IoT Security in Businesses - Is it Important?
I love my Amazon Echo. I love that it can connect to the smart lightbulbs in my house, and all I have to do is say “Alexa, turn on living room lights” to turn them on. I also love my Ring camera. There’s nothing like knowing I can keep an eye on my cat while I’m away from home. Internet of things (IoT) devices make going through everyday life more convenient and comfortable. The same applies to businesses—using IoT devices in the workplace can add a whole new layer of convenience and efficiency to everyday operations. This convenience does come with a tradeoff, though. IoT devices pose a notorious risk to security because most do not come with built-in security features, and the diversity of IoT devices in businesses increases potential for attacks considerably.
IoT devices are not limited to devices like an Amazon Echo or smart lightbulbs. IoT devices can include things like printers, fitness trackers, some medical devices, security systems, routers, and many other types of devices that are frequently found in homes and offices. If your business has a SimpliSafe security system with a base and cameras that connect to Wi-Fi, that base and those cameras are all IoT devices. If the wireless printer at your desk uses Wi-Fi to function, that printer is an IoT device. Typically, these devices can be accessed and managed remotely through some software or web application. Remote access is extremely convenient and helpful in a pinch, but also means anyone can attempt to access your device. Having IoT devices connected to a network without proper security can significantly increase the risk of attack, which could lead to disaster.
In her article How to Secure IoT Devices, Lauren Ballejos with NinjaOne says that uninformed users may add an IoT device to their environment without ensuring proper security, assuming the device is already secured. IoT devices are generally not built with security in mind, so they often do not have built-in security features like encryption, strong authentication and authorization practices, and frequent software and firmware updates (Fortinet, What is IoT Security? Challenges and Requirements). In addition, when firmware and software updates are available for these devices, they often need to be applied manually, making them easier to overlook than other devices on the network, like PCs (Ballejos).
Threat actors can use the unsecured IoT device as an access point to the network, or they can launch an attack on the device that can spread to other devices on the network. Often, these devices are susceptible to attacks like Man in the Middle (MITM) attacks, where the unencrypted information being transmitted between the device and another device or application is intercepted. The intercepted information can then be accessed by the threat actor before being delivered to its intended destination. MITM attacks are just one of many examples of how these devices can be exploited.
Often, IoT devices use default usernames and passwords straight out of the box. Changing the default username and password as soon as possible is an excellent first step to take when introducing a new IoT device to an environment. Encrypting connections wherever possible is another way to ensure threat actors are unable to access sensitive information being transmitted across devices and applications. Choosing to purchase IoT devices from vendors who prioritize security in their product designs can also reduce the risk of a device being compromised (Ballejos).
Network segmentation should also be used to separate IoT devices from critical data and systems (Ballejos). Network segmentation entails splitting a network into smaller networks called subnets. Separating IoT devices from critical parts of the system allows traffic to be isolated more easily. If a threat actor manages to compromise an IoT device, they will be limited in the information they are able to access, since the device is not connected to the critical parts of the network.
Keeping close track of device inventory and removing any unused IoT devices from the IT environment is also imperative. Keeping track of devices allows a company to ensure all endpoints on the network are secured properly. Once all devices are accounted for, monitoring tools can be used to watch for unusual activity and for unauthorized (rogue) devices that have entered the network. Unused devices can be easy to overlook—devices that are out of sight tend to easily fall out of mind. Failing to patch unused devices puts them at higher risk than up-to-date ones, because it allows attackers to use known exploits to compromise the device. Active devices should be updated as soon as the updates are available (Ballejos).
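As an added illustration of the segmentation and inventory checks described above (not code from the original article or from Ballejos), the following Python example reconciles an approved device inventory against devices observed on the network. It flags rogue devices, devices sitting in the wrong segment, devices that have gone unused, and inventoried devices that were never seen. The subnet, MAC addresses, dates and 30-day threshold are constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample data: subnet, MACs, dates and threshold are assumptions.
IOT_SUBNET = ipaddress.ip_network("10.20.30.0/24")  # segment reserved for IoT
STALE_AFTER_DAYS = 30  # unseen for longer than this: treat as unused

# Approved inventory: MAC -> (description, is_iot)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby camera", True),
    "aa:bb:cc:00:00:02": ("office printer", True),
    "aa:bb:cc:00:00:03": ("finance workstation", False),
    "aa:bb:cc:00:00:04": ("old badge reader", True),
    "aa:bb:cc:00:00:05": ("conference room TV", True),
}

# Observed devices, e.g. exported from DHCP leases: (MAC, IP, last seen)
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.20.30.11", date(2024, 6, 1)),
    ("AA-BB-CC-00-00-02", "10.10.0.57", date(2024, 6, 1)),   # printer on corporate subnet
    ("aa:bb:cc:00:00:03", "10.10.0.20", date(2024, 6, 1)),
    ("aa:bb:cc:00:00:04", "10.20.30.14", date(2024, 3, 2)),  # unseen for months
    ("de:ad:be:ef:00:99", "10.20.30.80", date(2024, 6, 1)),  # not in inventory
]

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

def audit(inventory, observed, today):
    """Return MACs grouped by finding: rogue, missegmented, stale, missing."""
    findings = {"rogue": [], "missegmented": [], "stale": [], "missing": []}
    seen = set()
    for mac, ip, last_seen in observed:
        mac = normalize_mac(mac)
        seen.add(mac)
        if mac not in inventory:
            findings["rogue"].append(mac)  # unauthorized device on the network
            continue
        is_iot = inventory[mac][1]
        in_iot_net = ipaddress.ip_address(ip) in IOT_SUBNET
        if is_iot != in_iot_net:  # IoT outside its segment, or non-IoT inside it
            findings["missegmented"].append(mac)
        if (today - last_seen).days > STALE_AFTER_DAYS:
            findings["stale"].append(mac)  # candidate for removal
    findings["missing"] = sorted(set(inventory) - seen)  # inventoried, never seen
    return findings

if __name__ == "__main__":
    print(audit(INVENTORY, OBSERVED, date(2024, 6, 2)))
```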
Lastly, securing the technology is not enough. Security awareness and best practices training is crucial in keeping a business’s systems secure. Verizon states in its 2024 Data Breach Investigations Report that 68% of breaches were caused by non-malicious human elements, like an employee making a mistake. Having clear and strong cybersecurity policies, including policies regarding the use of IoT devices, is imperative. Training users helps a company to enforce cybersecurity policies effectively, and helps to reduce the potential of a very costly mistake.
Do you have IoT devices in your business environment that need to be secured? Contact us at SKBinfo@skbcyber.com, or visit us at skbcyber.com to request a free consultation!