It was a CIO’s worst nightmare. In October, an “old-school” cyberattack — distributed denial of service — took down prominent websites including Netflix and Twitter.
However, unlike previous attacks, this one took a new approach: hacking thousands of consumers’ internet-connected devices. In this new age of cyberattacks, web-connected devices like DVRs, appliances and cameras have become more than consumer goods; they have become weapons.
If we have learned one thing about security in the age of smart, connected devices, it is that no one is immune to data breaches. Security is an ongoing concern for anyone leveraging IoT technology in their operations. Every additional device or connection opens up another possible point of entry for real users and also for those with malicious intent.
Health care organizations are especially vulnerable. In 2015, three of the seven largest data breaches on record were health care related, with the Anthem breach taking the top spot overall, affecting nearly 80 million people and costing an estimated $37 billion.
Financial and payment systems also are at risk. Target’s payment terminal breaches affected hundreds of thousands of dissatisfied customers and forced the company to spend millions of dollars on technology upgrades.
Cyber criminals are increasingly targeting any company with access to lucrative personal data like Social Security numbers, birth dates, e-mail addresses, payment histories or medical records. Home networks also can be hacked through poorly secured IoT devices (such as connected light bulbs), but the risks are limited to the individual.
That is not the case for large organizations. As dozens of firms already have experienced, data breaches and cyberattacks are more than just a security problem. A data breach can have long-term detrimental effects on your business in terms of shareholder confidence and corporate reputation.
Now that several major retailers and health care organizations have come forward as victims of cyberattacks, other organizations need to take a close look at their own security practices and networks to mitigate security risks where they can.
Why are large organizations susceptible?
Many organizations rely on legacy systems and have not invested in security at the same rate as the growing threats they face. To complicate matters, the rise of digital technology means devices aren’t just connected to the internet; they are often connected directly to the organization’s network, establishing easy access to data that seems sufficiently protected. When vulnerabilities are exposed in connected devices or their networks, both can be breached.
There are three basic ways hackers gain access:
1. Malware: Malware can infect an organization’s network using the IoT device as the point of entry. Once a network or system is breached and infected, it is easy for the hackers to take what they want for as long as they want until the hole is plugged. Cisco recently reported that in 60 percent of data breaches, data is stolen within hours. Worse: 54 percent of breaches are not discovered for months, leaving the security hole open.
2. Software updates: If your users are not updating their software to the latest version, they could be missing necessary patches or fixes, leaving their device and network vulnerable.
3. Lack of basic safeguards: Some devices do not initially include strong access controls or authentication processes. This allows hackers to easily gain unauthorized access to these devices or networks.
What can you do about it?
Most organizations already must comply with regulatory bodies on protecting data like transaction information and patient privacy records.
But while these regulations require security to be addressed, they don’t tell you what safeguards to implement specifically.
In today’s competitive landscape, where barring digital technologies is not an option, organizations need to understand their devices’ vulnerabilities and take the necessary steps to mitigate security risks.
Your corporate firewall is no longer enough. Integrating security into product design is not an easy task — but it is a necessary one. There is no one-size-fits-all solution, so it is essential that security is looked at holistically from the start to ensure the device, as well as all devices and applications it interfaces with, are built securely by default.
Here are some of the best practices:
• Leverage secure boot, authentication, encryption and anti-tamper technology in product design;
• Use protocols and embedded firewalls for secure communication;
• Enable device visibility based on remote command audits and event reporting;
• Utilize remote policy management and integrated security management systems;
• Develop policy-based filtering to provide a critical missing layer of security for medical devices;
• Consider limiting the number of device interfaces;
• Deploy mechanisms that require physical proximity to authorize critical functions.
Life cycle risk management
Because cybersecurity risks are continually evolving, it is not possible to eliminate all risks in the design and development of the device alone.
Updating operating systems regularly is an important part of your ongoing security strategy. Hackers target vulnerabilities in operating systems, and regularly installing updates helps close those holes and protect your data.
We recommend developing a policy of notifying users of important software and security updates and enforcing update requirements as necessary.
In the race to market with new devices, security is often an afterthought, turning you into your own worst enemy. To be successful and reduce the chances of a potential breach, organizations must identify their security risk, balance that risk with device functionality and create a plan for complete security life cycle management.
Jason Voiovich is chief customer officer at Twin Cities-based Logic PD.