Are IoT devices the weakest link in cybersecurity?

IoT devices in the workplace increase cyber risks, making it easier for threat actors to access secured systems.

Insurers and commercial policyholders need to understand the cyber risks involved anytime a new device joins their network, says Sam Shay, creative director at Socotra. (Credit: Elnur/Adobe Stock)

Internet of Things (IoT) devices have inundated our everyday lives, with an estimated 14 billion IoT devices connected worldwide, according to Transforma Insights. From smart thermostats and refrigerators to connected cars, it’s hard to get through a day without interacting with an IoT device, especially considering most people carry one in their pocket or purse. However, in the era of connected living, these devices can pose a serious cybersecurity risk for insurers and their commercial policyholders.

“To think that their client’s data could be exposed by the refrigerator that the employee break room has would have been unthinkable 20 years ago, but that’s an extremely real threat right now,” said Sam Shay, creative director of Socotra. “[It] doesn’t matter how ‘smart’ or ‘dumb’ the appliance is — anything that is connected to your network through Wi-Fi is going to pose a serious threat.”

Hackers have commandeered IoT devices in the past to wreak havoc on personal lives and entire countries. In 2017, cybercriminals manipulated the firmware of over 465,000 implanted pacemakers, making it possible to drain the pacemakers’ batteries, steal sensitive data and change lifesaving settings. A year later, the Mirai botnet dismantled internet access in various countries.

IoT device risks

Many IoT devices are untracked, poorly managed or unmonitored, writes Security Scorecard. Combined with weak passcodes, botnets and the rise of AI-based attacks, this leaves P&C insurers and their commercial policyholders more vulnerable whenever an IoT device comes onto the property. CompTIA investigated cyber risks for IoT devices and found these were the top four.

The “default password threat”

Some simple changes and protocols can mitigate the cyber risks of IoT devices, such as changing default passwords. Many IoT devices are installed with default passwords that are never changed. The organization Global Information Assurance Certifications (GIAC) dove into the “default password threat,” noting hackers don’t often need complex methods to access secured systems because default passwords still used in built-in accounts offer easier access.

Default passwords are username and password pairings that ship with software, a database, an operating system or an IoT device, such as a security camera or smart plug. These passwords are available to the public online, in vendor handbooks and other open sources. The SANS Institute recognizes default passwords as one of the top ten cybersecurity threats. Luckily, a new, stronger password can lower the cyber risk.

Reducing IoT cyber risks

In addition to updating default passwords, CompTIA recommends connecting IoT devices to secure networks with strong, unique passwords, adding firewalls to the company network and limiting the permissions allowed for the device. For example, a smart bulb or refrigerator likely doesn’t need access to your contacts.

Insurers and commercial businesses can enhance their IoT cybersecurity with these measures, says CompTIA:
