As the hot topic of the Internet of Things (IoT) continues to be discussed, debated and utilised, there is one aspect that should never be far from the forefront of any thoughts or strategies - security.
The latest research claims that 29% of organisations have already implemented IoT solutions, and by the end of 2018 this is expected to rise to 48%, as businesses increasingly look to cash in on the long-term cost-savings and productivity enhancements associated with IoT.
As IoT continues to expand businesses, so does the surface area which hackers and online thieves have to play with. The risks are huge; so much so, it’s estimated that by 2020, 25% of cyber attacks will target purely IoT devices. With personal data and intellectual property stored on connected devices, hackers have the very real possibility of limiting an organisation’s full setup more easily than previously possible.
In addition, with the introduction of regulations such as GDPR, protecting customer and employee data of any kind is more urgent than ever before. In fact, according to last year’s Security and Compliance Research Report, nearly half of SAP users have greater concerns regarding the security of their SAP landscape than they did 12 months previously.
In this blog post we’ll take a look at the security issues surrounding the Internet of Things and what you should be doing to combat such risks.
The risk of technology over security
Due to the technology and idea of networking devices still being relatively new, security has not always been at the forefront of IoT product design. A particular risk is products that are sold with out of date or unpatched operating systems and software.
Similarly, hackers rely heavily on coming up with ways to use devices that were never conceived of before. This contrasts with the more human nature outlook of developers, who are likely to be more focused on the way things are supposed to work.
Taking a common sense approach to IoT security in this respect is key. You and your IT team should be treating this threat in the same manner and with the same degree of seriousness as regular IT security.
Educate consumers as well as front-line staff in security best practice
Making sure IoT security guidance is a natural extension to your current IT practices and guidelines is vital. As touched upon, this should be treated no differently to maintaining best internet security practice such as anti-virus software and standard use procedures. Despite IoT being a relatively new feature of the workplace, differences should not be seen between how a computer or laptop is protected compared to an app or device.
A common risk is one that has been associated with technology since the birth of devices and computers - users failing to change passwords from the default factory settings. Even in cases where passwords are updated, often they are not done so securely enough. Again, making sure these fall in line with company guidelines and requirements is crucial.
The same can be said for software updates. While ideally this should be up to your IT department to keep an eye on, depending on your business’ size it’s inevitable that your employees will come across this too. Ensure employees know who to report this to and how to take subsequent action should be outlined in your standard procedures.
IoT specific security products and software
While there should be little difference in your approach to protecting IoT devices compared to standard computer security, you must bare in mind the different operating systems in use and how they react. In most cases, IoT devices will use a specialised operating system that is completely different in both process and function when compared to standard PCs or consumer devices.
When it comes to upgrading or installing forms of software, specific products designed for your IoT device must be used. If not, it’s likely they simply won’t even run on most devices, never mind be supported.
Securing the cloud
It’s not just the device that needs to secured, access to the Cloud is just as critical if not more so. Before taking such products on board as part of your business strategy, make sure you do all the usual internal and independant checks to make sure it’s safe, secure and up to the job.
Even if your app or software is purely used internally and isn’t on show to the public, in theory it must be publicly accessible in order for the ‘things’ to access it via the internet. Whether it’s in the cloud or in the data centre, it needs testing and protecting.
To further improve security, an IoT device should be segmented into its own network and have network access restricted. The network segment should then be monitored to identify potential anomalous traffic, and action should be taken if any problem occurs.
Think about how connected you need to be
Okay, so this goes against the whole idea of IoT, but actually think about how connected you need to be. While in many business cases such devices will significantly improve efficiency and productivity, in others or in more personal scenarios, you may be just considering IoT applications as interest in them is currently high; when in fact it doesn't add to your business and perhaps isn’t actually worth the potential risks. While IoT will revolutionise some businesses, it won’t be the case for all.
Set up a dedicated and specialist IoT security team alongside current infrastructure
As reinstated throughout this post, integrating IoT security with your wider IT strategy and processes is vital. While directors and business leaders should be aware of the impacts, having a dedicated IoT specialist oversee your process will ensure best chance of security compliance.
This specialist may be your current head of IT should they have the awareness and capabilities; either way they should work intrinsically with your IT team to incorporate best practice across the whole system.
Our first ever IoT Symposium is on the horizon. Taking place in Dublin on Thursday 21st June, the event will feature knowledge rich sessions with experts from across the SAP spectrum. The day will also provide excellent networking opportunities across nine different breakout sessions, including machine learning, SAP Leonardo, AI and security & licensing. To find out more and book your place, please visit the event page.