The Internet of Things is a new frontier. Projected to surpass 50 billion objects by 2020 with the potential to boost the global GDP by $142 trillion, the Internet of Things (IoT) offers private consumers the ability to create app-controlled smart homes and offers businesses unprecedented access to real-time operational data monitoring, collection, and analysis. With the ever-evolving, demand-driven industry of IoT devices, technologies are being introduced faster than they can be protected.
For individual consumers, IoT security breaches have the potential to violate privacy, reveal personal information, and generally terrorize unsuspecting people by manipulating their home devices. On the industrial or business side of the IoT, the threat of a hack presents far more widespread consequences. Unsecured IoT devices present a perfect opportunity for hackers to wreak havoc by compromising operational and/or safety data being tracked by IoT devices, causing a distributed denial-of-service (DDoS) incident for customers (like the October 2016 Internet Outage), and accessing, compromising, or ransoming financial systems and data by using connected IoT devices to infiltrate the corporate IT firewall. It is becoming increasingly clear to private consumers and businesses that more focus should be dedicated to securing the IoT.
Manufacturers and consumers have focused on ease-of-use over security. The vast majority of IoT devices are designed with ease-of-use as the first priority, which traditionally means security must take a back seat. In the name of ease-of-use, many of these devices do not require a username and password reset at the time of setup, relying instead on a manufacturer-provided default username and password. These devices will remain actively connected to the internet without additional credential input indefinitely. These default settings are about as secure as having no password at all.
IoT devices often fall outside of the corporate IT cybersecurity structure. IoT devices are typically categorized as operational technology and therefore are managed by Operations departments. They are often excluded from the corporate IT strategy. When employees connect unsecured IoT devices to company-provided workstations, they inadvertently provide hackers a direct portal into a company’s secured IT environment.
Physical security is often impractical. In traditional IT security, physical security is one of the basic tenants. IoT devices may be spread all over the world, on oil rigs, or on remote sites, making isolation impossible. By nature, IoT devices are easily accessible, residing in common operational areas of businesses or common living areas of homes.
There is currently no “McAfee” equivalent. The average internet user knows it would be reckless to leave a computer vulnerable without the protection of antivirus software. However, this type of software has yet to be developed for most IoT devices. This means that not only are most of these devices unprotected, but that they’re also unmonitored. Devices could be hacked, and the end user would never know unless the hackers make their presence known. A potential solution would be for each manufacturer to develop security software for its own devices. But the IoT is made up of thousands of devices by thousands of manufacturers, and these companies do not have the expertise or motivation to develop this kind of software.
Inevitably, sufficient security measures will be developed, but these developments will take time. Until then, here are several ways consumers and companies can keep hackers at bay:
- Set strong usernames and passwords. The easiest way to secure IoT devices is to change factory default credentials to a strong, unique username and password. Some devices are difficult to change, and some offer no credential change functionality. If a device does not appear to offer a credential change option, contact the manufacturer to be sure. If in the market for a new IoT Device, the ability to change credentials should be a critical measure when choosing between products.
- Bring IoT Devices under the responsibility of IT. While Operations will remain the primary end users of industrial IoT devices, the security of these devices must be included in the corporate IT cybersecurity structure. Whenever possible, bring IoT devices behind the corporate firewall and ensure that IT tracks and deploys any updates provided by device manufacturers.
- Educate employees/users about IoT security. As in general cybersecurity, the greatest defense against hacking is a well-educated user base. By informing employees/users about the threat of IoT hacks and how they can prevent them through proper device setup and use, companies can minimize the risk of a hack occurring.
- Prioritize increased security features. End user demand will drive manufacturers to improve security features and software companies to develop an antivirus program for IoT devices. As long as consumers continue to purchase devices with no regard for their security, manufacturers will continue to produce status quo. If currently owned devices offer insufficient or no security features, consider upgrading to something newer and more secure. Consumers should continue to voice their security concerns in the marketplace, and when in the market for new IoT devices, it’s crucial to treat cybersecurity as a top priority.
As the technology community begins to unravel and understand the concept of protecting vast amounts of personal data, IoT users must remain vigilant about securing their own devices. Increasing dependence on internet-connected objects makes securing them a top priority. While alluring, the new frontier of the IoT could leave many people vulnerable.