October marks the 15th annual National Cyber Security Awareness Month (NCSAM). What began as a collaborative effort between government and industry has possibly never been more relevant than now, serving as an apt reminder to us all not only to be more conscious of cybersecurity threats, but also of how we as individuals and businesses can proactively mitigate them.
This week’s theme is all about making the home a haven for online safety. Once a notion probably not even considered by most parents, in today’s world, traditional safety practices like road and stranger dangers have expanded to include knowing how to use the internet safely and responsibly, and ensuring that networks and mobile devices are secure. In this regard, learning online safety and privacy life lessons from an early age is imperative.
With this in mind, and considering that IoT pervades pretty much every aspect of our business and personal lives, we take a look at which smart devices could be a security worry, and some security best practices that can help protect homes and businesses against cyberthreats.
IoT and devices
All roads in most homes and businesses lead to the routers – those wireless appliances that enable all IoT devices to connect wirelessly to the internet. It is for this reason that routers are wonderful, yet unfortunately, it is precisely their wireless connectivity capabilities that make them such prime attack targets. A router that has been hacked can compromise the security of devices such as remotely accessible cameras, for example a security or baby monitor, or light, heat and sound systems powered by IoT.
In newer IoT devices, we’re seeing software stacks similar to web application stacks being embedded into the devices, which provide limited measures of defense. Compounding this, it’s common for companies to hire web app developers they’ve never met from all over the world. And even low-level engineers can code these devices. In these cases, it’s almost a guarantee that security is not embedded effectively, if at all.
The level of risk involved with a device will vary depending on the context of how it is being used. Security layers such as authentication, user access, application access, device lifecycle management, and data encryption should all be considered to protect connected devices.
From a connectivity point of view, wireless connectivity and fixed line connections each have their own set of security protocols. Device data should always be encrypted and transmitted over secure private networks rather than sent openly via the internet. Additionally, network authentication allows users to verify and authorize devices on both the network and applications within the network.
Who’s responsible for building security into IoT devices?
The IoT value chain is long and complicated – each element is both essential and interdependent. Every link in the sequence represents a possible vulnerability and, just like every other industry, no one provider can cover all of the IoT security vulnerabilities. This fragmentation makes it very hard to put security responsibility on just one company. Rather, just as it takes a village to raise a child, IoT security is everyone’s responsibility:
For developers, this means:
- Embedding security into each phase of the DevOps process. Our Security Addendum Checklist for the Twelve-Factor App methodology offers actionable advice for building security into each of these steps
- Deploying to all the testing that takes place, and applying security principles to the entire stack
- Fostering a culture of security within the organization, i.e. security is everyone’s responsibility, not just the IT security team’s
- Making provision for an update model in the product design phase
- Creating an easy, remote way to implement security patches and updates
For businesses, this means:
- Evaluating the end-to-end identification and authentication of all entities involved in the IoT service (i.e. gateways, endpoint devices, home network, roaming networks, service platforms)
- Ensuring all user data shared between the endpoint device and back-end servers is encrypted
- Storing and using ‘personal’ and regulated data according to local privacy and data protection legislation
- Using an IoT connectivity management platform and establishing rules-based security policies for immediate action on irregular behavior
- Taking a 360-degree, network-level approach to security
For consumers, this means:
- Understanding that the risk of exposure and potential attack is real – a cybersecurity attack can happen to anyone
- Getting into the habit of updating all IoT devices regularly. This includes changing the router’s name and its preset password, constantly reviewing security options, and using a firewall
- Protecting all devices that connect to the internet, such as computers, smartphones, and gaming systems
- When online, being wary of suspicious emails and/or links
- Backing up important files by making electronic copies and storing them safely
In the spirit of NCSAM, when it comes to online safety, the onus is on all of us to STOP. THINK. CONNECT™.