Over the past few years, smart devices have proliferated rapidly. Traditional IT management brings some level of uniformity and predictability—there are only a certain number of workstations, servers, and mobile devices a team needs to manage. But with the sheer number of devices gaining chips—from watches to speakers to refrigerators—teams have to adapt their security approaches.
Today, we’ll cover some challenges and solutions for protecting customers from vulnerabilities in internet of things (IoT) devices.
What counts as an IoT device?
For the purposes of this post, let’s refer to anything with a chip that connects to a network as an IoT device. This includes such things as smart speakers, watches, refrigerators, doorbells, and thermostats—plus many more. Odds are many workplaces have these devices in them—just consider the number of people with smart watches tethered to their cell phones. But with so many workers shifting to working from home offices, the devices that could potentially compromise sensitive corporate information have increased in number.
Attacks on these devices can bring devastating consequences. Researchers have found that, “57% of IoT devices are vulnerable to medium- or high-severity attacks.” Many of these attacks can be the launching point for lateral movement that leads to further compromises on networks. However, this shouldn’t lead to fear—there are simple steps you and your users can take to address the security threats IoT devices present.
Tips for IoT security
IoT devices rarely get the level of managed monitoring most other devices do. However, making sure these devices don’t infect your customers’ corporate resources often only requires a few simple steps.
- Awareness: Most users are at least somewhat aware their computers can catch viruses. Fewer think of the security flaws inherent in IoT devices (until they see a service they use end up on the news). A simple reminder to your customers and their users can go a long way. Remind them that if it contains personal data or can be used to eavesdrop on them, it needs to be secured. The goal isn’t to scare people; you simply want them to be aware enough to take common-sense precautions to reduce their risk.
- Passwords: Password security is absolutely crucial for IoT devices. Make sure to set strong passwords for any devices under management and advise your customers and users to set strong passwords as well. Often, users may forget their smart thermostat has a web application that can be broken into, so remind them to think of locking down any devices that connect to the internet.
- Multifactor authentication: Most IoT devices have web portal pages, mobile apps, or both. For example, Wi-Fi enabled scales or blood pressure monitors might allow you to log in and track your biomarkers over time or even share this information with your doctor. This leaves potentially sensitive health information open to attack. Having users turn on MFA gives them an additional check in the event someone tries to break into their account.
- Mobile app permissions: We’ve mentioned both web and mobile applications, but this warrants its own discussion. Like any other mobile application, users should be wary of giving the app too much access. A smart thermostat doesn’t necessarily need to track your location, for example, or have the ability to read/write to social media accounts. Remind users to be careful of the access they give to applications.
- Segment your network: The other tips rely on users pitching in and remembering to do the right thing. But you can still take steps to avoid needlessly exposing your customers’ networks. If there’s a device you can’t manage, put it on a guest network and only allow approved devices and users onto the main network. This can help prevent an IoT device from being the entry point toward your most sensitive data on the network.
- Update: All devices need to remain up to date with the latest software and firmware. You can handle this yourself for any managed devices, but it’s worth impressing the importance of this practice on your users as well.
- Keep your other layers strong: IoT devices are only one part of your ecosystem. Make sure to keep strong layers on other elements—from patching to endpoint protection to email security. Additional devices do give criminals extra access points, but the fundamentals still apply.
Protecting the internet of things
IoT devices are nothing new. Each device can have its own intricacies and levels of security. However, despite the added complexity you can still protect the wider network and company data with a few simple steps.
We mentioned the importance of password security in this article. As the number of devices and application grows, maintaining strong passwords can quickly become hard to manage. SolarWinds® Passportal is built to help you enforce password best practices across your own team. It can help your team automatically generate strong passwords, gain one-click access to accounts, and can even let you quickly grant or revoke access as needed. Learn more by visiting passportalmsp.com.