We’ve been talking about it and seeing its influence in industry for years now, but the Internet of Things (IoT) has finally reached what we’d call a decisive period of its growth. In 2021, it was estimated that there were 10 billion active and connected devices, with an expectation that this will grow to surpass 75 billion by the end of 2025. This shows the overall IoT benefit is being felt, and it’s no doubt disrupting the enterprise and major industries as part of this, with automotive and manufacturing being two such examples.
Recognising the benefits connected devices can bring, from more efficient operations to greater productivity, is one thing. But recognising the security pitfalls of this technology is another, and it often gets overlooked. Now is the time for everyone – businesses and end-users – to take security seriously. Through data security policies such as GDPR, end-users have come to demand the highest protection when sharing their personal details online, and the same principle should guide the security protocols of IoT devices too. Threats will continue to become more sophisticated as the technology grows and hackers become adept at exploiting the weaknesses of the technology.
Getting the fundamentals in place
When enterprises connect a device to the internet, they’re not always doing so with the right amount of time invested in security. For example, when they download apps to their business phones to control the devices, they do so without reading the terms and conditions. As a result, businesses don’t fully understand where their passwords and other sensitive data they have been sharing across the IoT network is being stored. Or they are using devices without checking when they will stop receiving security updates – if they have any, or without ensuring they have a vulnerability disclosure policy or that external communication is encrypted. All of these factors lead to a network ready to be compromised by hackers.
All businesses need to learn how to best protect their connected devices, and it goes far beyond a simple password. When first adding a device to a network, it’s crucial for businesses to go through the settings and customise the settings to their exact needs. We often use the default settings for simplicity, but the approach might not fully protect the business’ data. For example, CIS Critical Security Controls – a prioritised path that helps improve a cybersecurity programme – gives users additional guidance on protecting their network.
An additional step a business can take is multi-factor authentication, which not all manufacturers implement, but this must change to prioritise security. Avoiding universal default passwords and minimising exposed attack surfaces will also help. However a business decides to protect their devices, it should be done as soon as the device is implemented into the network, as attempting to go back and retrofit security afterwards will always leave loopholes for hackers to exploit. A reactionary approach will undoubtedly have consequences, and governments are starting to become aware of this too.
Government collaboration
In 2022, we will see IoT security become a major focus for businesses and governments. The UK is one of the first countries that started working on such regulations, conscious of the interconnected risk that IoT devices can bring. Just recently the UK government announced The Product Security and Telecommunications Infrastructure Bill, which is a step in the right direction to mandating better cybersecurity practices for connected products.
This really could be the year where IoT moves away from poor security practices and ensures the technology is not a weak point of enterprises’ networks
Enforcement of the bill will only work if people abide by what is set out in it. Provided that the enforcement measures are up for the task, the bill will help to ensure that all products meet minimal cyber security products. With this, however, has to come the necessary punishments to ensure companies keep in-line. Another key aspect to consider is international parity. Like the UK, countries are developing their own laws to confirm the new legislation, and it is vital to ensure there is some level of standardisation. Finally, we cannot forget about the manufacturers. To avoid blocking startups and innovators as a whole, the UK will also have to deploy tools for companies to understand and be compliant with the new regulations. If all of these elements are addressed alongside the bill’s approval, then the UK will be in a strong position when it comes to IoT security.
As we look ahead to the rest of 2022, this really could be the year where IoT moves away from poor security practices and ensures the technology is not a weak point of enterprises’ networks. Back in 1988, the Morris worm was the first computer worm that gained significant mainstream media attention as it partitioned the internet for several days and left thousands of computers inoperable. It was because of this scandal that people began to take cybersecurity risks more seriously. The new UK regulation is attempting to remove this reactionary approach – and it is up to the IoT companies to heed this and take control of the situation, protecting the enterprise and its users in the process.
Gabriel Aguiar is Robotics Product Manager at Canonical. In this article, he considers the IoT tipping point.