On 29th April, a landmark law came into force in the UK. The law (catchily titled the Product Security and Telecommunications Act) regulates the security of smart devices.
To the best of our knowledge, this makes the UK the first country to create cybersecurity standards targeting the internet of things (IoT). It’s a reminder that IoT brings risks as well as benefits. This post is all about those risks and how to manage them.
A quick definition of IoT
There’s a lot of debate about the name “internet of things”, but we don’t really need to get into that here. For our purposes, we’re using it in the popular sense – devices that exchange data over the internet.
It could be smart fridges, smart speakers or wearable tech. It could be anything from IP CCTV to building management systems that allow remote control of door access, heating, lighting and so on. The list goes on and on. They’re useful and convenient. But they’re also risky.
What are the security risks of IoT?
To state the obvious, IoT devices are connected to (you guessed it) the internet. So, that means they’re a potential gateway to the network they’re on, as well as any other device on that network.
In principle, this is no different from any endpoint within an office. But the difference is that many IoT devices simply don’t prioritise security. Weak default passwords, infrequent firmware updates and unencrypted communication are all too common.
This can make them an easy infiltration point, either by directly accessing the device or intercepting data it transmits. From this, they can go anywhere. They could access other devices on the network, potentially accessing highly confidential information or giving attackers leverage for a ransomware attack. On a grander scale, IoT devices could be used to execute a botnet attack.
So, the title of this (hacked via your fridge) is only half-joking. Even something as innocent as the office smart speaker can be a way in, especially if the network is unsegmented.
Cyber attacks via IoT devices – a real-world example
There are many real-world examples of attacks via IoT devices. One of the most significant is the Mirai botnet.
Mirai is a piece of malware that scans for and infects vulnerable IoT devices. From there, it uses them in botnet attacks. In 2016, it attacked DNS provider Dyn, in one of the most significant DDoS attacks in history. This made hundreds of websites inaccessible, including some major ones like GitHub, Twitter, Reddit, Netflix and Airbnb.
It’s an example that shows just how far these attacks can go. It didn’t just affect Dyn, but their client base too, with huge financial and reputational cost. This should be food for thought for any business.
What should MSPs do?
The most important thing for MSPs is visibility of customers. Asset-tracking and full network inventories are a must.
This sounds obvious, but it’s always a challenge for MSPs. Your customers don’t always report every device to you, or even see it as a threat. Of course, it’s not just what the devices are, but where they are. The tablet in a director’s electric car might be logged into business-critical software via an unsecure 4G connection.
It’s a potential problem, and the reality is that a business will likely hold their cybersecurity provider responsible if they’re attacked. There are many ways of managing the risks. Heimdal provides excellent asset-tracking. Sendmarc will massively improve email and domain security, preventing IoT devices from compromising email accounts.
An opportunity for the channel
Those are just two examples of how Brigantia vendors can help. We’d be more than happy to advise on any specific cases. As far as the channel is concerned, we should see this as an opportunity.
It’s our collective job to educate businesses on the risks these devices can pose. By doing this, we can continue to bolster security, increase customer loyalty, and increase recurring revenue streams.
Unsure of how to go about this? Get in touch and we’d be delighted to advise on an approach.
