When it comes to IoT, there’s no limit to the thoughts from experts and security professionals about strategies for adapting to the rapidly changing connectivity landscape in the average office. This landscape is changing daily.
One statement we can make with certainty is that increased connectivity leads to increased security needs, and that provides a significant opportunity for MSPs. For instance, Gartner predicts that by 2020, IoT security will make up 20 percent of annual security budgets.
MSPs should be positioning themselves for a slice of this increased spending pie by offering specific pricing packages that specifically include IoT. MSPs need to educate clients about the inherent risks in IoT. That innocuous-looking coffee pot could bring down the whole company.
Earlier this year, Smarter MSP caught up with University of Hawaiʻi – West Oʻahu’s Information Security and Assurance faculty to discuss specific threats to IoT devices. The university, which was recently ranked in the top 3 percent of cybersecurity programs by a leading firm, sat down with us again this week to continue the discussion with a more general look at the IoT landscape.
How has IoT changed the security landscape?
MSPs used to just concern themselves with one or two attack vectors from hackers, but the arrival of IoT has upended that calculus. The introduction of any new computing device has the potential to increase the attack surface of a network and its connected systems.
In the case of widespread adoption of IoT devices, the attack surface has increased considerably due to the quantity and diversity of IoT devices. This diversity creates a complex challenge for information technology and security professionals.
In addition to connected printers, security cameras, and locking mechanisms, you also have more and more people bringing their own devices (BYOD) into the workplace, connecting them, and that adds even more layers of complexity.
How do MSPs defend customers in an IoT world?
A principal differentiator between the ability to effectively mitigate threats posed by IoT, relates to the complexity of the quantity and diversity of device characteristics. The different implementations of hardware and software impact the complexity of security solutions. Information security strategies for IoT also need to adapt to reduce the attack surface and vectors for enterprise environments.
The design of IoT devices that include internal web services and applications to facilitate remote functionality increases the potential for exploitable vulnerabilities, which creates a multi-layered security challenge. An additional security consideration for MSPs defending IoT is cyber-physical systems where sensors and actuators may introduce other physical risks.
The biggest threat is employees connecting to the office network IoT devices with software vulnerabilities that can be exploited by hackers. IoT devices are convenient and solve specific problems (environmental monitoring, cameras, health monitoring, etc.) at a reasonable price. This makes them very attractive and easy to deploy in an environment for any user leading to the prediction of billions of IoT devices to be on the Internet in the coming years.
However, there is no assurance that the software on these devices is free from vulnerabilities that can be exploited by a hacker. Most of the time, users and manufacturers treat IoT devices like toasters and “set it and forget it,” leaving potential software vulnerabilities exposed to the Internet for years. This is the type of threat that increases the risk that a business will become a victim of ransomware and a significant data breach.
Why are certain devices targeted?
The targeting of specific IoT devices may depend on several factors. These include the intended objectives of adversaries, the popularity of the device in the market (cameras, temperature monitors), and the level of effort required to compromise of a specific class or type of device.
Other factors may impact the design and security of IoT devices. These include cost, size, processing and storage capacity, and power consumption, where hardware and software designers prioritize and balance desired functionality with business factors and risk.
In instances where IoT devices represent a target of opportunity, the level of insecurity often corresponds to a software programming design error that introduces software vulnerabilities capable of being exploited by adversaries.
These vulnerabilities could result in the broader impact for devices that share the same software code base. This condition highlights the importance of prioritizing security considerations in the software development process.
Moving forward, it’s clear that IoT-connected devices will require special cybersecurity attention. MSPs can be the ones that provide the attention, allowing their SMB partners to focus on running their business.
Photo: optimarc / Shutterstock
