printer friendly version

IoT needs access management

IoT is a digital enabler that enhances business value through growth and promotes a better customer experience in the commercial world, but also generally has a positive impact on daily living.

With any Internet device, there will always be an external threat. The threat of a device being hacked to gain network access and then pivot to another device until critical information is obtained. If your IoT devices are in the workplace, you may have issues that are different.

Devices such as printers that retain copies of scanned documents and, in some instances, have domain credentials, can become a significant risk. The more devices that are linked the greater the possible spread of the breach. There are many different use cases we can review, from light bulbs to air conditioners to electric blinds – all these devices have an operating system and require updates and patches. And if we access these devices wirelessly, so can a hacker.

The disruption of IoT devices can escalate from a minor incident to a mass scale disruption. Protecting access to control these devices is crucial if we are to ensure that administration accounts for them are locked down. These accounts must be treated as privileged and should have the necessary controls in place to isolate any one device in case of a breach attempt.

Data breaches are rapidly and alarmingly on the rise. IoT opens up even more avenues for this to happen. Typically, it all starts with password breaches to get into privileged accounts and then access the data. Last year, global research indicated that password breaches happen every 30 seconds – a frightening statistic.

Cybersecurity companies will always be advancing in this area to protect all devices on the network; unfortunately there is no failsafe solution. The greatest risk is acknowledged to be the insider threat and with IoT this provides a platform for large-scale automated attacks that can be devastating. Cybersecurity companies provide great advice on the preventative controls and I believe with a combination of tools and appropriate behaviour we can avoid a large number of IoT device breaches.

In implementing IoT devices, the principle of least privileged must be applied as well as security by design. This would mean accounts that access the device and its software will be restricted to specific functions only. This also applies to usage of APIs to reduce distributed denial-of-service (DDoS) attacks.

Logical and physical access has become more advanced than ever, although key issues are not being addressed. A lack of awareness and behaviour shows this. We need to promote the right behaviour in the workforce and educating them regarding cyber threats. In businesses, this usually emanates from the company leadership, but for the general population we need government to drive this strongly. IoT is growing, but unfortunately, we will not be ready for it until we can ensure everyone is playing his or her role and are au fait with the application of basic secure behaviours.

Share this article:

Further reading: