One of my favorite quotes from a past life: There is never time to do it right. But there is always time to do it again.
IoT is like that.
As businesses rush at breakneck speed to do something cool with IoT, they are repeating past mistakes and not considering security. Given that the “S” in IoT stands for Secure (there isn't one), think back to the early days of Windows 95, or maybe even Windows 3.1. That is where we are in terms of IoT security.
According to a DigiCert report:
Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years.
Survey respondents were grouped into three tiers:
- Top-tier: Enterprises experiencing fewer problems and demonstrating a degree of mastery mitigating specific aspects of IoT security.
- Middle-tier: Enterprises scoring in the middle range in terms of their IoT security results.
- Bottom-tier: Enterprises experiencing more problems and much more likely to report difficulties mastering IoT security.
Every single bottom-tier enterprise encountered an IoT security-related incident in the last two years.
In general, those bottom-tier enterprises were:
- More than six times as likely to have experienced IoT-based Denial of Service attacks
- More than six times as likely to have experienced Unauthorized Access to IoT Devices
- Nearly six times as likely to have experienced IoT-based Data Breaches
- 4.5 times as likely to have experienced IoT-based Malware or Ransomware attacks.
Where did those $34 million in costs come from?
- Monetary damages
- Lost productivity
- Legal/compliance penalties
- Lost reputation
- Stock price declines.
So, given this, what should you be doing?
Make sure that any device you connect is being actively supported by the vendor with security patches, and will be for as long as you plan to own the device. Get the end-of-support date in writing before you buy.
Encrypt all data, in transit and at rest, but especially sensitive data.
Use micro-segmentation when designing the network. Isolate IoT devices from each other and from the rest of the network, and let each device reach only the specific services it needs.
Since updates are likely done over the air via WiFi, make sure the update path is secure: images should be verified before they are installed, and no single credential should be shared across an entire product line. Aruba, for example, was called out this week for using the same password to update the firmware on every device it shipped in a particular set of models.
Always authenticate actions. A device that accepts any command arriving on its network will eventually receive one from an attacker; don't assume the bad guys won't find you.
Design to scale up for what you think you might do in the future. It is much easier to design that way now than to redesign it later.
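To make the update and authentication points above concrete, here is an added example (not code from the original post or from any vendor) of how a device can check an over-the-air firmware image before installing it. The manifest format, the device serials and the master key are constructed for illustration. It uses a per-device HMAC key derived from a vendor master secret, so a key pulled from one unit cannot authorize updates for the rest of the fleet, which is exactly the property a single shared update password lacks. In production an asymmetric signature (for example Ed25519) is the better choice, because then no signing key has to exist on the update server in a form that unlocks any device; HMAC from the standard library is used here only so the example runs with no third-party dependencies.

```python
"""Verify an over-the-air firmware update bound to a single device.

Constructed example. The manifest layout, serial numbers and master key
are assumptions made for illustration, not any vendor's real format.
"""
import hashlib
import hmac
from typing import Tuple

# Hypothetical vendor master secret. On a real update server this lives in an
# HSM or KMS; it is never provisioned to the devices themselves.
MASTER_KEY = b"vendor-master-secret-constructed-for-example"


def device_key(master: bytes, serial: str) -> bytes:
    """Derive a per-device update key from the master secret and the serial.

    Each unit is provisioned with only its own derived key at manufacture, so
    compromising one device does not yield a credential valid for any other.
    """
    return hmac.new(master, b"fw-update|" + serial.encode(), hashlib.sha256).digest()


def build_manifest(master: bytes, serial: str, version: int, image: bytes) -> dict:
    """Server side: produce an update manifest for one device and one image."""
    digest = hashlib.sha256(image).hexdigest()
    payload = f"{serial}|{version}|{digest}".encode()
    tag = hmac.new(device_key(master, serial), payload, hashlib.sha256).hexdigest()
    return {"serial": serial, "version": version, "sha256": digest, "tag": tag}


def verify_update(serial: str, key: bytes, current_version: int,
                  manifest: dict, image: bytes) -> Tuple[bool, str]:
    """Device side: decide whether to install an image.

    Order matters: authenticate the manifest first, then apply policy to the
    now-trusted fields (device binding, anti-rollback, image integrity).
    """
    payload = f"{manifest.get('serial')}|{manifest.get('version')}|{manifest.get('sha256')}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
        return False, "authentication tag invalid"
    if manifest.get("serial") != serial:
        return False, "manifest is for a different device"
    if int(manifest.get("version", 0)) <= current_version:
        return False, "rollback or replay of an older image rejected"
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image digest mismatch"
    return True, "update accepted"


if __name__ == "__main__":
    # Constructed stand-in for a firmware image.
    image = b"\x7fELF constructed firmware image"
    manifest = build_manifest(MASTER_KEY, "SN-0001", 2, image)

    # The intended device, currently on version 1, accepts the update.
    print(verify_update("SN-0001", device_key(MASTER_KEY, "SN-0001"), 1, manifest, image))
    # The same manifest replayed at another unit fails: its key differs.
    print(verify_update("SN-0002", device_key(MASTER_KEY, "SN-0002"), 1, manifest, image))
    # Bumping the version without re-signing fails the tag check.
    print(verify_update("SN-0001", device_key(MASTER_KEY, "SN-0001"), 1,
                        dict(manifest, version=3), image))
```

The version check is what stops an attacker from pushing a validly signed but older, vulnerable image back onto a patched device, and the digest check catches an image swapped after the manifest was signed. Note that with symmetric keys the server can impersonate any device's update authority; that is acceptable only if the server itself is well protected, which is why signatures are preferred once the device has the resources to verify them.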
These are just a few things to consider; there are many more, but do consider the matter before you deploy the devices.
Information for this post came from Help Net Security.