The Internet of Things has brought unprecedented computing power to our fingertips. Today’s offices boast online connectivity for everything from temperature controls to coffee machines.
Yet this mega-network of data highways also exposes us to new security challenges, which many businesses are struggling to address. Unsecured IoT devices account for some 26 percent of data breaches, a rapid increase from 15 percent in 2016. And that’s only the data from reported incidents.
Security experts say that many companies aren’t even aware they’ve been compromised. “There are only two types of companies—those that know they’ve been compromised, and those that don’t know,” cautions McAfee’s former VP of threat research, Dmitri Alperovitch.
Below we’ll explore how your IoT devices are exposing you to cybercriminals, and how you can bolster your defenses against attacks.
Vulnerabilities in your company
Common work devices like laptops and smartphones are often at the centre of security programmes in the office. However, many companies make the mistake of skipping over seemingly simple IoT devices and the security of third-party providers, like your HVAC maintenance partner. Hackers stole millions of credit card details from American retail giant Target by going through their heating and cooling systems. Security and digital cameras can be used as access points to break into your network.
Uncoordinated security strategies
Most companies have taken a silo approach to cybersecurity, directing the heaviest efforts toward high-risk departments that hold sensitive data, like finance, while leaving departments seen as low-risk to develop their own security measures. But the IoT spreads the risk throughout the whole company, which is why the old, decentralised approach is placing many at risk. Any software, whether used by marketing or legal, is now a potential entry point for criminals. Hardware that used to run quietly in the background, like motion sensors or temperature gauges, is now a hole in your defenses.
Most devastating cyberattacks don’t need sophisticated software to break into your network; most of them are carried out using social engineering. Wily criminals use legitimate-looking emails to steal sensitive company data from unwitting employees. As users become more discerning about emails, attackers have also started using new methods, such as calls or malicious apps downloaded through less secure devices like personal smartphones.
Poor response strategies
The great majority of organisations in the UK are poorly equipped to handle real cyber attacks. Companies take an average of 3 weeks to identify a breach. While most say they have a response strategy in place, nearly half of those strategies aren’t tested on a regular basis, a concern when more devices are going online and cybercriminals never stop developing ways to exploit the network.
Basic steps for defending against attacks
Back up your data
Losing your data can completely freeze your operations, costing millions in damages and lost customers. Backups are crucial. “By backing up your data you’re enabling your business to continue operating as close to normal as possible, reducing the amount of downtime your business will need,” says Dave Blackhurst of Bristol-based IT support company, EvolvIT.
There are a couple of methods available to SMBs on limited budgets. One is using cloud-based services. The advantage of cloud-based backups is that they allow businesses to scale capacity quickly. However, since the data is in the cloud, restoring functionality depends entirely on a strong network connection, which may be affected in the event of a data hack.
Another option would be to place your data on an encrypted USB drive. While capacity may be more limited, USB backups can get your critical business operations up and running faster than Internet-based solutions. Plus, business owners get more control over where their backup data is located and who holds it.
Educate your employees
Cybersecurity used to be managed by department. With IoT devices, security is no longer only a responsibility for network officers, but rather an initiative that requires the compliance of all your staff. Your security is only as strong as the knowledge of your lowest-ranking employee.
The IoT forces businesses to take a wider, all-encompassing approach to cybersecurity, and that includes training all of your personnel. Many successful phishing attacks started with simple emails that should have set alarm bells ringing for security-savvy employees. Train everyone in the company to communicate in a way that can’t be replicated by a hacker. For instance, they can send out internal “heads up” messages for important emails, or try to be as unique and detailed as possible in their communications.
Businesses with bigger workforces and resources can also run real-life simulations. These events train you to respond faster to actual attacks, mitigating damage. Plus, simulations can help you hone your documentation process and comply with the GDPR’s strict 72-hour reporting policy.
Consider working with an IT partner
Large companies can spend millions on cybersecurity. Yet bootstrapped SMBs don’t have access to the same kind of programmes. Even at the basic level, keeping your data protected means regularly patching software and monitoring your network for suspicious activity, tasks many smaller business owners don’t have the time or skill to do.
But the threat of data theft and fraud is too large to ignore, especially for SMBs. Over half go out of business 6 months following an attack. If you can’t hire your own cybersecurity officer, outsource to a trusted third party. You’ll get a knowledgeable team that is trained against the latest methods of cybercriminals.
Plus, outsourcing is a good way to keep your costs constant. “Outsourcing your IT on a monthly retainer basis gives you the confidence that any IT issues are covered at a fixed fee,” says Blackhurst. A fixed fee helps make cybersecurity sustainable for small to midsize businesses, which is critical amidst the rising cost of keeping your network protected in the fast-expanding universe of IoT devices.