Five first steps firms can follow to bolster IoT security
The Internet of Things (IoT) is one of today’s most promising business technologies, but it carries some unique risks.
IoT devices are infamous for lacking built-in security measures. According to cyber security vendor SonicWall’s latest Cyber Threat report, there were 57 million IoT malware attacks in the first half of 2022, a 77% increase over 2021’s figures.
Legislation in the works, such as the UK’s Product Security and Telecoms Infrastructure Bill, is aiming to make these devices more secure. And, in time, the industry will adapt to produce more secure devices as the IoT’s security shortcomings become more widely publicised.
Until this happens, however, and even after, enterprises must ensure they follow cyber sec best practice to minimise vulnerabilities.
To start with, these five steps to keep your organisation’s IoT systems and any data it works with secure, are recommended.
Implement stronger access controls
Many IoT devices ship with weak default passwords, so changing these is one of the most important steps in securing the IoT. You should use a complex password that you don’t use on any other device or account. Regularly changing them is also a good idea.
Of course, even a strong password is still not 100% effective at stopping intrusion. Consequently, you should enable multifactor authentication (MFA) if available on your IoT device. This extra verification step will only take a second more when accessing an endpoint but ensures a cybercriminal can’t get in even with a stolen password.
If an IoT device doesn’t have an option for MFA, you can use a third-party app like Google Authenticator, Microsoft Authenticator or 2FAS. Be sure to also apply these steps to your router and not just the connected IoT devices
A reliable way to secure IoT devices is to separate them from other endpoints. One of the IoT’s biggest risks is that its connectivity can let attackers jump between devices on the same network after breaching a weak link. This lateral movement can turn a smart camera with minimal built-in protections into a gateway to your computer with sensitive data.
You can prevent these threats by segmenting your network. Many routers let you set up a guest network, and you can use these to host your IoT devices while running everything else on your main one. This segmentation ensures that if a cybercriminal breaches one device, they can’t use it to access everything else in the building. That won’t necessarily stop breaches, but it minimises their impact
Disable unnecessary features and connections
Another way to minimise lateral movement is to limit what each IoT device connects to. Interconnectivity is helpful, but not every endpoint needs to communicate with all the rest. Disabling these unnecessary connections will effectively shrink your attack surface.
Businesses should also review their partners’ and third parties’ access to their IoT devices. According to Agio, an IT and cyber security managed service provider, just 37% of companies in 2020 tracked third-party IoT exposures, leaving them vulnerable to massive supply chain attacks. Always review your connections and access permissions and restrict them as much as possible.
Similarly, disable any device features that your organisation doesn’t use. Voice control, auto-connect and remote access are common IoT features you may not need that are best left off if you don’t actively use them.
Encrypt IoT traffic
Encryption is another critical step to secure IoT devices. A 2020 threat report by Palo Alto Networks and Unit 42 suggested that 98% of IoT traffic is unencrypted, leaving the data traveling between these items vulnerable to man-in-the-middle attacks. Thankfully, the solution to this vulnerability is straightforward.
Many IoT devices come with an option to encrypt their signals, but it may not be on by default. Double-check all IoT endpoints to ensure you use the highest encryption standard available.
You can enable encryption from your router if your IoT systems don’t have built-in tools. Set the router to WPA2 or WPA3 if available. Hardware that doesn’t support these standards isn’t sufficient for today’s cybersecurity needs.
Keep your devices up to date
A simple but essential step in IoT security is updating all endpoints. New IoT software vulnerabilities emerge regularly, so developers frequently push out patches and updates to account for these newfound risks. However, many businesses overlook updating their firmware, leaving their devices vulnerable to known attack vectors.
The easiest way to avoid this oversight is to enable automatic updates when available. However, not every system has an automatic update feature. In that case, set a firm schedule to check for and install them yourself.
Regular updates apply to your Wi-Fi router and any security software you use. Businesses should assign specific employees to check for these updates at times to hold people accountable for any oversight in this area and minimise the chances of overlooking it.
Subscribe to our Editor's weekly newsletter