According to a recent study from Ponemon Institute that surveyed 16,450 IT and IT security professionals working in mobile and Internet of Things (IoT) security, only 30 percent of respondents said their organization dedicates an appropriate amount of budget to secure mobile applications and IoT devices. As the number of IoT endpoints skyrockets, this low attention to security is a significant concern. While the data generated by IoT devices can create great value for businesses, it also represents a growing treasure trove for cyber criminals.
You can reduce your exposure to IoT security risks by following the best practices discussed below:
If security is not prioritized in the initial design, it will be more difficult to integrate later in the process. Identifying potential threats early in the design stages allows you to proactively reduce liabilities and be better prepared if a breach occurs.
As you are building an IoT application, weave security into every aspect of its design. Assign at least one member from the development team to be focused on security, and, if possible, have that person complete an industry-standard security certification. Also, establish protocols for internal security and regular testing, and update future guidelines based on those findings.
Many IoT devices transmit some degree of confidential or personal information. Some examples include patient information (in the health-care industry), credit card numbers (for retailers) or Social Security information (with financial services organizations). Data encryption changes information so that it is unreadable to threat actors that may be eavesdropping on the connection.
To sufficiently protect data in transit, at a minimum it is critical to deploy a site-to-site VPN tunnel from the IoT operator network to the back-end server's network. Doing so enables encrypted data transmission across the most vulnerable segment of the network path. That said, even when the VPN tunnel connects two trusted networks, it is still important to enforce strong authentication on the endpoints, because the tunnel alone offers no protection if a device or the channel itself is compromised.
Your network is only as secure as your weakest partner or link, so make sure each link meets or exceeds your security standards. A vast number of IoT applications rely on cellular connectivity, and this often involves three network connection partners:
• The mobile network operator (MNO)
• The IoT network operator
• The internet service provider (ISP)
If any of these third-party network providers do not meet security requirements, your data is at risk. It is crucial to vet partners to ensure they employ the most up-to-date protocols and technology, so be sure to conduct due diligence regarding proficiencies in the following areas:
• Intrusion prevention systems (IPS)
• Distributed denial-of-service (DDoS) defense systems
• Security patch and update processes
• Firewall models
• Real-time network operations monitoring
• Incident response
Who can access your data and systems? In some instances, confidentiality is far less important than access control. An example use case is an IoT application that locks or unlocks your car door: no confidential information is being shared, but you would not want unauthorized parties to operate this system.
Understanding who has access to your data or systems is not always as easy as it seems. Employees may leave the company, be promoted or transfer to other divisions, yet often retain access rights that should have been changed or revoked. It is critical to keep privileges up to date to avoid unauthorized access, whether unintentional or otherwise.
Do you know when a security breach has occurred on your network or IoT device? If so, how soon will you be notified? Even the strongest preventive security systems aren't foolproof. Statistically, every organization will likely experience a security breach of some degree, regardless of precautions. The key is to keep the potential damage as small as possible. Early detection of an event allows for a quicker response, thus reducing the risk of malicious use.
When a breach occurs, time is of the essence. As soon as something goes wrong, you should know about it, because every minute that passes can be costly. Make sure that back-end applications have the ability to log abnormalities. Partnering with an IoT network operator that provides alerting tools for fraud detection and prevention can give you more rapid insight into potential problems. Your internal teams should also monitor data logs and create automatic alerts for signs of compromise as an extra layer of security.
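As an added illustration of the monitoring advice above (example code, not from the original article), the following Python routine scans constructed back-end log lines for two signs discussed on this page: repeated authentication failures from one device, and device traffic that did not arrive through the operator network's VPN tunnel. The log format, the operator network range and the failure threshold are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample back-end log lines (not from any real system); the format
# "<ts> device=<id> src=<ip> auth=<ok|fail>" is assumed for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z device=meter-0001 src=10.20.0.15 auth=ok
2024-01-01T10:00:05Z device=meter-0002 src=10.20.0.16 auth=fail
2024-01-01T10:00:06Z device=meter-0002 src=10.20.0.16 auth=fail
2024-01-01T10:00:07Z device=meter-0002 src=10.20.0.16 auth=fail
2024-01-01T10:00:09Z device=meter-0003 src=203.0.113.44 auth=ok
2024-01-01T10:00:12Z device=meter-0001 src=10.20.0.15 auth=ok
"""

# Assumption: devices on the IoT operator network reach the back end through the
# site-to-site VPN tunnel from this range; traffic from elsewhere bypassed it.
OPERATOR_NET = ipaddress.ip_network("10.20.0.0/16")
FAIL_THRESHOLD = 3  # repeated auth failures from one device that trigger an alert

def parse_line(line):
    """Parse '<ts> device=<id> src=<ip> auth=<ok|fail>'; return None if malformed."""
    tokens = line.split()
    fields = dict(t.partition("=")[::2] for t in tokens[1:])
    try:
        return {"device": fields["device"], "auth": fields["auth"],
                "src": ipaddress.ip_address(fields["src"])}
    except (KeyError, ValueError):
        return None

def detect_alerts(log_text, operator_net=OPERATOR_NET, fail_threshold=FAIL_THRESHOLD):
    """Return alerts for repeated auth failures and traffic outside the tunnelled net."""
    alerts, failures, flagged_outside = [], Counter(), set()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            # A line the back end cannot parse is itself worth a look.
            alerts.append(f"malformed log line: {raw!r}")
            continue
        if entry["auth"] == "fail":
            failures[entry["device"]] += 1
            if failures[entry["device"]] == fail_threshold:
                alerts.append(f"{entry['device']}: {fail_threshold} repeated auth failures")
        if entry["src"] not in operator_net and entry["device"] not in flagged_outside:
            flagged_outside.add(entry["device"])
            alerts.append(f"{entry['device']}: traffic from {entry['src']} outside operator network")
    return alerts
```

In practice the thresholds and address ranges would come from the deployment's own configuration, and the alerts would feed the automatic alerting described above rather than a returned list.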