How IoT devices can leave your business open to cyber-attacks


Businesses are using network-connected devices more than ever before, with recent predictions estimating that there will be as many as 27.1 billion in use by 2021. These devices are known as the Internet of Things (IoT) and they are transforming the way companies operate – making them more productive, efficient and innovative.


IoT devices include everything from office equipment like printers to modern white goods and security systems and, despite all their benefits, can present a major security risk. Each connected device in use is a potential entry point that a cybercriminal could seek to exploit.


One of the major reasons that IoT devices can be so dangerous is that they are designed with smart features rather than security in mind. The battle to get to market fastest means that there is often a tendency for manufacturers to overlook security, or fail to perform adequate testing.


Here are some of the issues with IoT devices that can leave your business vulnerable to cyber-attacks.


They are shipped with default passwords


Many devices are shipped with the same default passwords – and businesses make the mistake of not changing these. In fact, statistics show that almost half of IT departments do not change the default passwords of IoT devices that are connected to their organisation’s network.


One threat that exploits this is Mirai, a well-known IoT malware targeting devices such as routers and cameras shipped with the same out-of-the-box credentials.


They contain common software vulnerabilities


Many device vendors will licence software development kits for the chipsets that they use in their smart devices. While this can reduce costs, it does mean that when vulnerabilities are discovered, they are typically wide-ranging.


Another issue is that, because the majority of IoT devices are small, the underlying source code is written in common languages such as C and C++, which are more susceptible to problems like memory leakage.


They are difficult to patch


Patching is crucial to ensure that IoT devices are protected against the latest security threats. However, many manufacturers do not patch their devices regularly enough – and some do not release patches at all.


Even when patches are available, organisations can struggle to install them. For example, it’s not always easy to take important devices such as medical equipment offline to install important updates.


They create data protection issues


Many organisations that use IoT devices leave themselves open to data protection failings. One of the key reasons for this is that IoT devices have limited on-board processing capabilities and rely on transferring data to the cloud for analysis. In specific relation to the GDPR, for instance, use of IoT devices creates complications around data processing, consent, the ‘right to be forgotten’ and breach reporting.


They may not encrypt data


One way that IoT manufacturers could improve data protection is through the use of encryption, but unfortunately this is rare. A recent survey revealed that 40 per cent of IoT devices do not encrypt traffic, meaning a large number of devices could be vulnerable to man-in-the-middle attacks.


They suffer from poor authentication


Many IoT devices lack sufficient authentication mechanisms to prevent criminals from connecting to them. A recent example of this is an insulin pump that lacked sufficient controls to stop someone from being able to connect wirelessly to the pump and change settings. In theory, this meant that an attacker could adjust the pump to deliver too much or too little insulin.


Improving your business’ IoT security


In order to better protect your business against IoT security risks, you need to take a multi-layered approach. You should start by conducting a full audit of your IoT devices, including carrying out vulnerability scans to establish whether devices are configured and patched correctly. If you are unhappy about the security of a device you should remove it from your network.


The next step involves segmenting devices to their own wireless network, away from your other assets. Penetration testing and proactive network and endpoint monitoring are additional safeguards that can help to further address and mitigate exposures.
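The audit and segmentation steps above can be run against a device inventory, as in this added example (not part of the original article), which flags each device against the issues listed earlier. The inventory columns, the 10.20.0.0/24 IoT segment and the sample devices are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample inventory; column names and values are assumptions.
SAMPLE_INVENTORY = """name,ip,default_password_changed,installed_fw,latest_fw,encrypts_traffic,requires_auth
lobby-camera,10.20.0.11,no,1.0.2,1.4.0,no,yes
office-printer,10.0.5.40,yes,3.2.1,3.2.1,yes,yes
hvac-sensor,10.20.0.12,yes,2.0.0,,yes,no
door-controller,10.20.0.13,yes,5.1.0,5.1.0,yes,yes
"""

# Assumed dedicated IoT segment, kept apart from other business assets.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

def version_tuple(version):
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit_device(row, iot_segment=IOT_SEGMENT):
    """Return the list of findings for one inventory row."""
    findings = []
    if row["default_password_changed"].strip().lower() != "yes":
        findings.append("default password still in use")
    if not row["latest_fw"]:
        findings.append("no vendor patch information")
    elif version_tuple(row["installed_fw"]) < version_tuple(row["latest_fw"]):
        findings.append("firmware out of date")
    if row["encrypts_traffic"].strip().lower() != "yes":
        findings.append("traffic not encrypted")
    if row["requires_auth"].strip().lower() != "yes":
        findings.append("no authentication on connections")
    if ipaddress.ip_address(row["ip"]) not in iot_segment:
        findings.append("not on the dedicated IoT segment")
    return findings

def audit_inventory(csv_text, iot_segment=IOT_SEGMENT):
    """Map each device name to its findings; devices with none are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, iot_segment)
        if findings:
            report[row["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(findings)}")
```

Devices that cannot be brought to a clean result are the candidates for removal from the network.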
