After years of hype, anticipation, and steady uptake, the Internet of Things (IoT) seems poised to cross over into mainstream business use. The number of businesses that use IoT technologies has increased from 13% in 2014 to about 25% today. The worldwide number of IoT-connected devices is projected to increase to 43 billion by 2023, an almost threefold increase from 2018.
McKinsey notes that as IoT becomes easier to implement, it will open the door for wider adoption by enterprises spanning industry, business focus and even the size of the organisation.
IDC forecasts IoT investments to grow at 13.6% per year through 2022.
To be clear, IoT is not limited to smart devices such as wearables and smartphones. IoT can be found in climate control, traffic systems, medical practice and even in education. The issue is this: given the disparity in device use and in the extent to which these connected devices have intelligence built into them, how do you keep the enterprise secure?
Vulnerabilities that come with IoT
A major bank heist in Asia a few years back was brought about by cybercriminals' discovery of an old router in the bank’s datacentre. In that instance, the router – an IoT device – had unpatched firmware, which made it vulnerable to hacking. And that was what happened. But Jonathan Jackson, director of engineering, APAC at BlackBerry, is more worried about something that more current generations of IoT technology can do, and are doing in some use cases: capturing and storing data.
That IoT devices store data is not a new or novel thing. Our smart devices, phones, watches, headsets and earpieces, are all IoT devices and many store data. Jackson says it is the storing of data and information which has an impact on consumers with regard to their data, and obviously, their privacy.
IoT and consumer IoT devices have found a place in our home network. This has, according to Jackson, effectively become a big problem for enterprises during the COVID situation where everybody is working from home.
“It now means that the home is becoming a new kind of makeshift enterprise. And that is a big challenge for enterprises, who are struggling with an expanding threat footprint, trying to protect data and devices, and assets and people.”
According to Jackson, this has the spillover effect of an acceleration in threat actor activities.
“They (threat actors) have now got multiple avenues for an attack at their disposal. Previously, everything was protected by an enterprise in a powerful set of security controls and measures. But suddenly that has been eroded and taken away overnight because now everybody is suddenly accessing corporate information and accessing data on an unsecured potential home network. And that is a big problem for a lot of companies out there today,” he surmised.
What’s with the Cybersecurity Labelling Scheme
The Cyber Security Agency of Singapore (CSA) has launched the Cybersecurity Labelling Scheme (CLS) for consumer smart devices, as part of efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore's cyberspace.
Under the scheme, smart devices will be rated according to their levels of cybersecurity provisions. This will enable consumers to identify products with better cybersecurity provisions and make informed decisions. The scheme hopes to become an incentive, in and of itself, for device manufacturers to develop more secure products, even as they respond to shorter time-to-market cycles.
According to Jackson, Singapore’s CLS is along the lines of other frameworks such as in the UK. He lauds the effort and says it will give consumers insight into the potential protection and the security controls that are provided. It will also identify which manufacturers are taking security seriously.
“We know that IoT devices are usually created with – from a consumer perspective – to be functional, capable, very productive devices – just get things done with slick UI and design. Often security is not even thought about. If it is, it needs to be bolted on right at the end. And that is a big challenge. Initiatives, like CLS, are going to help to address consumer confidence in IoT devices that are coming into our homes and enterprises,” he commented.
IoT in the WFH – a CIO/CISO concern
Jackson noted that in Australia, homes typically have different smart devices connected to a flat network. With people now working from home, that same home network now has access to corporate data.
One technique that may be deployed in WFH environments is micro-segmentation – a technique used in data centres to create logically distinct security segments down to individual workload levels and define security controls and security services for each unique segment.
Here Jackson brings in the idea of zero trust – making sure access to data and networks is limited to only authorised devices, and that those devices go through the authentication process each time a request is made.
Zero trust has been highlighted by the FBI as an IoT best practice, but Jackson acknowledged that implementing it is a big challenge for organisations today, especially in this COVID-19 world that we are currently living in.
He warned that threat actors are actively looking for opportunities with the least resistance, and unfortunately, some IoT devices present unsecured, open opportunities on the internet – a way to backdoor into a home network that has corporate data on it. The Mirai botnet attack is an example of such a threat.
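The micro-segmentation and zero-trust ideas described in this section can be sketched as a default-deny gateway check: a flow must be on the segment allow-list, and the device must prove itself on every request. This is an added example, not code from the article or from BlackBerry; the segment ranges, device id, key and the `Gateway` class are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed segments for a home network that also reaches corporate data.
SEGMENTS = {
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "work": ipaddress.ip_network("192.168.30.0/24"),
    "corp": ipaddress.ip_network("10.50.0.0/16"),
}
# Allow-list of (source segment, destination segment, port); all else is denied.
ALLOWED_FLOWS = {("work", "corp", 443)}
# Constructed per-device key, assumed to be enrolled out of band.
DEVICE_KEYS = {"laptop-01": b"constructed-demo-key-01"}

def segment_of(ip):
    """Return the segment name for an address, or None if it is unsegmented."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def sign_request(device_id, key, nonce, resource):
    # JSON encoding keeps the three fields unambiguous inside the MAC input.
    msg = json.dumps([device_id, nonce, resource]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Gateway:
    def __init__(self):
        self.seen_nonces = set()

    def authorise(self, src_ip, dst_ip, port, device_id, nonce, resource, tag):
        # Micro-segmentation: the flow itself must be explicitly allowed.
        if (segment_of(src_ip), segment_of(dst_ip), port) not in ALLOWED_FLOWS:
            return "deny: flow not allowed between segments"
        # Zero trust: the device authenticates on every single request.
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return "deny: unknown device"
        expected = sign_request(device_id, key, nonce, resource)
        if not hmac.compare_digest(expected, tag):
            return "deny: bad device proof"
        if (device_id, nonce) in self.seen_nonces:
            return "deny: replayed request"
        self.seen_nonces.add((device_id, nonce))
        return "allow"
```

An IoT-segment address is refused before any credential is looked at, so a compromised smart device on the same home network gains nothing from a stolen request tag.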
Cyber hygiene – real or hoax
Asked whether people understand the idea behind cyber hygiene, Jackson skirted the query, instead commenting that people should understand the data and privacy implications of the information that they are sharing. They should also understand the vulnerabilities that exist on unpatched systems and on unmanaged devices where there are no security controls, he added.
He alluded to the digital detox which involves a review of cyber hygiene and cybersecurity practices.
“It is taking stock of what has access to what information, where is your data being stored, how it is being encrypted, who has access to information and what will happen if an organisation or device or system or cloud environment is breached,” he explained.
For him, it comes back to zero trust.
Jackson says IoT device manufacturers must take the security aspect of the devices they make seriously. These devices now store information, and they have data traversing the cloud, with data stored somewhere. Manufacturers must look at a security-first approach to software engineering, what Jackson calls industry SDLC (software development life cycle) – a set of measures to make sure that security is built into the products they are delivering from the start and is not bolted on afterwards.
CIOs (and CISOs) need assurance that the devices being used by consumers in their homes, or even in the enterprise, meet a minimum standard set of security capabilities and requirements to ensure that corporate data is secured at all times.
“And that is a big challenge today for organizations. But things like this initiative from Singapore with the labelling scheme is a great start to be able to bring security front of mind to both manufacturers of IoT devices as well as organizations and consumers who are utilising these devices today,” he concluded.
Click on the podchat player to listen to Jackson as he candidly discusses some of these vulnerabilities and ways around protecting both edge and core.
- Let’s start off with what does BlackBerry have to do with IoT?
- What vulnerabilities are we seeing with consumer IoT devices and what kind of spillover effects could this have in a work-from-home world?
- What is your take on the Singapore government's Cybersecurity Labelling Scheme?
- How does the scheme help in tackling the problem of hacking and cybersecurity in the IoT ecosystem?
- How do you see CLS contributing to the overall cyber hygiene levels of end users?