On Oct. 21, 2016, a wide variety of websites and web services suffered major disruptions. People across the U.S. and various European countries suddenly had trouble accessing business cloud services, completing online transactions, updating their social media accounts, and following the news. Twitter, Amazon, Netflix, Yelp, and PayPal were among the sites that became unavailable for hours.
These disruptions inconvenienced people and interfered with important business activities, resulting in costly delays. What was the cause?
Throughout that day, Dyn Inc. suffered distributed denial-of-service attacks. Dyn is a company that provides domain name registration and other important online services. Hackers carried out the attacks by sending huge volumes of fake web traffic to Dyn's servers. How did they manage to do this?
They deployed a strain of malware that helped them find and control poorly protected internet-connected devices, including security cameras and DVRs. The malware enabled them to recruit these devices to launch overwhelming traffic at Dyn’s servers. Websites and services depending on Dyn experienced disruptions as a result.
This is just one example of how the cyber security vulnerabilities that riddle the Internet of Things can lead to major problems. When internet-connected devices are hacked, individuals, businesses, and communities risk serious financial losses and compromised privacy and safety.
Why cyber security for the Internet of Things is critical
The IoT encompasses numerous objects, including security cameras, automobiles, TVs, refrigerators, thermostats, wearable technologies, and industrial sensors. These objects can collect, process, and share data.
Gartner Inc. predicted that 8.4 billion connected objects would be used around the world in 2017. The prediction for 2020 is 20.4 billion objects. Businesses drive approximately 57 percent of overall spending on IoT devices.
The IoT offers important advantages, including the potential for improved accuracy, efficiency, decision-making capabilities, cost savings, and growth in profit. Internet-connected industrial sensors, for example, help manufacturers carry out repairs and maintenance in a timely way, preventing emergency breakdowns that stall or slow down operations. The IoT can lower the rate of human error and reduce the amount of wasted materials and unnecessary effort for a given task.
Businesses and individual consumers can also benefit from the conveniences of the IoT. Connected devices perform various functions automatically, such as adjusting the temperature of a home or office during different times of the day. Once they’re set up, these devices can operate with a great deal of independence.
However, it’s important to realize that these advantages may be undermined by serious weaknesses in security. Before you add yet another connected device to your business or home network, you need to become informed about the risks and possible security solutions.
What are some of the security risks for the IoT?
The IoT is vulnerable to a variety of threats. Hackers may seize control of devices to compromise privacy, gain access to sensitive data, or launch a costly, disruptive attack that shuts down business operations. If connected devices aren’t configured properly, you may be unwittingly and unnecessarily exposing confidential information to the public or to specific entities, including corporations.
IoT technologies often have an insecure interface with various web and cloud services and with mobile applications. The attack on Dyn, for example, involved hackers scanning for internet-connected devices that had open, poorly protected ports. The devices were easy to discover and infect with malware. Weak login credentials, compromised data encryption, and a lack of firewalls are common IoT vulnerabilities that need to be immediately addressed.
Manufacturers often apply lax security standards and produce devices that contain serious security flaws, including a strong susceptibility to physical tampering. Manufacturers may also not release necessary updates or upgrades to software and firmware. Even as hackers discover vulnerabilities to exploit, the devices remain unchanged. These kinds of security flaws allow hackers to easily bypass login credentials, giving them the ability to shut down or control devices, spread malware, and obtain various kinds of data. That data can include passwords, personal identifiers, financial and health information, intellectual property, details about the inner workings of a business, and video footage displaying the interior of homes and businesses.
Code written with serious security vulnerabilities may be used repeatedly across devices. One example is Devil’s Ivy, a code vulnerability recently found in a variety of IoT products, chiefly security cameras. Another consideration is how different devices interact in a network. For example, if hackers gain control of one device, will they then be able to access other systems or spread malware to other devices you rely on?
There are multiple threat vectors. Vulnerabilities get introduced in device manufacturing and supply chains. Third-party software may contain serious security holes. Vulnerabilities also arise when organizations and individuals configure devices improperly and fail to implement comprehensive solutions for network and device security.
One key security strategy involves strong user authentication practices, including restricting access so that unauthorized employees cannot log in. A 2016 study found that roughly 60 percent of security breaches originate from employee behavior. To help deal with both malicious action and occasions of error or neglect, it’s critical to limit login capabilities in effective ways and provide employees with training for safer computing practices.
Businesses also need to be able to reliably detect intrusions and unauthorized activities on their network. On average, businesses can take 191 days to detect an attack and 66 days to clean up the resulting mess. Evaluating the risks you face and the likeliest points of entry for attack will help you devise more effective security measures, such as round-the-clock network monitoring. Proactive measures that prevent or mitigate attacks are more effective than a purely reactive approach.
What are the costs of poor security?
According to the 2017 Ponemon Cost of Data Breach Study, the average cost of a data breach worldwide is $3.6 million, and the average cost of each stolen record containing sensitive information is $141. For U.S. businesses, the average cost of a data breach is over $7 million. In Canada, it’s roughly $5.78 million.
There are a variety of reasons for the steep costs. Companies permanently lose data and suffer delays in business operations. They spend time and money on restoring services and addressing the security flaws that resulted in the breach. They experience a loss of reputation and customer trust. Customers leave them for competitors and bring lawsuits against them for revealing confidential data. They face fines for failing to comply with regulations for their industry. Depending on the information that was stolen, both customers and employees may become victims of identity theft and other criminal activities.
Because they don’t have the resources and resilience of larger enterprises, smaller businesses are especially vulnerable to attacks. Approximately 62 percent of attacks are aimed at small or medium-sized businesses, and roughly 60 percent of smaller companies won’t be able to stay in business more than six months after a breach.
When you rely on an increasing number of connected devices, you take on a greater number of weaknesses for hackers and other unauthorized parties to exploit. Research different devices, and develop an understanding of their quality, the vulnerabilities in their hardware and software, and the most secure ways to configure them. Perform a thorough audit of your devices and systems to identify the vulnerabilities in your network and the greatest risks for a security breach. Furthermore, determine which assets need the strongest protection. With this information, you can draw up IoT policies for your company and implement effective strategies for improving security. You’ll be able to reduce the chances of a successful breach, detect and respond to attacks more quickly, and prevent ruinous financial losses.
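One way to start the audit described above is to score a device inventory against the weaknesses this article names (exposed ports, factory logins, missing firmware updates, no firewall) and weight each score by how important the asset is. The following is an added example, not part of the original article; the device names, field names, port list, age threshold, and weights are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values; adjust to your own environment.
RISKY_PORTS = {21: "ftp", 23: "telnet", 554: "rtsp"}  # should not face the internet
MAX_FIRMWARE_AGE_DAYS = 365
WEIGHTS = {"exposed_port": 3, "default_credentials": 4,
           "stale_firmware": 2, "no_firewall": 2}

@dataclass
class Device:
    name: str
    criticality: int           # 1 = low value, 3 = needs the strongest protection
    internet_ports: list       # ports reachable from outside the network
    default_credentials: bool  # factory login never changed
    firmware_date: date        # release date of the installed firmware
    behind_firewall: bool

def findings(dev, today):
    # Return (weakness_key, message) pairs for one device.
    out = []
    for port in dev.internet_ports:
        if port in RISKY_PORTS:
            out.append(("exposed_port", f"{RISKY_PORTS[port]} port {port} open to internet"))
    if dev.default_credentials:
        out.append(("default_credentials", "factory login still enabled"))
    age = (today - dev.firmware_date).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        out.append(("stale_firmware", f"firmware is {age} days old"))
    if not dev.behind_firewall:
        out.append(("no_firewall", "no firewall in front of device"))
    return out

def audit(inventory, today):
    # Rank devices by weakness score multiplied by asset criticality.
    report = []
    for dev in inventory:
        found = findings(dev, today)
        score = sum(WEIGHTS[key] for key, _ in found) * dev.criticality
        report.append({"device": dev.name, "score": score,
                       "findings": [msg for _, msg in found]})
    return sorted(report, key=lambda row: row["score"], reverse=True)

# Constructed sample inventory (not real devices).
TODAY = date(2017, 9, 1)
INVENTORY = [
    Device("hvac-thermostat", 1, [], False, date(2017, 6, 1), True),
    Device("lobby-camera", 2, [23, 554], True, date(2015, 3, 10), False),
    Device("line-sensor-gateway", 3, [443], False, date(2016, 1, 15), True),
]
if __name__ == "__main__":
    for row in audit(INVENTORY, TODAY):
        print(row["score"], row["device"], row["findings"])
```

Devices at the top of the ranking are the first candidates for reconfiguration, patching, or replacement.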