The internet of things (IoT) has changed the way people interact with technology. When IoT technology emerged around 2008, no one could have predicted that smart refrigerators would become as ubiquitous as smartwatches. Over 20.4 billion connected devices will be in use by 2020. Consumers trust the internet with their health, banking, scheduling, grocery shopping, and more.
With statistics like these, it’s no surprise that many industries want to take advantage of this explosive trend. In fact, the global IoT market is poised to reach or surpass $318 billion by 2023. However, there is more to IoT than simply equipping a device with “smart” capabilities. Anything that interacts with an external network must be protected from unauthorized access. As a managed services provider (MSP), IoT devices mean more access points and potential vulnerabilities to consider within your customers’ organizations.
What is security in IoT?
IoT security is concerned with securing IoT devices and the businesses that run on them. Each IoT device is equipped with a unique identifier that automatically transmits data across the network. IoT devices require special security precautions because interacting with a largely unsecured external network leaves them vulnerable to cyberattacks.
Why is security important to IoT?
IoT security is important because many critical functions are entrusted to connected devices, and a sophisticated attack could easily lead to disastrous consequences. For example, on a smaller scale, hackers could gain entry to a smart-house by remotely disabling the security system. On a larger scale, hackers could gain control of utility grids and shut down electricity in a building or even a neighborhood.
The primary reason companies struggle with securing IoT is that in their rush to get IoT devices to market, IoT device vendors may forgo security. Building in IoT security protocols from the beginning would be expensive and more labor-intensive, plus it might compromise the capabilities consumers want most. As a result, companies are forced to deal with devices with fewer built-in security considerations.
Most IoT devices have password authentication and basic security protocols, but that’s not enough. Since IoT devices are so specialized in size, scope, and complexity, many standard PC security solutions won’t work. The methods of network security that MSPs and companies are most familiar with—like firewalls or intrusion software—are built for brick-and-mortar IT infrastructures, not necessarily IoT protocols.
Internet of things cybersecurity is also difficult to implement for five major reasons:
- Not enough resources to create a strong IoT security defense: Connected devices are often configured to execute one core process, and there just isn’t enough computing power devoted to securing IoT.
- “Set it and forget it”: IoT devices typically go unpatched and update once they are turned on.
- Lack of established IoT security standards: Without a formal infrastructure or framework, the security standards in IoT devices are left up to individual manufacturers.
- Reliance on default credentials: Connected devices only work out-of-the-box if they use stock credentials, which are easily guessed by hackers. Similarly, IoT devices are usually produced en masse—if you can hack one, you can hack them all.
- Long product lifespan: IoT devices remain in circulation for 15 to 20 years. Due to this long lifespan, they simply won’t be able to keep up with advancing security standards without updates.
For these reasons, IoT devices are often left undefended and are easily exploited by bad actors. Security researchers found that cyberattacks on IoT devices have jumped to 2.9 billion events per period so far in 2019, three times higher than in recent years. Some of these attacks are levied against the devices themselves, but cybercriminals are more likely to target lapses in IoT device security because they can be used as backdoor entry points into larger networks.
What should you do if you have IoT devices?
An IoT security solution’s primary functions should be to protect IoT devices from data breaches and cybersecurity attacks, establish secure communications, and ensure that firmware has not been tampered with.
Securing IoT devices can be challenging, but there are a few things every MSP should do in order to protect sensitive information and build customer trust. The following steps should be considered the foundation of IoT security best practices:
- Create a separate network: Set aside a private network that can only be accessed by authorized employees.
- Advise clients to choose complex passwords: When setting up security protocols for your customers, stress the importance of creating passwords that would be hard for hackers to guess or decode.
- Refrain from using Universal Plug and Play (UPnP): A UPnP tool makes it easier to automatically discover and connect with devices within a network. Unfortunately, hackers can piggyback on UPnP to gain access to more critical devices.
- Routinely track and assess devices: Know the location and status of all IoT devices at all times. Also, although the IoT trend is enticing and offers many advantages, MSPs and their customers should still carefully consider how many devices actually need to be IoT-enabled. Limiting the number of hackable devices you use limits opportunities for attacks.
- Engage in IoT security lifecycle management: MSPs should think of securing IoT devices as a continuous cycle. IoT security measures must be researched, implemented, updated, and analyzed frequently to keep up with ever-changing threats.
MSPs must also factor in risk of attack, associated costs of IoT security failure, and the up-front costs of implementing an IoT network security solution in their planning.
How secure are IoT devices?
The short answer is IoT devices are as secure as their manufacturers make them. All technology is vulnerable to cyberattacks to a certain extent, so it would be unfair to paint IoT devices as inherently less secure than their counterparts.
That being said, IoT devices are at higher risk of being hacked than smartphones or computers. Although connected devices frequently traffic in sensitive information, the everyday user doesn’t really consider their smart device a security risk.
To mitigate this risk, Congress recently reintroduced the Internet of Things Cybersecurity Improvement Act, which aims to make IoT devices more secure in the future by establishing IoT security standards. If it passes, any IoT devices sold to the US government must be patchable, secure, and configurable. Although this bill only covers government devices, it still shows a commitment to improving IoT security technologies.
When MSPs bring IoT security to the forefront of their customer strategy, their customers can then confidently focus on what IoT was built to do—analyze more precise data, improve the overall quality of service, and enhance customer engagement.
For more information about IoT security, read through our related blog articles.