As businesses leverage the cloud and the Internet of Things (IoT) to save costs and improve business operations, they must also be aware of the significant vulnerabilities that can develop if the organisation allows unfettered and unsecured access.
The IoT lets businesses leverage sensors and machine learning to automate functions and make better decisions. It can also help employees be more engaged or healthy, such as by wearing fitness trackers. The cloud, especially public cloud, helps companies address the need for compute and storage resources, and provides agility, scalability and global reach.
While these technologies provide opportunities for businesses to increase efficiencies and sharpen their competitive edge, there are also significant vulnerabilities that must be addressed before organisations can safely embrace them. And, as the number of connected devices continues to explode alongside the use of cloud, this issue will only become more urgent.
When it comes to the IoT, all connected devices, from fitness trackers to printers, introduce a potential risk into the corporate network the moment they’re connected. For example, an organisation can deploy closed circuit television cameras (CCTV) to their premises which, if left unprotected, can provide entry points for cybercriminals to exploit.
Once they gain access to the corporate network through these devices, they can move around at will and access mission-critical systems and processes. The devices could also be commandeered for nefarious activity, targeting other organisations or even their own.
Even though consumers and businesses place enormous trust in device manufacturers to maintain security, the fact is that IoT devices are the weakest points in the network. It’s therefore essential for business leaders to know exactly what devices are connected to the network, as well as understanding how many end-point devices the organisation relies on.
Committed cybercriminals are sophisticated and creative. While they specialise in finding ways to breach organisations’ security, the organisations split their time between security activities and other essential IT tasks. This puts the organisation at a disadvantage.
One way to overcome this is to create a culture of security from the top down. This means implementing policies around IoT devices at work and including rules for what devices can or can’t be connected to the corporate network.
There are two crucial steps that businesses can take to protect themselves from IoT-related risks:
-
Update settings
This includes changing devices from factory settings and setting new, strong passwords. Most IoT devices are implemented using factory settings and passwords that are easy to crack.
To date, IoT manufacturers haven’t been forced to deliver secure devices, although this may change as businesses start to understand the threat and demand better security. This should also include incorporating security assurance and scanning for vulnerabilities for these types of devices.
-
Strengthen building security
Building managers must prevent cyberattackers from gaining control over building security systems like door locks, elevator access, air conditioning and CCTV cameras.
Access to any of these systems can let cybercriminals gain physical access to the building or simply sabotage the organisations such as by locking all the doors and preventing access to the building while turning up the heat until processors overheat and malfunction.
When it comes to security in the cloud, it’s important to understand that public cloud works on a shared responsibility model. The provider secures the infrastructure but it’s the organisation’s responsibility to secure everything that is shared in the cloud, including patching and conducting audits.
Configuring cloud security correctly takes time and businesses must be patient and methodical. It can be tempting to move fast, since the cloud enables so much flexibility and agility. But it’s worth taking a little bit more time to get security right.
It’s not advisable to circumvent security configuration processes just to get workloads up and running faster. Cloud providers maintain a shared responsibility model with respect to securing the cloud – they safeguard their infrastructure and the organisation must protect the data/apps they put into the cloud.
Leveraging the built-in security settings is a start, but it is limited to controlling what systems can communicate with one another. Businesses should start with a virtualised implementation of a next-generation firewall and advanced threat protection.
It’s also important to understand not just the traffic between the perimeter and the data centre, but also the internal traffic that can reveal whether an attacker has gained access to the network. This makes it easier to prevent attackers from moving laterally around the network, limiting the amount of damage they can do.
Businesses shouldn’t be afraid to leverage the IoT and cloud for their amazing advantages. However, business leaders must create a culture of security and demand that users take the time to properly secure their data and workloads to avoid falling victim to a cyberattack.
