No matter how much cybersecurity professionals warn organizations about the potential cybersecurity threats associated with deploying any kind of Internet of Things (IoT) devices, it usually takes some real-life examples impacting consumers in a high profile way to really garner the attention of business executives.
This week multiple reports surfaced showing how hackers are compromising video surveillance systems from Ring, a unit of Amazon, to verbally harass people in their homes. Widespread media coverage of these breaches is suddenly making everyone much more aware of the potential risk. Last month, a field office of Federal Bureau of Investigations (FBI) in the U.S. further raised awareness by issuing a bulletin reminding consumers that Smart TVs that connect to the Internet also often come with built-in cameras.
Greater awareness of these issues should make it easier for cybersecurity professionals to encourage organizations to be more proactive about cybersecurity. The results of a survey of IT and business shared this month by Twilio and ReadWrite Labs finds 94% of respondents are considering, evaluating or implementing IoT projects. Only 28% of respondents said their organizations have deployed an IoT solution, so there is still plenty of time for cybersecurity teams to avert a potential catastrophe.
A recent survey of more than 3,000 IoT decision-makers published by Microsoft suggests organizations are now at least starting to fully appreciate the scope of the IoT cybersecurity challenge. A full 97% of the survey respondents admitted they have security concerns when implementing IoT. Alas, those concerns don’t appear to be holding back IoT projects. A total of 85% of the survey respondents have implemented at least one or more IoT projects.
Undoubtedly, there will be a spate of IoT cybersecurity regulations that will soon be proposed or advanced now that breaches impacting voters are starting to generate headlines. Most recently, the government of Australia posted a draft of a proposal for establishing a set of best practices for IoT cybersecurity. A law passed by the state of California mandating that all devices connected to the Internet must have “reasonable cybersecurity measures embedded.”
From a cybersecurity perspective, such initiatives are generally a good thing. However, what precisely is a reasonable cybersecurity measure may be in the eye of the beholder. As always, however, cybersecurity professionals will need to make sure their organizations appreciate the fact that there is a world of difference between checking a compliance box and truly being secure.
In the meantime, the one thing that should be apparent to all by now is that the attack surface that now needs to be defended across an enterprise has been greatly extended. Cybercriminals are well- aware of the opportunity IoT devices present them. It’s easy to see how a single breach of an IoT device could compromise an entire enterprise. Hopefully, organizations will be savvy enough to segment IoT networks in a way that limits the potential havoc that can be wrecked by a single breach.
In the meantime, cybersecurity professionals should be paying close attention to how consumer devices are being compromised because it’s only a matter of time before the same techniques are applied to industrial IoT environments.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.