Why consumer IoT is now a serious threat to the business
Consumer IoT has long held a reputation for poor security standards. Homes today are filled with connected devices. It’s not just smart speakers, it’s app-enabled espresso machines and wifi-connected security cameras. In fact, consumer electronics will account for 63% of all installed IoT (Internet of Things) units in 2020, according to Statista.
These devices are in great demand and saw a surge in adoption amid lockdowns earlier in the year. Manufacturing IoT devices is therefore lucrative, and consumers are increasingly purchasing cheaper low-end devices. Unsurprisingly, security standards aren’t particularly high.
In the business world so far, the vulnerabilities and security pitfalls of consumer IoT haven’t been much of a problem — privacy-savvy execs might have stretched to turn off the office Alexa during a particularly sensitive meeting. But with only a third of workers set to return to the office by fall, the worker’s home has become the workplace itself; if it’s awash with unsecured IoT, that’s a serious cybersecurity issue. 15% of IoT device owners still use default passwords, so chances are high that most businesses have at least one employee with a vulnerable device — a cyber attacker only needs access to one.
“The majority of IoT devices purchased for the home are relatively cheap and little effort is made to protect them at a hardware or software level at this end of the spectrum by manufacturers,” Darryl Jones, Director of Product Management for IoT, at digital identity specialist ForgeRock told TechHQ.
“From poor credential management, aging firmware, and redundant access points left in consumer devices to infrequent security updates, these are often insecure from the outset.”
In 2020, CISOs and their equivalents have been blindsided by a spike in attempted cybercrime. Phishing emails leveraging the circumstances have surged, while a sudden migration of the workforce to remote work led to a proliferation of new endpoints to protect. As businesses and workforces have gone online, criminals have followed in droves.
At the same time, in 2019 alone, cyberattacks on IoT devices were up 300% and are likely to have continued growing.
The most infamous example of IoT device vulnerability was the wave of Mirai botnet DDoS attacks in 2016, which, at one point, took down internet access on the whole east coast of the US. The US government initially suspected a rogue nation-state, but the culprit turned out to be a network of 400,000 compromised consumer IoT devices weaponized by a disgruntled Minecraft player.
So, why were business leaders caught off-guard by the threat of consumer IoT?
“Simply put, the pandemic changed the landscape. They were playing chess, now they need to play checkers,” said Jones. “Device vulnerability has been there all along, but the huge increase in numbers of WFH employees and the increase in all things digital due to the pandemic has increased the severity of the problem by an order of magnitude.
“Although CISOs have been working for years to secure their devices and networks, these changes present new and complex challenges for business leaders and CISOs alike.”
Jones suggests that revised cybersecurity strategies geared to a future of distributed working must account for increased threats not just in the area of Bring Your Own Device (BYOD), but also in other employee-owned devices that can access the network.
“Businesses should explore new in-home technologies that allow for corporate network segregation so that a breach in the part of the network which contains consumer devices doesn’t contaminate the part used for corporate purposes,” said Jones.
One approach is for businesses to mandate that private wifi networks are created to host corporate devices only — this is guidance that the FBI has given repeatedly in the US. Governments must also outline codes of best practice or, better yet, legislation when it comes to IoT device security. Last year, Finland became the first European country to certify safe smart devices, where products that meet the required standard are awarded a clearly visible ‘Cybersecurity label’.
“Having a unique digital identity should be the new security baseline as it can be used to help protect workplace devices, and existing or new in-home consumer devices. Additionally, adopting a Zero Trust or CARTA security model can help in this new normal by enforcing security at every interaction and understanding normal device and user behavior to identify suspicious interactions,” said Jones.
“Businesses should also adopt new enterprise security policies and employee training that require the use of private networks, and limit usage of those networks to corporate devices.”
“Early intrusion detection is also still crucial. Companies should add solutions to detect anomalies, including when a new device is connected to the network, as well as other monitoring solutions — endpoint, behavioral, network…”
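The “new device connected to the network” anomaly that Jones describes can be checked in a few lines against a router’s DHCP log. The following is an added example for this article, not code from ForgeRock or any vendor: it parses constructed dnsmasq-style DHCPACK lines (the log format, the MAC addresses, the hostnames and the corporate-device baseline are all hypothetical), compares each leased MAC against a baseline of registered corporate devices, and reports every previously unseen device once.

```python
"""Flag previously unseen devices in DHCP lease logs (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample log lines in a dnsmasq-style DHCPACK format
# (hypothetical home router; values are made up for this example).
SAMPLE_LOG = """\
Sep 14 08:01:12 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.10.20 aa:bb:cc:11:22:33 corp-laptop
Sep 14 08:03:45 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.10.21 aa:bb:cc:44:55:66 corp-phone
Sep 14 08:10:02 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.10.37 de:ad:be:ef:00:01 espresso-3000
Sep 14 08:12:30 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.10.20 aa:bb:cc:11:22:33 corp-laptop
Sep 14 08:15:09 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.10.38 de:ad:be:ef:00:02
"""

# Baseline of devices the employee registered as corporate (constructed).
KNOWN_DEVICES: Set[str] = {"aa:bb:cc:11:22:33", "aa:bb:cc:44:55:66"}

# One DHCPACK line: interface, leased IP, client MAC and an optional hostname.
LEASE_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


def parse_leases(log_text: str) -> List[Dict[str, str]]:
    """Extract lease records from raw log text; lines that are not DHCPACKs are skipped."""
    leases: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LEASE_RE.search(line)
        if not match:
            continue
        record = match.groupdict()
        record["mac"] = record["mac"].lower()          # normalise for set lookups
        record["host"] = record["host"] or "<no hostname>"  # clients may omit it
        leases.append(record)
    return leases


def find_new_devices(leases: List[Dict[str, str]], known: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per MAC that is neither in the baseline nor already reported."""
    reported: Set[str] = set()
    alerts: List[Dict[str, str]] = []
    for lease in leases:
        mac = lease["mac"]
        if mac in known or mac in reported:
            continue
        reported.add(mac)
        alerts.append({"mac": mac, "ip": lease["ip"], "host": lease["host"]})
    return alerts


def main() -> None:
    for alert in find_new_devices(parse_leases(SAMPLE_LOG), KNOWN_DEVICES):
        print(f"NEW DEVICE: {alert['mac']} leased {alert['ip']} as {alert['host']}")


if __name__ == "__main__":
    main()
```

On the constructed input this reports the espresso machine and the hostname-less client and stays silent on the two baseline devices, even though the laptop renews its lease. A MAC baseline is only a first filter: phones and laptops that randomise their Wi-Fi MAC per network will show up as "new" on each rotation, and a device can spoof a baseline MAC, so in practice this check should feed a broader picture (certificate-based device identity, behavioural monitoring) rather than stand alone, which is the layered approach Jones recommends.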