The Internet of Things (IoT) has changed the digital world in ways no one could have imagined and its accelerated growth is continuing to surpass expectations. Statista.com predicts that IoT end-user spending will top $418 billion annually by the end of 2021.
With such quick development comes inevitable vulnerability, along with those motivated to exploit it by way of a cyber attack. With this in mind, there are some important issues we should be mindful of in order to minimise the harm while still reaping the benefits of this technological revolution.
What IoT devices are at play?
The IoT incorporates a wider range of devices than you might think at first glance. The obvious devices that dominate the industry include smartphones, smartwatches and tablets but an increasing number of other products are being developed with IoT capabilities.
In the office environment, copiers, projectors, smartboards and even office coffee machines are now equipped with the ability to send and receive data via the internet. This allows tremendous interconnectivity within the workplace, resulting in some incredible efficiency gains.
The biggest gamechanger with respect to IoT in the home environment has, without doubt, been voice assistants like Google Assistant, Amazon Alexa and Siri. Again, the efficiency gains and the convenience of being able to do things like confirm appointments, order groceries and schedule reminders on command (while potentially doing other things around the house) have transformed the way people run their lives.
But these aren’t the only household items with IoT capabilities in existence. Smart TVs, washing machines, dryers, refrigerators, security systems – even lightbulbs can now be found with built-in IoT capabilities and the growth in this area shows no signs of abating.
What data is being stored by IoT devices?
Before discussing the potential technical vulnerabilities of IoT devices, it’s important to understand exactly what’s at risk. In the main, the risk is to data, both personal and commercially sensitive, depending on the context.
The type of data being created and stored by IoT devices is wide-ranging. In some instances, the data will be merely command-based due to the basic functionality of the device at hand, but in other cases the IoT device will be akin to an information hub. This includes things like smartphones, tablets and voice assistants, which hold data containing personal details, private account details, emails, social media, photos and videos as well as potential login details to online banking and e-commerce accounts.
For work-based IoT devices, the type of data being stored can, as previously mentioned, be highly commercially sensitive. This includes not only the intellectual property of the company itself but the private data of the customers/clients the company is servicing. The loss of this data in particular means they could be liable for subsequent damages and face hefty fines from government data protection regulators.
Vulnerabilities – the risks and how to manage them
The vulnerabilities of these IoT devices are just as varied as the devices themselves and the task of managing these risks is a challenging and daunting one.
One of the main risks as a result of the growth of the IoT industry is the increase in the number of access points that hackers can target due to the increased number of connections to any one given network.
Different devices will have different security measures in place to counter these threats, ranging from sophisticated and robust to weak and vulnerable, depending on the standards set by the company behind the product’s development. These inbuilt vulnerabilities can be further compounded by bad end-user practices such as using default passwords and ignoring patches and updates.
The attacks themselves can come in a variety of forms, from hardware-based attacks targeting communication ports on motherboards to software-based attacks exploiting bugs in operating systems, apps and other programs in use on the device. Communication protocols like Bluetooth, NFC, 4G and so on are also not immune to being targeted.
The best way to manage these risks is to have (or pay cybersecurity specialists to keep) a detailed inventory of all devices in your network. This inventory should have the specifics of what built-in security mechanisms are set up, what versions of firmware/patches are currently installed, what the device can actually do (if taken control of by a hacker) and who has possession/control of the device if applicable.
By having this information at hand, you can see where the vulnerabilities are, when updates/replacements are required and who needs to be contacted if action is required.
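The inventory described above can be kept as structured records and audited automatically. The following is an added example, not part of the original article; the field names, the impact weighting and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    firmware: str              # installed firmware version, e.g. "2.4.1"
    latest_firmware: str       # newest version published by the vendor
    default_password: bool     # True if factory credentials are still set
    encrypted_transport: bool  # built-in security mechanism (TLS or similar)
    capabilities: tuple        # what the device can do if taken over
    owner: str                 # who to contact; "" if nobody is assigned

# Capabilities assumed to raise the impact of a takeover (illustrative list)
HIGH_IMPACT = {"microphone", "camera", "door_lock", "stores_documents"}

def parse_version(v):
    # Compare numerically: as plain strings "1.9.0" would sort after "1.10.2"
    return tuple(int(p) for p in v.split("."))

def audit(d):
    findings = []
    if d.default_password:
        findings.append("default password in use")
    if parse_version(d.firmware) < parse_version(d.latest_firmware):
        findings.append(f"firmware {d.firmware} behind {d.latest_firmware}")
    if not d.encrypted_transport:
        findings.append("no encrypted transport")
    if not d.owner:
        findings.append("no owner assigned")
    return findings

def prioritise(inventory):
    """Return (name, score, findings, contact) for flagged devices, worst first."""
    rows = []
    for d in inventory:
        findings = audit(d)
        if findings:
            impact = len(HIGH_IMPACT & set(d.capabilities))
            score = len(findings) * (1 + impact)  # assumed scoring scheme
            rows.append((d.name, score, findings, d.owner or "UNASSIGNED"))
    return sorted(rows, key=lambda r: r[1], reverse=True)

INVENTORY = [  # constructed sample devices
    Device("meeting-room-camera", "1.9.0", "1.10.2", True, False, ("camera", "microphone"), ""),
    Device("office-copier", "3.2.0", "3.2.0", False, True, ("stores_documents",), "facilities"),
    Device("kitchen-coffee-machine", "0.8.1", "0.9.0", False, True, (), "facilities"),
]

if __name__ == "__main__":
    for name, score, findings, contact in prioritise(INVENTORY):
        print(f"{score:>2}  {name}  contact={contact}: " + "; ".join(findings))
```
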
The consequences of a user data breach
The consequences of data breaches can be devastating for both individuals and organisations as has already been shown in all too many examples.
For individuals, the consequences can include financial loss through bank and credit card details being hijacked. There can be a social cost when it comes to social media breaches and then there’s also the deep psychological toll which lingers with people having had their privacy invaded.
Organisations have also suffered huge financial losses as a result of data breaches, the figure for which has been growing every year for the last decade. The reputational damage can also cripple an organisation, especially when clients/customer data has been the target of a breach. With trust in security broken, many of those customers and prospective customers simply won’t risk their data being lost again once an organisation’s network security has been compromised.
The Official 2019 Annual Cybercrime Report has predicted that the cost of such cyberattacks will reach $6 trillion annually by 2021 which will make it the fastest growing form of crime on the planet.
How to react to a data breach
If you or your organisation are the victims of a data breach, it’s important to react as quickly as possible to the situation. Unfortunately, sophisticated and well-resourced hackers can infiltrate even the most robust of defences, which makes a post-data breach strategy essential.
The first thing that needs to be done is to assess exactly what and how much damage has been done by the data breach concerned. Without knowing this, an appropriate reaction becomes almost impossible. Knowing where the data breach has occurred will allow you to isolate that part of the network and block traffic to it.
Keeping thorough records of all affected parts of the network is important too, as is recording the measures taken to contain the breach (like blocking/filtering traffic etc). A record of these actions will allow you to inform strategies for the future, a difficult exercise to do in retrospect if such notes haven’t been taken.
As cyberattacks are a crime, the data breach will then have to be reported to the relevant law enforcement officials under whose jurisdiction it falls. Surprisingly, this step is sometimes missed, perhaps because a data breach doesn’t fit one’s idea of a traditional crime, but it is a vital one to follow. Law enforcement will have their own cybersecurity experts at their disposal who will quickly begin their own investigations.
Having informed law enforcement, it will then be your responsibility to inform any clients/customers whose data may have been compromised. You can expect an influx of communications from your customers as a result of this, so you’ll need to ensure you have staff on hand to receive and respond with the details they need to satisfy them.
Once the dust has settled, the final step will be to evaluate, understand and learn from the incident to prevent a similar attack happening again. Your notes and records taken earlier will greatly help in this respect. If you fail to learn and properly secure your networks after a data breach, there is a great probability the same type of attack could happen again.
Protecting your users in the IoT world
As you can see, there are a great number of things to take into consideration as a responsible provider and player in the IoT world. In doing so, you’ll protect your users to the greatest extent possible so that you and they can enjoy its advantages at pace and in keeping with the modern world.