighting hubs
- Smart office technology: Badge readers, cameras, routers
- Smart business technology: Conferencing equipment, smart TVs, smart boards, virtual assistants like Alexa
While these devices are certainly useful, they also create weaknesses in your carefully planned network security.
For example, in the Verkada breach, the hacked surveillance cameras gave the attackers inside views of facilities including prisons, schools, companies, and even car manufacturer Tesla. Verkada had previously claimed its systems were "virtually unhackable," yet investigations after the fact revealed a lax, unprofessional corporate culture that should have raised some red flags.
The Verkada breach is nothing unique; in fact, too many situations like this have recently come to light. The important message here is that you need to understand the innate flaws in IoT security so that you can take steps to protect your own enterprise’s sensitive data.
Why IoT is innately vulnerable
As the Verkada incident highlighted, IoT devices come with a few intrinsic flaws that make them unacceptable as a security risk:
- Lack of standardisation creates a hodgepodge of devices
- Weak security approach, including flimsy or nonexistent passwords
- Outdated and unpatchable architecture, firmware, software
- Larger number of devices expands the attack surface and opens up the possibility of a botnet campaign
As a result, it’s all too easy for hackers to gain access to these devices and either wreak havoc with the IoT devices themselves, or move laterally to harm mission-critical systems and steal the personally identifiable information (PII) of customers or employees, intellectual property, or other assets. Hackers may also gain control over the network and hold it for ransom.
Their latest trick? Combining these strategies in double extortion attacks that promise even more lucrative payoffs.
In general, vendors build and sell IoT solutions based on functionality and ease of use, often rushing products to market to beat the competition without looking at the security big picture.
Originally, they may have assumed hackers wouldn’t bother with these "inconsequential" devices, but it’s clear today that there’s big money in ransomware and the sale of enterprise IP – both nightmare scenarios for most enterprises.
We’re not saying you have to stop using IoT in your enterprise. It’s too late for that. Besides, you don’t want to lose the benefits. Instead, let’s look at three simple ways to boost your enterprise’s IoT security.
How to properly secure IoT devices
As we’ve seen, IoT can be a weak link in your security. But that doesn’t have to be the case. Once you’re aware of the many issues surrounding IoT security, it can help to begin with a free IoT security checkup and assessment report, which easily detects and identifies devices connected to your network and analyses their associated risk. This way, you can start mapping out your enterprise’s top priorities when it comes to preventing attacks.
Beyond this, here are three best practices to follow to defend your organisation against attacks initiated through or by taking advantage of compromised IoT devices:
1. Smarten up your passwords
Most organisations use the weak default passwords that come with their IoT devices. That’s not laziness; it’s often hard to change the passwords both because of the sheer number of IoT devices you have to manage and because the interface is usually unclear or hard to use. Ideally, each device should have its own secure password so that even if an intruder gains access to a single device, their potential to do damage is reduced.
Buying tip: When investing in new IoT devices, make sure it will be easy to change passwords from time to time.
2. Apply all possible patches
IoT hardware comes and goes quickly. That leaves an uneven patching landscape in which manufacturers may go out of business or devices may reach end-of-life quickly. A software or firmware patch may be available for certain devices, especially now that a few high-profile IoT-based attacks have made the news and some manufacturers are smartening up and releasing patches.
Buying tip: When choosing new IoT devices, ensure that the manufacturer has built in a reasonably easy-to-implement patch capability.
3. Move toward Zero Trust
Many organisations today are moving toward a "zero-trust" model centred on the principle, "Never trust. Always verify." In this model, each user is verified before being given access based on the principle of "least privilege," i.e., only for legitimate business purposes. This can prevent lateral attacks even if an intruder breaches your network. Network segmentation is another way to block untrusted users from moving laterally through your organisation.
Buying tip: For all new IoT devices, make sure you choose products that can support a zero-trust network architecture.
Toward better, tighter standards
It’s no secret that most IoT devices represent security breaches just waiting to happen, and the landscape is changing. In December 2020, the United States passed the IoT Cybersecurity Improvement Act demanding better, tighter standards for IoT devices. This is an important step, acknowledging the serious threat these devices pose.
However, even important legislative actions like these are too late for most enterprises, as they are already using IoT from unregulated vendors. They may not even be aware of what IoT devices are in their environment.
Obviously, when you’re buying new devices, it’s essential to choose vendors you trust and that are known for putting security first. When it comes to the devices you already have, it’s not too late to secure them.