Businesses that have been fortifying their computers against ransomware and other threats could be overlooking additional vulnerabilities within their ecosystem. While the office computers may be as secure as Fort Knox, IoT devices such as the copier, scanner, digital signage, parking lot security camera, or connected thermostat could be at risk, and hackers know this.
In fact, research released this month by cloud security firm Zscaler shows a 700 percent increase in attacks on IoT devices over the past year.
No people; plenty of IoT
The pandemic emptied offices, but IoT activity was still humming away despite the absence of personnel. Three-quarters of the IoT usage during this time, according to Zscaler’s research, was unencrypted. There is plenty of blame to go around for IoT vulnerability, cybersecurity experts say, from stretched-thin IT departments to low security standards in the manufacturing process.
“Manufacturers still do not place a premium on cybersecurity; it’s not as ‘sexy’ as having all sorts of other bells and whistles,” says Wayne Reed, a cybersecurity consultant in Atlanta. But lax security features on IoT devices are putting businesses and their customers at risk.
“Having a vulnerable IoT device is like waving a red cape at a bull. Eventually, it is going to charge,” Reed adds.
In a recent State of IoT Security article, IoT For All lamented that:
“Many IoT devices implement new protocols, platforms, and solutions that have not been thoroughly vetted for security issues, resulting in vulnerable products.”
Hackers are watching the cameras
Security cameras have been especially vulnerable IoT devices. What’s most dangerous about these devices is that even if hackers can’t move laterally inside a network, the camera itself can provide plenty of proprietary information and images to hackers. For example, footage from the cameras can be used for extortion, leaked images from inside manufacturing facilities can threaten proprietary patents, and cameras from medical facilities can compromise patient data.
“Security camera manufacturers simply haven’t kept pace. Ironically, the camera that is supposed to provide a business with a sense of security may be the most dangerous piece of equipment on a corporate campus,” Reed points out.
In March, this exact scenario played out when over 150,000 security cameras worldwide were hacked. The hackers breached a massive trove of security-camera data collected by Silicon Valley startup Verkada. Footage captured included outtakes from police departments, prisons and psychiatric hospitals.
“Security cameras are just another piece of the puzzle for already overworked MSPs that are trying to provide quality coverage to a client,” Reed says. MSPs also have the challenging task of persuading those in charge of the budget that IoT devices can pose a threat.
The State of IoT article spells out the disconnect:
“The average executive believes IoT devices make up 1 percent of their network; in reality, these devices actually make up about 43 percent of the access points. Gone are the days where PCs are your main concern.”
MSPs need to audit devices and explain to clients the threat posed by IoT. Clients then need to adjust their cybersecurity spending accordingly. Clients and MSPs must also make sure that passwords on IoT devices aren’t left at the default and that non-IT people don’t resort to lazy “1234”-type passwords. Data from manufacturing floor sensors or security cameras needs to be encrypted. Older IoT devices that are being replaced should be disposed of properly so that data isn’t exposed.
“Because IoT is on an explosive growth trajectory and hackers are constantly scoping out businesses for new entry points, MSPs need to constantly scan and audit clients’ campuses for newly connected devices,” Reed advises.
But, Reed adds, as with so many security threats, the biggest weapon is awareness.
“Most people just aren’t thinking about cybersecurity when they plug in the office coffeemaker. That needs to change,” Reed says.
Employees, Reed notes, need to be stakeholders in security. They must be shown how IoT can revolutionize office life, but also how it can threaten it.
Reed also shares that another way to mitigate threats is simply not to keep devices connected all day if they don’t need to be.
“If the digital signage in the lobby doesn’t need to be on when the business is closed, don’t leave it on after hours. Don’t leave the connected copier on when no one is there. Don’t leave the scanner on,” Reed advises. “You’ll save money on electricity, and it’s also impossible for a hacker to hack a device that is turned off.” You are shrinking the window of a possible hack significantly by unplugging unneeded devices.
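The audit points above (newly connected devices, default or weak passwords, unencrypted data, replaced devices, and equipment left on after hours) can be checked mechanically against an approved inventory. The following is an added example, not part of the original article; the record fields, MAC addresses, and business hours are constructed assumptions.

```python
from datetime import time

# Constructed sample data; all field names are assumptions for this example.
BASELINE = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
SNAPSHOT = [
    {"mac": "00:11:22:33:44:01", "kind": "copier", "creds": "unique",
     "encrypted": True, "last_seen": "14:05", "needed_after_hours": False},
    {"mac": "00:11:22:33:44:02", "kind": "camera", "creds": "default",
     "encrypted": False, "last_seen": "23:40", "needed_after_hours": True},
    {"mac": "AA:BB:CC:00:00:09", "kind": "signage", "creds": "unique",
     "encrypted": True, "last_seen": "02:15", "needed_after_hours": False},
]
OPEN, CLOSE = time(8, 0), time(18, 0)  # assumed business hours


def audit(baseline, snapshot, open_at=OPEN, close_at=CLOSE):
    """Return (mac, finding) pairs for one discovery snapshot."""
    approved = {m.lower() for m in baseline}
    findings, seen = [], set()
    for dev in snapshot:
        mac = dev["mac"].lower()
        seen.add(mac)
        if mac not in approved:
            findings.append((mac, "new-device"))
        if dev["creds"] in ("default", "weak"):
            findings.append((mac, "weak-credentials"))
        if not dev["encrypted"]:
            findings.append((mac, "unencrypted-data"))
        seen_at = time.fromisoformat(dev["last_seen"])
        after_hours = not (open_at <= seen_at < close_at)
        if after_hours and not dev["needed_after_hours"]:
            findings.append((mac, "online-after-hours"))
    # Approved devices that vanished: confirm they were retired and wiped.
    for mac in sorted(approved - seen):
        findings.append((mac, "missing-verify-disposal"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit(BASELINE, SNAPSHOT):
        print(f"{mac}  {finding}")
```

Run against each new discovery snapshot, the same approved list keeps surfacing devices that were plugged in without review and devices that disappeared without a disposal record.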
“Cybersecurity is an odds game. The more you can tilt the field in your favor, the less chance of an attack,” Reed concludes.
Photo: TippaPatt / Shutterstock