Is Your Organization Protected Against These IoT Exploit Risks?
In a changing digital environment, is your business keeping up with risk management?
The modern workforce is more connected and dynamic than ever before. Digital communication continues to dominate the way businesses get work done. This digital transformation has helped professionals of all kinds make huge strides to get work done faster and from anywhere. Additionally, the Internet of Things (IOT) has made office management and operational efficiency easier than ever.
However, this transformation has come increased risk. In order to provide anywhere, anytime access to business data, organizations are using more devices and in turn, have created more access points to their company networks. Though employees may be able to work from anywhere and through office operations are streamlined, the risks to IT security have undoubtedly increased.
Increased access and IoT streamlining are amazing technological developments that organizations should definitely be taking advantage of. However, with increased access points comes increased risk of cyber attacks of all kinds. In this new age of increasing connection, organizations would be smart to get informed about IoT risks and develop proactive strategies for patching holes and addressing vulnerabilities.
Defining IoT: What is The Internet of Things?
First things first, some may be wondering: what in the world is the “Internet of Things” (IoT). Though it may sound like part of a futuristic sci-fi movie, it actually involves the process of connecting and integrating everyday objects such as tech devices on internet networks. IoT involves the various range of devices that can now be connected to a business network and integrated with other connected devices.
Computers, smartphones, tablets– these are the obvious ones that most businesses use and rely on daily. However, IoT involves a much more expansive range of devices from all corners of an organizations operations. That SmartTV or SmartBoard in your conference room? The new, digital thermostats that allow you to remotely control the office temperature? Your security cameras or digital lock system? All of these modern devices represent access points that leave you vulnerable to cyber invasion.
Securing an IoT Network: Considerations and Challenges
So, with such an expansive network of potential access, security in the IoT age must be a top priority for businesses and organizations of all kinds. Gone are the days of simple firewalls and password protocols. While these things are still critically important, IT security strategies must be much more sophisticated if they’re to stand a chance against increased cyber risk.
Without a strategic and proactive approach to IoT security, your organization can and will be left open to threats you never would have considered. For instance, consider the case of the high-profile casino whose network was hacked via a fish tank thermostat! Yes, that sort of thing is now possible and hackers are taking every opportunity to break through the weakest security areas and wreak havoc in your network.
However, there’s no denying that trying to lock down and manage a growing number of network access points is no easy task. This is especially difficult when more and more businesses are greenlighting bring-your-own-device (BYOD) models. Each of these is another access point where cybercriminals can now infiltrate your computer network.
The only way to get a handle on more proactive and all-encompassing network security is to take inventory of all the access points you need to protect. This will include the basics, like company-owned computers and phones, but should also include the wider range of devices used in your office including thermostats, security systems, employee and visitor devices, etc.
The IoT Exploits You Haven’t Considered: Securing Your Digital Headquarters from All Angles
For context, let’s break down some of the key weak spots that are often missed as business professionals attempt to secure their networks. Take a minute to think. Can you think of all the potential devices or access points that exist in relation to your company network? Our guess is that even if you can, you may be missing some. Further, even if you can think of them all, can you say for sure that each access point is completely monitored and secured?
Check out these leading IoT exploits that could be keeping your organization vulnerable:
Tablets have revolutionized the computer in the business space. They’re portable, convenient, and can be used for a variety of purposes. Many employees bring them to meetings for taking notes. More and more, organizations are relying on tablets to help them get work done faster and more efficiently.
Tablets can be found in conference rooms, emergency rooms, and in the briefcases of remote workers. Often, tablets function as a mission control port from which audio-visual systems can be controlled or team meetings can be logged and recorded. However, though tablets have become second nature, their connection to your network make them ports for potential cyber invasion.
If your organization uses tablets, you must treat them like any other computer in the office. Their use should be subject to access control and their connection to the larger network should be secured. This means tablets should be subject to monitoring in the same way that computers and smartphones are. If a device is connected to your network, it must be considered a potential open-door for cybercriminals.
Speaking of conference rooms, SmartTVs and SmartBoards are quickly replacing the AV equipment of the past. Sleek presentations can be displayed on these devices in hopes of making business meetings more interactive, integrated, and engaging. This has been a great boardroom improvement; however, the increased risk must not be ignored.
SmartTVs are connected to your company network and often have a connection to the public internet for easy searching and browsing. Even worse? SmartTVs are notorious for having less-than-ideal security protocols. This can leave a gaping hole in an organization’s network security. In fact, there have been cases of SmartTV malware hacks where the infected TV attempts to infect any connected device in its range. This can have catastrophic effects for your network.
So, be sure to include all your organization’s ‘smart’ devices in your security inventory. If you rely on a SmartTV for regular meetings or use a SmartBoard to upload company data to the network, these devices must be secured. The last thing you want is a cybercriminal listening in on company meetings or holding your network hostage thanks to an unsecured SmartTV.
Organizations of all shapes and sizes rely on security monitoring to keep a constant eye on company property and office space. In the spirit of the digital transformation, most security cameras are now IP-based and are connected to company internet networks. They’re cost-effective and offer Cloud-storage and web-streaming features.
Security cameras are supposed to help keep your organization safe, right? That’s obvious. However, these digital security cameras present a unique problem. Because the security feeds can be accessed via the web, they’re easy prey for malicious hackers. Countless stories have hit recent headlines about hacks on company webcams or security cameras that allowed remote spying.
