The Internet of Things (IoT) has grown by leaps and bounds in just a short amount of time. With the creation of everything from smartwatches to Internet-connected washing machines, more and more appliances and electrical devices now connect in some shape or form to the Internet. These devices can do everything from boosting a company's productivity and slashing overhead to reducing energy spending within a home. The possibilities are endless, and businesses are expected to find new ways to use IoT devices over time. However, IoT devices may provide a backdoor into a corporate network for skilled hackers and cyber criminals. The weakest link defines the strength of network security, and oftentimes this weak link lies within an IoT device. Understanding the impact of IoT on cybersecurity should prove essential for any enterprise: while being hacked through a security breach in a light bulb may sound humorous, it is no laughing matter when confidential information and client financial documentation leak through this hack.
Brief Overview on the Internet of Things
The Internet of Things is any internetworking of a device that connects to the Internet in order to exchange data. This covers a wide range of devices, spanning from watches to computer programs, hardware sensors and a host of others. In modern terms, IoT devices are often called "smart" devices. So a smartphone, smartwatch or anything else with the tag "smart" on the front end of it generally is part of the IoT category.
Modern IoT has greatly evolved over the last year, as the Internet of Things now not only covers a number of unique devices, but many of these devices communicate in real time, provide in-depth analytical information and often learn on the fly. IoT dates back to the early 1980s, when researchers at Carnegie Mellon University created a vending machine connected to the Internet. The vending machine could relay information back upon request, indicating its stock, needed inventory and the current temperature of stored beverages.
Very little progressed in the early stages of IoT, as the Internet itself remained in its infancy and wireless Internet proved elusive on a consumer-grade scale. However, by the late 1990s, the concept of IoT began to pick up steam and now, according to research performed by Gartner, Inc. (2015), nearly 21 billion IoT devices will be in the marketplace by 2020.
The Three Categories of IoT
Just about any piece of technology that connects to a network (or cloud) and provides and receives data falls under the IoT umbrella. However, the Internet of Things should realistically be broken down into three smaller categories, as not all devices are the same. After all, a router is far different from an Internet-connected toaster oven. The three categories are: information technology, operational technology and smart objects (Cisco, 2015).
Information technology helps connect IP devices. This includes a wide range of devices, such as firewalls, mobile devices, printers, switches, routers and data center infrastructure.
Operational technology automates, controls, processes and monitors a network and includes hardware such as programmable logic controllers, process information systems and supervisory control and data acquisition (SCADA) systems.
The last category is smart objects. These devices report information and/or receive commands. This includes sensors and actuators. With built-in sensors, this category can also include everything from smart thermostats to smart refrigerators and coffee makers.
The Potential Cybersecurity Risks of IoT
The Federal Trade Commission doesn't generally interfere with the technological usage of companies within the United States. From time to time the government agency does issue recommendations, but for the most part, as long as technology has received approval, a company can utilize the tech as it sees fit (within established legal parameters). However, according to Wired (2015), the FTC did put out recommendations for companies using IoT devices in order to ensure the privacy of the American consumer.
In the report, the FTC covered the sheer volume of Internet-connected devices, stating a total of 25 billion objects (including computers) had the ability to connect to the Internet and collect, share and distribute data as programmed (this as of 2015, so the number has increased in the last two years). By working with industry leaders within the varying technological fields manufacturing IoT devices, the FTC created a security checklist for companies in order to boost security and safeguard the information they collect from consumers.
According to the FTC, companies should build security directly into IoT devices before implementing the hardware into the system. This way, instead of building security around the device, almost as an afterthought, the security is sound and can be tested ahead of time. This reduces the chance of possible misses in the firewall and security settings. When new hardware is brought into the fold it often becomes the target of hackers attempting to poke and prod for weaknesses. If security is not stable and sound out of the gate, it may open the entire network up to the outside. As Hewlett-Packard Enterprise (2014) uncovered, nearly 70 percent of all Internet of Things devices are vulnerable to external attacks, which simply outlines the need to build security into the device instead of around it, after the fact.
Security Protocols to Take to Reduce Potential IoT Cyberattacks
With such a high percentage of IoT devices posing possible security threats, identifying proper measures for safeguarding the technology and the network it connects to is vital. According to the same FTC report (2013), the agency recommends using a "defense-in-depth" approach. This means that, instead of releasing patches for the vulnerabilities of the device, an enterprise and its IT department must have some security measure in place.
To produce the "defense-in-depth" security measure, a company first needs to understand the device, how it works and how it connects to the network, and to pore over it for possible flaws and security issues. From there, essential firewalls and security systems must be written for each device. Consumers using personal IoT devices should receive timely patches to correct potential flaws on their side, while employees must receive appropriate training in how to use IoT devices and what sort of security measures must be taken in order to protect the corporate network.
Limiting the collection of data can reduce the chance of external threats hacking in and gaining access to the information. The creation of the cloud helped commercialize IoT devices, but it also put the hardware at greater risk due to the continual data communication between device and cloud. For a business collecting data, it is vital not to lump all devices into a single category and create blanket security measures. While blanket measures are better than installing patches after setting up the IoT hardware, they still leave cracks in the security wall.
The IoT has the ability to greatly improve your company's productivity, cut expenses and drive future projects for nearly every department. However, it is all for naught if proper security measures are not taken to safeguard these newly minted Internet access points. The Internet of Things may only make up a small percentage of data usage within a network, but every point of entry needs specific and often unique cybersecurity in place. When considering the implementation of any new IoT hardware, not only the impact on the company's bottom line but also the potential cybersecurity risks must be considered.