SECURITY SOLUTIONS TODAY29 Dec 2021
Three Simple Methods to Secure Your Enterprise IoT Devices
IoT
Views: 363

Contributed by Gary Gardiner, Head of Security Engineering, APAC & Japan, Check Point Software Technologies

The Internet of Things (IoT) has been a blessing for enterprises. It can make employees more productive and enable crucial business processes to run more smoothly, intuitively, and efficiently.

Yet, the same technology can also make your enterprise more vulnerable. IoT building-security startup Verkada is a clear example of this. It was hacked in 2021, exposing footage from over 150,000 connected surveillance cameras belonging to 95 customers.

This post will explore the most common use cases for IoT in the enterprise, along with some of the biggest vulnerabilities it creates. We’ll then explore three ways you can keep your IoT-connected enterprise productive while staying safe from threats.

The vast range of enterprise IoT

At this point in the game, it’s impossible to imagine giving up IoT, as it’s become a must in every enterprise environment. Most IoT technology in an enterprise setting falls into one or more of three categories:

  1. Smart-building technology: Elevators, thermostats, HVAC systems, smart-lighting hubs
  2. Smart office technology: Badge readers, cameras, routers
  3. Smart business technology: Conferencing equipment, smart TVs, smart boards, virtual assistants like Alexa

While these devices are certainly useful, they also create weaknesses in your carefully planned network security.

For example, in the Verkada breach, the hacked surveillance cameras gave the attackers inside views of facilities including prisons, schools, companies, and even car manufacturer Tesla. Verkada had previously claimed its systems were "virtually unhackable," yet investigations after the fact revealed a lax, unprofessional corporate culture that should have raised some red flags.

The Verkada breach is nothing unique; in fact, too many situations like this have recently come to light. The important message here is that you need to understand the innate flaws in IoT security so that you can take steps to protect your own enterprise’s sensitive data.

Why IoT is innately vulnerable

As the Verkada incident highlighted, IoT devices come with a few intrinsic flaws that make them unacceptable as a security risk:

  • Lack of standardisation creates a hodgepodge of devices
  • Weak security approach, including flimsy or nonexistent passwords
  • Outdated and unpatchable architecture, firmware, software
  • Larger number of devices expands the attack surface and opens up the possibility of a botnet campaign

As a result, it’s all too easy for hackers to gain access to these devices and either wreak havoc with the IoT devices themselves, or move laterally to harm mission-critical systems and steal the personally identifiable information (PII) of customers or employees, intellectual property, or other assets. Hackers may also gain control over the network and hold it for ransom. 

Their latest trick? Combining these strategies in double extortion attacks that promise even more lucrative payoffs.

In general, vendors build and sell IoT solutions based on functionality and ease of use, often rushing products to market to beat the competition without looking at the security big picture.

Originally, they may have assumed hackers wouldn’t bother with these "inconsequential" devices, but it’s clear today that there’s big money in ransomware and the sale of enterprise IP – both nightmare scenarios for most enterprises.

We’re not saying you have to stop using IoT in your enterprise. It’s too late for that. Besides, you don’t want to lose the benefits. Instead, let’s look at three simple ways to boost your enterprise’s IoT security.

How to properly secure IoT devices

As we’ve seen, IoT can be a weak link in your security. But that doesn’t have to be the case. Once you’re aware of the many issues surrounding IoT security, it can help to begin with a free IoT security checkup and assessment report, which easily detects and identifies devices connected to your network and analyses their associated risk. This way, you can start mapping out your enterprise’s top priorities when it comes to preventing attacks.

Beyond this, here are three best practices to follow to defend your organisation against attacks initiated through or by taking advantage of compromised IoT devices:

1. Smarten up your passwords

Most organisations use the weak default passwords that come with their IoT devices. That’s not laziness; it’s often hard to change the passwords both because of the sheer number of IoT devices you have to manage and because the interface is usually unclear or hard to use. Ideally, each device should have its own secure password so that even if an intruder gains access to a single device, their potential to do damage is reduced.

Buying tip: When investing in new IoT devices, make sure it will be easy to change passwords from time to time.

2. Apply all possible patches

IoT hardware comes and goes quickly. That leaves an uneven patching landscape in which manufacturers may go out of business or devices may reach end-of-life quickly. A software or firmware patch may be available for certain devices, especially now that a few high-profile IoT-based attacks have made the news and some manufacturers are smartening up and releasing patches.

Buying tip: When choosing new IoT devices, ensure that the manufacturer has built in a reasonably easy-to-implement patch capability.

3. Move toward Zero Trust

Many organisations today are moving toward a "zero-trust" model centred on the principle, "Never trust. Always verify." In this model, each user is verified before being given access based on the principle of "least privilege," i.e., only for legitimate business purposes. This can prevent lateral attacks even if an intruder breaches your network. Network segmentation is another way to block untrusted users from moving laterally through your organisation.

Buying tip: For all new IoT devices, make sure you choose products that can support a zero-trust network architecture.

Toward better, tighter standards

It’s no secret that most IoT devices represent security breaches just waiting to happen, and the landscape is changing. In December 2020, the United States passed the IoT Cybersecurity Improvement Act demanding better, tighter standards for IoT devices. This is an important step, acknowledging the serious threat these devices pose.

However, even important legislative actions like these are too late for most enterprises, as they are already using IoT from unregulated vendors. They may not even be aware of what IoT devices are in their environment.

Obviously, when you’re buying new devices, it’s essential to choose vendors you trust and that are known for putting security first. When it comes to the devices you already have, it’s not too late to secure them.

More News
Sidebar news
Motorola Solutions Opens New Experience Center in Gurugram, India
Apr 17,2024
Sidebar news
InnoEX, Spring Electronics Fair Boosts Hong Kong’s Tech Hub Status by Attracting 88,000 International Buyers
Apr 16,2024
Sidebar news
Smiths Detection Launches X-ray Diffraction Scanner
Apr 16,2024
Sidebar news
Axis Communications Launches Open Cloud-Based Video Surveillance Management Solution
Apr 15,2024
Sidebar news
Okta appoints new RVP for Greater ASEAN and Singapore Country Manager
Apr 05,2024
Sidebar news
Hexagon rebrands Qognify, reaffirming commitment to physical security
Apr 05,2024
Sidebar news
Appointment of Jerome de Chassey as President of Smiths Detection
Apr 01,2024
Sidebar news
InnoEX Sees Twofold Increase In The Number Of Exhibiting Countries And Regions
Mar 28,2024
Sidebar news
Visidon AI-powered Low-Light Video Enhancement selected to Hailo-15 AI Vision Processor
Mar 15,2024
Sidebar news
InnoEX and Electronics Fair (Spring Edition) in Hong Kong To Showcase Cutting-Edge Technology and Products for Smart Cities this April
Mar 14,2024