How to overcome the IoT’s security and privacy concerns.
For all its vast benefits, the IoT can only be as effective as its security and privacy protections allow it to be.
There can be little doubt that the Internet of Things (IoT) offers a wide range of benefits to both organisations and consumers – from automation and predictive maintenance in industry, to fitness trackers and smart homes in the consumer space.
However, the benefits of IoT sit in tension with growing concerns around the technology’s impact on privacy and data security. These devices tend to have more than their fair share of security issues, including a lack of encryption, weak default security settings, and a reliance on vulnerable software.
This can easily lead to unauthorised access, data breaches, and even large-scale botnet attacks, allowing bad actors to access sensitive data, hijack devices for malicious purposes, and exploit users in a multitude of ways, suggests Ross Hickey, CEO and Founder of Trinity, a leading local IoT specialist.
“Clearly, for the IoT to continue to deliver its enormous benefits, it has become imperative to utilise better security protocols, implement regular updates, ensure robust authentication, and undertake consistent regulatory compliance,” he states.

Key concerns
Describing some of the key concerns raised by IoT implementation, he points out that a key security challenge is the fact that there are no common standards among IoT devices.
“This lack of standardisation means it is impossible to implement common security standards. This lack of commonality creates inconsistencies and vulnerabilities that can be exploited by cybercriminals.”
“Another challenge comes in the form of third-party components – which may have their own vulnerabilities – being introduced into the IoT device supply chain. Furthermore, the majority of these devices operate invisibly, meaning the security teams that monitor the network may not be able to see them, in order to protect them.”
From a privacy point of view, continues Hickey, several issues are raised when leveraging IoT devices. For one thing, these devices collect massive quantities of personal data – encompassing everything from the user’s location, to their health information and possibly even their behavioural patterns. If this personal data is exposed, it becomes possible for bad actors to undertake identity theft and commit financial fraud.
“Perhaps the biggest security threat posed by IoT is the fact that – due to their own poor default security – they can easily be compromised, with this then serving as an entry point for an attacker to move further into the organisation’s network and target even more critical information.”
Solving the problem
Much must still be done to solve the security challenges posed by IoT adoption, and perhaps the most effective way to do so is a multi-layered approach to security. This should include not only security-by-design, but also multifactor authentication and access control, as well as strong encryption for the data.
“Other security options to consider are secure network segmentation, continuous monitoring and patching, and user education on privacy risks and good cybersecurity practices,” notes Hickey.
“IoT security must begin with the device manufacturers and developers at the design phase, so it is built in, rather than tacked-on as an afterthought. Devices must be crafted to ensure they only collect data that is necessary, and they should be governed by privacy policies that clearly explain how the data should be handled.”
Data encryption needs to be end-to-end and protect the information both at rest and in transit, ensuring that even if intercepted, it cannot be used for nefarious purposes. Multifactor authentication, passwords that are complex and unique, and regular software updates are other ways to build a more robust security ecosystem.
“The networks these IoT devices use can also be secured more effectively by implementing secure communication protocols, and by leveraging digital certificates and public key infrastructure (PKI) for both device-to-device and device-to-cloud communications,” continues Hickey.
Administrator and consumer challenges
“Ensuring the immediate patching of vulnerabilities – the moment the manufacturer has provided such an update – and implementing strong security measures to protect the application programming interfaces (APIs) that connect IoT devices to web services, is also critical to maintaining security.”
He states that network and system administrators must consider isolating IoT devices on separate networks, to help prevent potential threats from spreading, and should also maintain a thorough inventory of their IoT devices, so they are always aware of what is connected, and where. As with any other IT-focused security measure, they must also constantly monitor both the network and devices for signs of malicious behaviour or other anomalies, and they should ensure a Zero Trust approach to network access.
“Consumers also have a role to play in IoT security, not only in terms of ensuring they use strong passwords and install security updates for individual IoT devices, but also by educating themselves as to potential security risks. They should read the privacy policies associated with their device, to properly understand the types of data being collected, and of course they should secure their devices physically, to prevent tampering.”
“In the end, properly securing the IoT ecosystem is the joint responsibility of all involved, so a collaborative effort from manufacturers, users, policymakers, and technology providers, is key. If we wish to truly leverage all the benefits of IoT, while significantly reducing the risk, we need to strike the delicate balance between embracing innovation and safeguarding personal data,” he concludes.
