What Is IoT Security? Insights & Tips from 11 IoT Experts

Smart devices and other connected internet of things (IoT) technologies can be found in homes and workplaces globally. But just how secure are the technologies that we entrust our work environments & sensitive data to? 11 experts weigh in as we take an in-depth look at internet of things security for businesses.

The more technologically “connected” our personal lives and businesses become, the more IoT security matters. Data from Fortune Business Insights shows that the IoT market is projected to top 1.4 trillion devices by 2027 with nearly a 25% compound annual growth rate (CAGR)!

Now, we’re not going to inundate you with all of the IoT security statistics we’ve seen — you can read more of those on your own in our IoT statistics article. But the point here is that IoT devices are here to stay, and it’s up to companies to decide how they’ll be used — whether they’re useful and secure assets or vulnerable targets for attackers.

The so-called internet of things (IoT) includes many devices found in homes and businesses across all industries. It includes network-connected devices as well as those that use other connectivity protocols (such as RFID and Bluetooth). But what does this growing reliance on connected technologies mean for businesses in terms of IoT security? We’ve asked 11 security executives, developers, and other IT experts to help us answer that and other IoT and security-related questions.

In this article, we’ll answer the question “what is IoT security?” and explore what internet of things security entails, why it’s historically been an issue to achieve, and what companies and governments are doing to address IoT security issues.

Let’s hash it out.

What Is IoT Security? What It Means to Secure These Emerging Technologies

IoT security device market growth by 2027. Data source: Fortune Business Insights.

Internet of things security is a sector of information technology that focuses on securing endpoint devices, networks, and data relating to the internet of things (i.e., connected devices that aren’t computers, smartphones or tablets). Basically, IoT security is a broad term encompassing the security strategies, policies, processes, and technologies that companies use to protect their IoT devices (everything from smart refrigerators and security cameras to monitors on jet engines or automobiles) and their associated data, applications and networks from being hacked or otherwise compromised.

But why is IoT security necessary? After all, “smart” technologies have smart in the name, so that means they should also be secure, right? We wish. Unfortunately, that assumption about IoT security is often far from the truth as many IoT devices aren’t as secure as you might think.

Mike Nelson, Vice President of IoT Security at DigiCert, says it well:

“At its core, the IoT is about connecting things to create new, actionable data.  Anytime connectivity is introduced into a system, cyber risks go up. If left unsecured, this connectivity can open backdoors into the organization’s network. In addition, with growing connectivity, the new data being generated and transmitted creates additional risks. Whenever this data contains sensitive business or personal information it must be handled in a confidential way.”

The more devices you add to your network (i.e., the more connections and entry points you create), the less secure your network becomes. If even just one of those devices has an unpatched vulnerability that an attacker exploits, then your data is at risk of exfiltration and compromise. And with so many devices in the market — and more being added daily — IoT represents a rapidly growing attack surface that bad guys can use to target your organization.

Why IoT Security Matters

When users and companies buy IoT devices, there’s an understandable expectation that those devices are secure. However, regardless of what any salesperson tells you, no technology or software is 100% secure.

IoT devices are designed and programmed by people, and people make mistakes and miss things. In some cases, a seemingly insignificant mistake can become a major exploit down the road. Of course, the significance and impact vary and may increase based on the target organization’s industry and the attacker’s goals. To put this another way, although a vulnerability in a smart refrigerator can result in data theft, a vulnerability in a smart medical device can result in significant harm or death to an individual.  

According to Niko Sagiadinos, a developer and owner of the digital signage company SmilControl:

“IoT devices can be used as a gateway to the company’s or country’s digital infrastructure. Trojan horses for espionage, malware for sabotage and ransomware for blackmail fraud.”

Furthermore, IoT devices currently lack universal certifications and standards. They’re not like root of trust devices such as trusted platform modules (TPMs), which have vendor-neutral standards that developers and manufacturers must meet. And without those go-to trusted standards for device manufacturers and end-users to abide by, IoT is still a bit of a Wild West.

Your IoT Devices and Network Are Only As Secure as Your Smallest Vulnerability…

If you’ve read any of the major headlines in recent years, it should be apparent how and why IoT security is critical. Let’s consider the WannaCry ransomware attacks of 2017. To quickly summarize, that global security event involved attackers leveraging a security vulnerability in legacy Microsoft Windows operating systems. Prior to the attack, Microsoft released a patch to fix the issue — but many companies failed to apply the patch to their systems, leaving their systems vulnerable.

The same concept applies to IoT security. These devices also have known and unknown vulnerabilities that attackers can exploit in the future (if they haven’t already done so). In fact, the Dyn attack, which Forbes says was responsible for knocking out thousands of prominent websites, relied on a botnet of hacked and compromised IoT devices.

Eclipse Foundation says that nearly half of their respondents (47%) currently deploy IoT solutions connected to their networks, and another 39% plan to follow suit within the next 12-24 months. And considering that every new IoT device represents a new entry point to your network, this means that the more endpoint devices you have, the more exposed your network becomes.   

Harriet Chan, co-founder of the software development company CocoFinder, emphasizes the importance of protecting every device on your network. Companies must make the effort to secure every endpoint device regardless of how innocuous they may seem:

“If hacked, even a printer could provide company information to unauthorized personnel. Botnets are mainly used for DDoS Attacks and pose a significant risk if a cybercriminal gains access to connected devices.”

How and Why Businesses Globally Use IoT Within Their Environments

Wondering why companies are increasingly relying on these technologies if they pose such big cyber security risks? It’s a fair question, and there’s no single answer. However, many companies either already use or plan to use connected technologies because of their benefits. IoT devices have been known to help organizations in many ways, including:

  • Streamlining processes that increase productivity and agility,
  • Improving operational efficiencies, and
  • Reducing overall operational costs.

Connected devices have many potential applications within organizational environments — their specific usages often depend on the company’s industry. For example, you’ll often find IoT devices in use as:

  • Wireless printers, smart thermostats, and even break room refrigerators in corporate environments.
  • Robots and inventory tracking and management systems in manufacturing and industrial settings.
  • Medical devices (such as pacemakers) and monitoring equipment in hospitals and other healthcare facilities.
  • Geolocation trackers, sensors, and cameras in transportation-related industries (trucking, shipping, traffic management, etc.).
  • Monitoring devices and smart grids for critical infrastructures such as utilities.

Why Enterprise IoT Is a Vulnerable (and Growing) Attack Surface

An illustrative example of some of the ways that organizations use IoT devices within their environments.

Internet of Things technologies are becoming increasingly common within business environments. Research from the Eclipse Foundation’s 2021 IoT and Edge Commercial Adoption Survey shows that 47% of the 300 IoT and edge professionals who participated currently use IoT within their organizations. Another 39% indicate that they plan to do so within the next 24 months.

Unfortunately, as is common in other areas of cybersecurity, IoT security often gets neglected by the companies who create the devices and the organizations that use them. But for IoT cyber security to be effective, it needs to be a collaborative approach with all parties taking steps to make devices and their uses more secure:

  • Developers and manufacturers need to design and build secure devices and platforms, and
  • End user enterprises (i.e., companies that are deploying, managing and using the devices within their environments) need to take steps to keep the IoT systems secure.

Where OEMs Fall Short Regarding IoT Security

Developers and manufacturers often wear blinders, focusing their attention and efforts primarily on convenience and UX. And we get it — customers don’t want to buy products that make their jobs harder and are frustrating to use. But with such a narrow DevOps focus, OEMs often wind up sacrificing security in their pursuit of creating the perfect experience.

This is why companies should be adopting a SecDevOps or DevSecOps approach for internet of things security. Basically, the idea here is that cyber security should be a key component of those initial planning, development, and testing processes rather than an afterthought.

Why End User Companies’ Efforts Are Often Lacking

There are many reasons why companies don’t have strong IoT security defenses. In some cases, it can be a lack of labor, cyber security budgets, and other resources. Other times, it results from a lack of visibility — you know, the old “out-of-sight, out-of-mind” issue.

Too often, poor IoT security boils down to:

  • A lack of understanding of common IoT security risks,
  • Reliance on bad or ineffective security practices (such as performing irregular updates and patch management) to mitigate those risks, or
  • A combination of these two issues. 

Of course, simply understanding the reasons or explanations as to why companies aren’t doing what they’re supposed to doesn’t negate or mitigate their damaging effects. Poor IoT security results in everything from non-compliance penalties and lawsuits to lost business and reputational damage.

If companies aren’t investing the time and resources to secure those assets, it creates a substantial attack surface for bad guys to target. This creates the IT and data security equivalent of a buffet for bad guys — but instead of tasty foods, attackers have a selection of vulnerable devices that provide access to your network and other systems that connect to it, as well as all the sensitive data they contain.

IoT Security Regulations and Laws Historically Have Been Virtually Non-Existent

The Internet of Things industry is still relatively new as far as cyber security standards, policies, and regulatory requirements are concerned. But IoT security is an issue that has historically been treated like the proverbial redheaded stepchild — IT teams and regulators alike have ignored the issues for as long as possible.

This is another factor that has likely had a huge impact on the rise in IoT security threats. It’s also likely why several organizations took the initiative and stepped up to create their own IoT security guidelines:

  • IoT Security Foundation has many valuable resources and guides on their website, including their “IoT Security Compliance Framework” and “Secure Design Best Practice Guides.”
  • NIST has an IoT for Cyber Security Program that aims to improve the cybersecurity of connected devices and the environments that they’re deployed in. They also published their Cybersecurity Framework to help organizations protect their data and physical IT infrastructures against — as well as respond to and recover from — DDoS attacks. (Note: the framework was created with critical infrastructure entities in mind [i.e., healthcare, energy and financial institutions] but also applies to organizations across virtually all sectors.)

The U.S. Introduced the First IoT Security Law in 2020

Thankfully, this “I’m just going to ignore it” mindset demonstrated by governments is slowly starting to change. One of the biggest examples of this evolution can be seen with the passage of the U.S.’s federal IoT security law and the creation of IoT security-related policies and guidelines for federal agencies.

The Internet of Things Cybersecurity Improvement Act of 2020 (H.R. 1668) was officially signed into law on Dec. 4, 2020. This legislation requires the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) to create security policies, standards and guidelines that all U.S. federal agencies (including government departments, contractors and subcontractors) that use IoT devices must adhere to.

Although this law technically only applies to those specified agencies, the guidelines and policies NIST and OMB set forth — such as NIST’s IR 8259 — can also serve as resources for private sector organizations and businesses as well. However, there’s no denying that there’s still a long way to go in terms of improving IoT cybersecurity as a whole — particularly with relation to the private sector.

But Jesse Thé, President & CEO of the B2B SaaS video conferencing solution Tauria, says there’s no time like the present to start working on your organization’s IoT security policies.

“Even though a more all-encompassing IoT security policy is awaited, service providers and manufacturers of IoT devices must not wait to start adopting security policies. Rather companies must be enthusiastic about setting standards of market security and IoT compliance. This will help them build brand reputation, ensure consumer safety as well as align product development with emerging standards and get a head start as security standards are implemented.”

Examples of IoT Security Risks

The long-standing lack of industry standards and poor IoT security practices make your network easy prey for cybercriminals. This is great for them but gut-wrenching news for you and your customers.

Speaking of easy prey — Chris Parker, host of the Easy Prey cybersecurity podcast and owner of WhatIsMyIPAddress.com, says that IoT security risks relating to widespread device adoption across your network typically are tied to the following:

  1. Bad guys can get access to your data and deliver malicious payloads by exploiting device vulnerabilities, and
  2. IoT devices can fail, leaving you with “bricked” (useless) devices without any fallbacks or fail-safes in place.

Adam Kohnke, Information Security Manager at Infosec Institute, shares the following concern:

“The network interface provided by IoT devices may provide external internet connectivity to would-be attackers. IoT device manufacturers also typically leave default access credentials in place for the devices they ship. These two conditions together leave enterprises vulnerable and prone to unauthorized remote access attacks.” 

Once a bad guy compromises a connected device, they can use that access to:

  • Move laterally across your network. This gives them the ability to discover other vulnerable connected devices, servers, and IT systems that they can gain access to.
  • Exfiltrate data. They can use their access to steal your sensitive data (such as intellectual property or your customers’ personal information) from your systems. They can then use, sell, or post this information online to cause additional harm.
  • Install ransomware and other types of malware. They can use their access to install malicious software that enables them to:
    • Lock your device so you no longer have access to it.
    • Encrypt your data and demand ransom payments.
    • Control your IoT device, making it a drone the attacker controls as part of a larger botnet.
    • Use that botnet of compromised devices to attack you and other companies via DDoS, brute force, and credential stuffing attacks.

One of the Biggest Issues in IoT Security? Complacency

The impact of such attacks and IoT security compromises is devastating. But how is it that these attacks occur? Ryan Nichols, Chief Information Security Officer (CISO) at the payment processing and SaaS company Curbstone, says that IoT security often gets overlooked for the sake of convenience.

“When it comes to the Internet of Things, out-of-the-box security is often overlooked for convenience. If left unmanaged, IoT devices can present a significant vulnerability to businesses and their data. These devices can be manipulated in a variety of ways, and the vulnerability and risk really [depend] on the device and the deployment.”

We’ll take a more in-depth look at IoT security issues, risks and challenges in another IoT-related article. Be sure to check back with Hashed Out over the next few weeks to see when content becomes available.

In the meantime, let’s explore ways you can effectively manage your network’s IoT security.

Managing IoT Security: Determine What Your Needs Are & How Best to Meet Them

Parker says effective IoT security management comes down to finding ways to meet your organization’s safety and performance needs within the confines of your financial limitations. Ask yourself important questions: Do you have the in-house skills, knowledge, and tools to meet these network and IoT security needs on your own? Or would it be more beneficial to explore the option of outsourcing network management to an MSP?

For people who want to handle this responsibility on their own, Nelson says that using an IoT management platform can help:

“IoT management platforms are a great way to maintain control of a growing IoT environment. Management platforms should have the ability to manage and push out device updates, identify vulnerabilities, have device level visibility, generate reports on devices, and help with the overall lifecycle management of a device.”

Centralized vs Decentralized IoT Security: Which Approach Is “Better” and Why?

When choosing how you want to manage internet of things security and access across your network, one of the biggest decisions you’ll need to make is whether to use a centralized or decentralized approach.

There are some advantages to using a centralized approach to IoT security management — one being that it’s safer overall. Another advantage of using a centralized management tool is that you have greater visibility of all your networks’ devices, so devices don’t fall between the cracks and become forgotten. However, there are also some advantages to using a decentralized system, such as improving performance by distributing processes and eliminating the single points of failure that you may find in some centralized systems.

Alex Feiszli, CEO of the next-gen cloud solutions startup GRAVITL, approaches the topic from a different perspective. He says that using both approaches is ideal for IoT security management:

“The array of IoT devices has become so large and complex that a centralized approach is extremely difficult to implement effectively. Still, centralized tools are necessary to help to pinpoint threats in real time. Decentralized approaches like zero-trust networking make sure all devices start with the minimal possible permissions. If you have to choose just one, go with decentralized. But don’t do that, do both.”

Regardless of which approach you implement, DigiCert’s Nelson says to make sure it’s the right one for your business:

“The answer to whether a centralized or decentralized approach is best comes down to the business needs and requirements. Both approaches can work and be effectively deployed – organizations need to make the decision that is best for them.”

But in addition to using an IoT management platform, what else can businesses do to secure their IoT devices and their connected network environments?

10 Steps Businesses Can Take to Increase Their IoT Security

Our group of experts contributed to the following list of practical steps businesses and other organizations can take to secure their IoT devices, networks, and data:

1. Only Use IoT Products from Reliable Vendors

It seems like everyone and their brother are coming out with their own smart technology products. This saturation of devices in the market doesn’t mean that the companies are putting in the time and effort to make their devices as secure as possible.

Kohnke says that effective IoT management requires due diligence and research up front.

“IoT Device management starts with a thorough review and vendor analysis for any third party that may supply IoT devices to the enterprise, which also includes a review, to the extent possible, of the components used on the devices themselves. If a vendor review passes and devices are purchased, a security assessment should be conducted against each device to change default usernames, passwords or other default configurations to the most secure settings possible.”

Part of this entails verifying that a manufacturer integrates adequate security measures into their IoT products and provides ongoing updates and support. But if there’s something you don’t like or seems inadequate, Kohnke emphasizes the following: “Don’t be afraid to leave unsecure or shady vendors. If they cannot explain or provide easy to understand security processes to help perpetuate security, find someone who can.”

2. Implement Cyber Security Frameworks and Follow IoT Security Best Practices

We mentioned some cyber security and IoT security-related frameworks earlier that you can adopt or adapt for use within your organization. However, implementing certain security best practices is critical to securing your networks and the devices that connect to them.

Here are a few best practices that you can implement right away to make your IoT network more secure:

  • Change factory-default device passwords to unique, strong passphrases. Original equipment manufacturers (OEMs) typically assign default passwords to their products. Not changing your devices’ default passwords when you add them to your network leaves them vulnerable to compromise.
  • Avoid using passwords altogether. A great alternative to traditional password-based security is PKI authentication. This process involves installing a digital certificate on your device that enables you to securely log in and authenticate without having to remember or type in cumbersome passwords.
  • Have the right people in place (in-house or outsourced) who have the right skills. Have developers and IT security team members who can shore up your IoT security vulnerabilities and take steps to secure your networks, applications and data.
  • Use endpoint and network detection and security tools. Just like having the right people in place is important, having the right security measures also matters. We’ll speak more about some of those momentarily in list item #5.
  • Implement access controls to restrict or limit access to devices. We’ve written about the importance of access controls previously and will speak more about them in section No. 6 below: “Limit Who Has Access to Your Network and Devices.”
  • Encrypt all of your organization’s sensitive data. Although some IoT technologies use encryption, it’s not the case for all IoT devices. This means that any video, audio, or other data that your IoT devices collect may be vulnerable to theft or modifications by attackers. But there is good news: you can use digital certificates to secure the data that transmits across your network from your IoT devices to your applications.

3. Document and Enforce Internal IoT and Cyber Security Policies and Procedures

All organizations, small businesses and large enterprises alike, should have documented cyber security policies and procedures in place. But what good do those policies and procedural guides do if you never bother to enforce them?

Chan says that enforcing these internal IoT and cyber security regulations with infractions is necessary to get users to take the initiatives seriously. After all, if users don’t have any skin in the game or they know that they won’t face repercussions for violating your security policies, then your security rules are like having a guard dog with no teeth.

Prepare for When Things Go Wrong

Having documented policies and procedures in place includes having plans and procedures for your organization’s business continuity and disaster recovery initiatives. It also means being ready when other types of unforeseen situations occur.

In addition to this, Tom Van de Wiele, Principal Security Consultant at the cyber security vendor F-Secure, brings up another important point to consider:

“Make sure your business has the contingencies in place to operate without the IoT service. Not just when it comes to the availability of the service, or lack thereof, but also when it comes to the health of the supplier. ‘Life time support’ of the device and services doesn’t deal with your life, or the product’s life; it is the life of the company offering the technology or services.”

4. Use Dedicated Networks for Access By Different Devices

One of the best ways to mitigate the risks associated with having connected devices on your main network is to not have them on there at all. Sound counterintuitive? Not really — you can isolate your IoT devices from your critical business networks and applications by simply connecting them to a separate, dedicated network. This is something that the overwhelming majority of our experts recommend.

Van de Wiele shares the following about the broad attack surfaces IoT represents for many businesses:

“When considering IoT technologies used in the workplace, the biggest risks are not adequately separating the IoT technology from business-critical networks — and, thus, adding to the general attack surface, e.g., shared networks and infrastructure. […]

Most IoT compromises that have been published have caught the attention of the media because, far too often, critical business networks end up in the blast radius of a compromised remote management service or hacked IoT technology stack.”

The FBI recommends using a Wi-Fi network for connected devices that’s separate from your other endpoints and critical IT infrastructure. This helps limit your potential exposure should one of your devices become compromised due to an unknown or unpatched vulnerability.

But what about segregating devices that connect to your network in general — what’s a good way to do that? Feiszli suggests using a guest network for untrusted devices and a zero-trust virtual network for trusted devices for network segregation.

Of course, be sure to secure that network with a unique, strong passphrase to keep unintended users from connecting to that network.

5. Increase Your Network Visibility So You Know What Devices Are Where & How They’re Used

Another critical step, according to Chan, is taking inventory of your IoT devices and network environment as a whole. Performing regular audits keeps you informed about:

  • Which people, applications, and devices connect to your networks,
  • What versions of software your users have installed on their devices,
  • How recently devices and their software have been updated,
  • How often the devices are being used, and
  • If they’re current devices or legacy systems that should be removed.
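One way to automate the audit questions listed above, together with the dedicated-network recommendation from step 4, is shown here as an added example that is not from the article or any vendor. The CSV columns, the 10.20.0.0/24 IoT subnet, the thresholds and the device records are all constructed for illustration.

```python
"""Audit a device inventory for segmentation, patch age, idle devices
and factory-default credentials. All names and values are hypothetical."""
import csv
import io
import ipaddress
from datetime import date

# Assumed dedicated IoT segment (step 4: keep IoT off business networks).
IOT_NETWORK = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample inventory, embedded so the example runs offline.
INVENTORY_CSV = """\
name,ip,firmware_version,last_updated,last_seen,default_creds
lobby-camera,10.20.0.15,2.4.1,2024-04-20,2024-05-01,no
floor3-printer,10.1.5.40,1.0.3,2022-11-02,2024-05-01,yes
breakroom-fridge,10.20.0.31,0.9.0,2024-03-01,2023-12-15,no
dock-sensor,not-an-ip,3.1.0,2024-04-28,2024-05-01,no
"""


def audit(csv_text, today, max_patch_age_days=180, max_idle_days=90):
    """Return {device name: [issues]} for every device with a finding.

    Dates are expected as ISO YYYY-MM-DD; `today` is passed in so the
    result is reproducible.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Segmentation: the device must sit inside the dedicated IoT subnet.
        try:
            if ipaddress.ip_address(row["ip"]) not in IOT_NETWORK:
                issues.append("outside IoT segment")
        except ValueError:
            # A bad record means the inventory itself cannot be trusted.
            issues.append("invalid IP in inventory")
        # How recently was the firmware updated?
        patch_age = (today - date.fromisoformat(row["last_updated"])).days
        if patch_age > max_patch_age_days:
            issues.append("firmware update overdue")
        # How often is the device used? Long-idle devices are removal candidates.
        idle = (today - date.fromisoformat(row["last_seen"])).days
        if idle > max_idle_days:
            issues.append("idle, review for removal")
        # Factory-default credentials still in place.
        if row["default_creds"].strip().lower() == "yes":
            issues.append("default credentials")
        if issues:
            findings[row["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY_CSV, date(2024, 5, 1)).items():
        print(f"{name}: {', '.join(issues)}")
```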

Data is a valuable resource for managing IoT security. Boris Shiklo, Chief Technology Officer at ScienceSoft, says that monitoring and analyzing command logs helps you better understand how your network and connected devices are being used (and by whom).

“To manage the IoT system security, the organization should log, store and analyze the commands sent by control applications to the IoT devices, monitor the actions of users. If some commands seem strange or come in huge numbers, it may be evidence of a security breach. Continuous security monitoring will help identify such potential security breaches at an early stage.”
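One way to implement the command monitoring described above is shown here as an added example; it is not code from the article or from ScienceSoft. The log format, the device naming scheme, the per-device-type command allowlist and the burst threshold are all assumptions made for illustration.

```python
"""Flag unexpected or high-volume commands in an IoT control-application log.
Log format, allowlist and thresholds are hypothetical."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO time> user=<u> device=<type>-<id> cmd=<c>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) cmd=(?P<cmd>\S+)$"
)

# Assumed allowlist: the commands each device type is expected to receive.
ALLOWED_COMMANDS = {
    "thermostat": {"SET_TEMP", "GET_STATUS"},
    "camera": {"GET_STATUS", "START_STREAM", "STOP_STREAM"},
}

# Constructed sample log, in chronological order.
SAMPLE_LOG = """\
2024-05-01T10:00:00 user=alice device=thermostat-01 cmd=SET_TEMP
2024-05-01T10:05:00 user=alice device=thermostat-01 cmd=GET_STATUS
2024-05-01T10:06:00 user=bob device=camera-07 cmd=GET_STATUS
2024-05-01T10:07:00 user=bob device=camera-07 cmd=FIRMWARE_UPLOAD
2024-05-01T10:10:00 user=svc-hvac device=thermostat-02 cmd=SET_TEMP
2024-05-01T10:10:01 user=svc-hvac device=thermostat-02 cmd=SET_TEMP
2024-05-01T10:10:02 user=svc-hvac device=thermostat-02 cmd=SET_TEMP
2024-05-01T10:10:03 user=svc-hvac device=thermostat-02 cmd=SET_TEMP
2024-05-01T10:10:04 user=svc-hvac device=thermostat-02 cmd=SET_TEMP
2024-05-01T10:10:05 user=svc-hvac device=thermostat-02 cmd=SET_TEMP
2024-05-01T10:10:06 user=svc-hvac device=thermostat-02 cmd=SET_TEMP
this line is malformed
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "user": m["user"], "device": m["device"], "cmd": m["cmd"]}


def analyze(log_text, max_per_window=5, window=timedelta(seconds=10)):
    """Return (alerts, malformed_count) for a chronologically ordered log.

    Alerts are (kind, device, user, detail) tuples. A burst is reported once,
    when a device first exceeds max_per_window commands inside the window.
    """
    recent = defaultdict(deque)    # device -> timestamps inside the window
    in_burst = defaultdict(bool)   # device -> burst already reported?
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            malformed += 1         # count it; unparsable lines deserve review
            continue
        device, ts = event["device"], event["ts"]
        # "Strange" commands: not on the allowlist for this device type.
        allowed = ALLOWED_COMMANDS.get(device.rsplit("-", 1)[0])
        if allowed is None:
            alerts.append(("unknown_device", device, event["user"], event["cmd"]))
        elif event["cmd"] not in allowed:
            alerts.append(("unexpected_command", device, event["user"], event["cmd"]))
        # "Huge numbers": sliding-window count of commands per device.
        q = recent[device]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            if not in_burst[device]:
                detail = f"{len(q)} in {window.total_seconds():.0f}s"
                alerts.append(("command_burst", device, event["user"], detail))
                in_burst[device] = True
        else:
            in_burst[device] = False
    return alerts, malformed


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"malformed lines: {bad}")
```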

Here are a few ways that you can increase the security of your network and connected devices:

  • Use antivirus and anti-malware tools. Using a combination of antivirus and anti-malware systems helps to protect you from traditional malware and viruses as well as more advanced threats.
  • Use perimeter network firewalls. Network firewalls are great tools that enable you to keep an eye on traffic as it enters and leaves your network. Essentially, they serve as gatekeepers to prevent unauthorized users from accessing your network and inside users from using your network for nefarious purposes.
  • Implement intrusion detection/intrusion protection systems (IDS/IPS). This powerful combination of tools is great for detecting and responding to unusual activity and anomalies on your network.
  • Use a vendor-agnostic IoT management platform. It should be pretty obvious at this point why you need to know how many devices you have on your network and where you can find them. However, this same concept applies to staying on top of your IoT-related public key infrastructure assets as well. If even one of those keys becomes compromised, it’s “game over” in terms of your IoT data security. This type of platform helps you discover and manage the digital certificates and keys for those individual endpoint devices.

6. Limit Who Has Access to Your Network and Devices

Identity and access management are integral to IoT security management as well as your organization’s cyber defenses as a whole. Implementing strict access management practices and policies keeps you in-the-know about who is authorized to access systems and gives you a way to verify that only legitimate users are doing so. This helps to mitigate IT security risks and limits potential exposure due to credential compromise.

Here are some of the things you can do to improve your organization’s access management:

  • Create user profiles based on documented authorization policies and practices.
  • Maintain a current list of authorized users. If someone leaves, have policies in place to ensure their access is disabled immediately.
  • Set user permissions and access privileges following those outlined procedures.
  • Log all access and events for those devices.
  • Enable single sign-on (SSO) or use passwordless authentication (such as PKI certificate-based or multi-factor authentication methods) to make your authentication processes more secure.

7. Check Your Physical Devices Regularly for Alterations or Other Evidence of Compromise

We’re not downplaying the importance of cybersecurity protections for connected devices because they clearly matter. However, it’s also vital that you remember to focus on IoT security in terms of physical security as well.

Physical devices that exist on-premises are vulnerable to tampering and other related security threats. For example, you can compromise IoT systems by physically removing the devices or tampering with them. Unfortunately, some IoT devices aren’t built to withstand physical compromises or to notify you when they occur. This leaves them — and your data — vulnerable to anyone who has physical access to them. Such security threats include everyone from malicious employees and contractors to anyone else who comes onto your property.

8. Perform Regular Penetration Tests and Vulnerability Scans

Performing cyber security without penetration testing and vulnerability scans is like trying to stop a leak without first inspecting your pipes. You can’t effectively secure your network if you don’t know where or how it’s vulnerable.

According to Parker:

“Anyone in a position of power at an enterprise business making a major move into the IoT should invest in penetration testing. This will see a security expert probe all connected systems for weaknesses and report on where the problems lie. Remember just how complex modern computing systems are — assuming that you can fully grasp their implications without expert help is perhaps the biggest mistake you can make.”

Penetration tests involve having pentesters (i.e., ethical hackers) poke and prod your cyber security defenses repeatedly in search of weaknesses to exploit. These practices vary and can involve everything from carrying out logic-based attacks and phishing attempts to testing your organization’s physical security measures. Vulnerability scans, on the other hand, are automated scans that look for and report vulnerabilities that exist within your IT infrastructure (endpoints, networks, etc.).   

If you have the in-house resources to handle this, great. But if not, you can always hire third-party experts to handle these tasks for you. The takeaway here is to use every tool at your disposal to figure out every potential way that an attacker could try to compromise your systems and data before they do.

9. Apply Patches and Updates Regularly to All Systems’ Software and Firmware

No matter how many security tools and measures you have in place, you’re still at risk if any of them have unpatched vulnerabilities. This is true for cyber security as a whole as well as for IoT security specifically. Whenever manufacturers release updates, apply them to your devices and systems as soon as possible.

Michael Miller, CEO of VPN Online, says automating updates can help with this task:

“To secure your IoT devices, you need to keep its software and firmware updated all the time. With an updated firmware, you’ll have the latest security patches that will make your devices invulnerable to cyber attacks. By simply turning on ‘automatically check for updates,’ you’re already safeguarding your IoT devices.”

If you’re a manufacturer that releases updates and patches for your products, be sure to digitally sign your code. This provides added security and integrity assurance to your customers that the updates are legitimate and came from your company.

10. Educate Your Employees About IoT Security

In addition to device and patch management, there’s a key final element to consider when it comes to improving IoT security: people. Ensure that each of your employees and network users — no matter whether they’re a C-suite exec or an intern — has a strong understanding of cybersecurity best practices. This education should cover common cyber threats and attack methods, security policies, expectations, and penalties for violations.

Kohnke says that user education should also cover the use of IoT devices.

“Devices are simply purchased, installed and released for use without due diligence processes being executed. On top of device management, user education is also highly important as each business use case for every IoT device should be communicated in user awareness security training or in an acceptable use policy. People remain the largest security risk due to their autonomous nature. If they do not understand the security ramification of improper use of an IoT device, they are exposing the enterprise to unnecessary risk.” 

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.