With the rapid adoption of the Internet of Things (IoT), we are moving towards an entirely interconnected world, from smart organizations to smart cities. No one can dispute the power that IoT presents, but it brings with it an unprecedented cybersecurity challenge. Therefore, its deployment needs to be strategically thought out, together with wide-scale collaboration, responsibility, openness, accessibility and most of all trust between all relevant parties – vendors, systems integrators, consultants, IT departments and cybersecurity specialists.
As we become more and more reliant on web-based services and connected devices, we run the risk of making ourselves more vulnerable, particularly if we fail to recognize the importance of cybersecurity in relation to the IoT.
Connectivity means vulnerability
With attacks having doubled in frequency, 2017 was the worst year in terms of ransomware attacks, and with barely a week going by without a new breach hitting the news, the trend isn’t set to slow down. One of the first high-profile examples was the breach of major US retailer Target, dating back to 2013. Over 100 million customers were affected, costing Target an estimated $300M to date. The attack occurred when an HVAC (heating, ventilation and air-conditioning) system was compromised, allowing hackers to steal sensitive personal customer data.
As part of both public and private networks, connected devices are becoming increasingly interconnected to facilitate their management, speed up communications and increase data sharing. However, the last five years have seen a proliferation in the availability of cyber hacking tools, and cybercriminals have become more widespread and sophisticated. Without adequate security, these connected devices provide a gateway into personal, corporate, and governmental networks where confidential data can be stolen or vicious malware can be planted.
Cybercrime is more of an issue now than ever
Whilst interconnectivity is inevitable, as I’ve already indicated, there are risks we have to be aware of and stay vigilant against. Many incidents occur on unsecured networks, exploiting devices lacking basic cybersecurity features. The speed at which these unprotected networks and devices are being hacked is increasing. An easy example of this type of cyber-attack involves vehicles with keyless entry. Back in 2017 it took thieves less than 30 seconds to intercept unencrypted communications between a car key fob and the car before it was driven away from the unsuspecting owner’s driveway. A further example of the speed at which systems can be hacked and compromised is when a fake web toaster was put online with open web ports on an unsecured network. It was found in less than one hour, which just shows how easily these devices can be pinpointed and violated.
Whilst companies may recognize the importance of cybersecurity, in practice they are still not vigilant enough in regularly reviewing and enhancing industry security standards and practices to protect both themselves and their clients in an increasingly complex and threatening environment.
Small and medium-sized businesses (SMBs) are considered fair game by cyber hackers, and according to IBM, 62% of all cyber-attacks (about 4,000 per day) are on SMBs. These attacks occur based on a number of contributing factors: organizations continue to add devices and systems to their networks and have poor bring your own device (BYOD) policies. Services are frequently outsourced to reduce costs, and they often rely solely on installers to deploy effective security practices, making them ‘soft targets’ to exploit.
What measures can you take?
When choosing an IP-based security solution, the customer must scrutinize and evaluate the vendor’s cybersecurity policies—what are their principles and practices? Do the built-in security mechanisms offered in their solutions use multi-layered encrypted communications, data protection capabilities, and strong user authentication and password protection? These measures help protect your organization and your customers against malicious attacks. They also ensure only those with defined privileges will be able to access or use resources, data and applications.
Interestingly, in May this year, IBM banned staff from using any removable memory devices such as USB sticks, SD cards and flash drives as an extra layer of security. This follows in the footsteps of several other security-conscious organizations, including my own.
If the unfortunate happens and a data breach does occur, then the recovery and settlement costs have the capacity to reach hundreds of millions of pounds. And the damage to the affected company’s reputation is often irreversible. The National Cybersecurity Alliance found that 60% of small companies are unable to sustain their businesses beyond six months following a major cyber-attack.
That’s why, as the IoT gains momentum and data laws evolve, it will become critical to strengthen cybersecurity policies for all systems, including physical security solutions. This is more than just providing cybersecurity features. For companies to combat the cybersecurity challenge, there needs to be a true and trusted integration between cyber and physical security and a shared responsibility and partnership between all parties involved.