Connected devices are transforming homes and workplaces. Smart thermostats, ventilation, lighting, access and security cameras are already commonplace features of working life.
The potential for Internet of Things (IoT) devices to drive business efficiency and value goes much further. Smart trackers monitor the progress of trucks and products; built-in sensors alert manufacturers to the need for maintenance before equipment fails; products can even be programmed to send personalised marketing messages to consumers.
The trade-off, however, is a proliferation in the number of potential data breach points in your business.
Cyber criminals can exploit everyday objects to sinister effect. Compromised 'smart locks' can leave a home unsecure. Building management systems can be hacked and shut down.
On a wider basis, the impact of some attacks can ripple across the globe. The 2016 attack that brought down the Dyn domain name system, for example, was carried out using compromised household devices, such as baby monitors and digital video recorders.
The devices were attacked by the Mirai botnet, which infected them with malware forcing them to report to a central control server. This allowed them to be used in so-called DDoS (Distributed Denial of Service) attacks - blocking access to popular sites including Twitter, Spotify and PayPal.[1]
In August 2017, this threat took on a new form. While Mirai wreaked havoc by exploiting weak passwords, the Reaper botnet takes this a stage further, using software hacking techniques to infect networks.[2]
The rise of the Internet of Things is unstoppable. Studies predict that 25bn connected devices will be online by 2021,[3] soaring to 55bn by 2025.[4] However, the rate of adoption has outstripped the ability to secure them.
Many devices sold lack even basic security. There is often no obvious way for a consumer or business to change default passwords.
The National Cyber Security Centre believes that it will ultimately be possible to mitigate the impact of insecure devices but warns: “The 'botnet of things' will present a serious challenge to cyber security for a considerable time to come.”[5]
Recognising this threat, the government recently issued a draft code of practice for IoT manufacturers.[6] It lays down several principles for new products, including unique passwords, updatable software and secure storage of sensitive product credentials.
While the government has not ruled out future legislation, the code is an advisory one. For now, the burden remains on IoT device users to ensure secure operation.
One rule of thumb is to treat all connected devices in the same way as PCs, in the sense that they require regular updates. This is likely to require a change of mindset: it's natural to assume that a heating control system, for example, will require no further thought once it is installed.
Device security presents a particular dilemma for smaller businesses that may lack in-house technical expertise. Professor Tim Watson, Director of the WMG Cyber Security Centre at the University of Warwick, says firms considering IoT devices should see security support as part of their investment.
“Buyers should weigh up the value of the device to their business against the potential risk, and get expert advice,” he says. “They should also continue to ask questions of the manufacturers and add to the economic pressure for security by design.”