Even worse, some hackers are attempting to infect the camera itself in hopes of getting inside the network to cause trouble. Just like with the SmartTV, security cameras can be hacked and infected with malware. The infection can spread to other connected and in-range devices. This could be devastating for your organization.
If your company relies on a digital security monitoring system, be sure to give it the top-notch security it deserves. The ease and peace of mind offered by anytime access to your security feed are tempting. However, if you’re going to take this approach, you must make sure these endpoints are secured and reserved for your eyes only.
It must be noted that the corporate business world isn’t the only place where IoT devices are dominating. The healthcare sector is evolving, adopting more and more digitized healthcare devices than ever before.
X-ray and MRI machinery are continually becoming digitally connected. Electronic Medical Record (EMR) software is changing the way patient data is stored and shared. Heart-rate monitors and fitness trackers are personal health devices that can connect to networks wherever they go. In fact, most healthcare environments have a 10-1 ratio of IoT devices to computers – meaning that IoT attacks are much more likely in the healthcare setting.
Even worse? Many of these healthcare IoT devices run on old or outdated versions of Windows, making them more vulnerable to new and worsening cyber threats. With outdated operating systems, patches and loophole fixes are harder to implement. This means that critical healthcare devices like MRI machines can be subject to widespread attacks like the 2017 WannaCry hack.
For healthcare professionals, ensuring that devices are secure can be a huge challenge. Especially when considering the heavy weight of patient confidentiality and regulatory standards. Healthcare professionals and their IT teams must be consistent and diligent in their efforts to control access and secure IoT devices.
Unauthorized Network Bridge
Take a second to think about the day-to-day operations in your office. You likely use a printer semi-regularly and its likely set up wirelessly over Wi-Fi or Bluetooth. This is a no-brainer for most modern businesses as it makes it more convenient for anyone on the team to access printing services anytime, without requiring a physical connection to the network.
However, as is the trend with IoT, often it’s the things that make life easier that also open your organization to increased risk. Printers are especially dangerous because many larger entities have a huge number of printers wirelessly connected to the broader network. This leaves a massive security hole and offers the potential for any in-range device to use the printer as an unauthorized network bridge.
So, while your company printers may seem like the last thing you need to worry about in terms of network security, think again. To patch these security holes, make sure that each printer in your office is a monitored and secured device among all other network devices.
Protection of Gas Distribution Facilities
Okay. We’ve covered business and healthcare, but what about the increasing digital transformation in the manufacturing and utility industries? Industrial IoT is continuing to drive efficiency in these sectors. Using connected devices like sensors, valves, and other control mechanisms make remote control easier and optimize production.
However, these devices are very enticing to hackers and cybercriminals. And, given the nature of the work these industries do, the potential impacts from hacks on connected devices can be devastating and even fatal. Manufacturing and utilities do not make IoT security a priority and these devices were not designed with security in mind. As such, the manufacturing devices are difficult to patch and update, meaning even greater risk for the organizations using them daily.
In order for manufacturing professionals to prevent deadly hacks or mischief, these IoT devices must be secured at all endpoints. A good rule of thumb for manufacturers is to give every device a second glance. In fast-moving industries that have been subject to wide-spread digitization, analyzing all the technology in use and making sure everything is adequately secured is critical to larger network security.
Rogue Network Stealing Credentials
Finally, the modern office is subject to one wide-reaching risk. Most organizations these days – especially those with public spaces – are equipped with multiple wireless access points for user connection. Additionally, many modern devices are designed to connect automatically to the closest and best available network. Further, when faced with choosing a network, wireless users will usually opt for the strongest looking connection.
Sophisticated cybercriminals have learned to exploit this wireless activity by creating phony wireless access points in hopes of duping users into connecting. This offers hackers the opportunity to invade connected devices and get their hands on confidential data and user credentials.
If your organization offers access to a wireless network, be wary of this potential spoofing tactic. Do whatever you can to secure your wireless network and create a guest connection for visiting users who don’t need access to your larger network. Be open and honest with your team about wireless connection protocols and train them to be vigilant when connecting to wireless networks on business devices.
Navigating the New Cyber Landscape: Security for Today’s Digital Environments
There’s no denying this is a lot of information to take in and it represents some critical security concerns for you to consider. We get it! All this information can be seriously overwhelming, especially with new devices and tech developments happening at lightning speed. However, as challenging as it may seem, it doesn’t have to be impossible or daunting.
As mentioned, the key is keeping a detailed inventory of what devices are connected to your network and maintaining a record of all access points. Additionally, your organization should have key policies and procedures in place regarding network security and access control management.
Clearly posted expectations for employees is imperative, as is ongoing training for them. Employees must be reminded often of the importance of maintaining the security of your organization. Stay on top of employee training. Make sure your team understands the significance of securing the company network at all endpoints. It’s especially important to provide training for your staff in higher positions, such as managers, supervisors … even those in the boardroom.
Make it a priority to develop a plan for staying on top of the continually evolving digital business climate. Being proactive and consistent will help ensure that your organization stays alert and up-to-date when it comes to risk management.
Finally, when in doubt, reach out to a managed IT services partner for consultation and guidance about navigating the IoT landscape and managing risks with efficiency and focus. IT security concerns can seem much less daunting with the experience and expertise of an industry professional in your corner.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.