Securing the Growing IoT Threat Landscape

With insights from Zscaler, CGI, Trend Micro and Kaspersky, we examine the current IoT threat landscape and how businesses can protect against cyberattacks

With the rise of new technologies, businesses are fighting to protect their data like never before.

One area that continues to transform the business landscape is the Internet of Things (IoT). Referring to devices that connect and exchange data with each other, the technology has revolutionised business networks. 

However, as with any technology, IoT is susceptible to data breaches. A breach can occur when a cyberattacker, or threat actor, gains access to a device that collects and transits sensitive data, including personal information. Each IoT device can act as an entry point for threat actors, acting as a reminder to businesses that their network is only as strong as their weakest link.

An urgent need to bolster IoT cybersecurity

During a time of mass digital disruption, threat actors are taking the opportunity to conduct more sophisticated attacks. Organisations that do not have stringent cybersecurity protections or governance strategies in place risk a data breach that could be catastrophic to their operations.

Whilst IoT devices offer many benefits such as improving efficiency and productivity within the workplace, they also hold the potential to create complex attack surfaces.

As Nathan Howe, GVP of Innovation at Zscaler, explains, IoT devices can pose threats to an organisation as a result of weak security systems.

“These sorts of devices need to be treated within bounds of what you can control within your four walls,” he explains. “There should not be any connectivity from the IoT device to the Internet or vice versa. Ultimately, IoT devices should never exist in the same ecosystem as IT devices, or should they be considered part of an internal infrastructure. They should always be considered an external threat and treated as such. Companies not approaching IoT devices this way is the most significant threat.”

Likewise, Alex Woodward, VPC & Leader UK Cyber at CGI at CGI, adds: “A key consideration that decision makers need to make is how IoT devices are integrated. In an effort to draw on useful, existing data and optimise operations, devices can be “plumbed” into corporate and production networks. However, this may also serve as a route for threat actors to gain access.

“The responsibility for how these devices are deployed remains a challenge for the organisation to manage risk.”

Some of the security threats that IoT devices face range from weak credentials that are prone to hacks, unencrypted communication, or a lack of tight security measures. Also, as Lewis Duke, SecOps and Threat Intelligence Lead at Trend Micro states: “Infrequent software updates leave them vulnerable to known exploits, making them prime targets for attackers.”

One of the problems is also the sheer volume of IoT devices, given such high customer demands. As a result, their security measures can be lacking, making them more vulnerable to attack.

On this, David Emm, Principal Security Researcher, Global Research and Analysis Team at Kaspersky, says: “The most common attack vectors include device hijacking, where attackers take control of IoT devices to conduct malicious activities; and data breaches, which involve the unauthorised access and theft of personal or corporate data.”

IoT attacks are unfortunately often the result of little to no security management and no real patching. As a result, there have been several real-world incidents of significant security breaches within an organisation.

David cites the use of the Mirai malware in a 2016 attack as an example, where hackers exploited weak passwords in IoT devices, including cameras and routers, to create a botnet. 

“This botnet was used to launch a distributed denial-of-service (DDoS) attack, which brought down major websites across the internet,” he explains. “It's important to note that Mirai remains a significant threat today, with six out of the top ten threats delivered via IoT being variants of Mirai, illustrating its enduring presence in the cyber threat landscape.”

Some other shortcomings of IoT devices are inadequate security configurations. As devices often come with default passwords and open network ports, this can create greater vulnerabilities. 

“Many users either are unaware of these risks or neglect to change the default settings upon installation,” David says. “Manufacturers often fail to provide regular updates and patches, which means that even known vulnerabilities can remain open for long periods, exposing users to potential exploits.”

Sharing a responsibility to improve IoT security

What’s clear is that there should be greater collective responsibility between stakeholders to improve IoT security outlooks. A multi-stakeholder response is necessary, leading to manufacturers prioritising security from the design phase, to governments implementing legislation to mandate responsibility. 

Currently, some of the leading IoT issues relate to deployment problems. Alex suggests that IT teams also need to ensure default device passwords are updated and complex enough to not be easily broken. Likewise, he highlights the need for monitoring to detect malicious activity.

“Software and hardware hygiene is essential, especially as IoT devices are often built on open source software, without any convenient, at scale, security hardening and update mechanisms,” he highlights. “Identifying new or known vulnerabilities and having an optimised testing and deployment loop is vital to plug gaps and prevent entry from bad actors.”

A secure-by-design approach should ensure more robust protections are in place, alongside patching and regular maintenance. Alongside this, security features should be integrated from the start of the development process.

“Enterprises should always conduct security assessments before deploying any network-connected devices on their network, additionally, network segmentation and security monitoring should be a high priority,” Lewis says. “Governments can also play a vital role by establishing clear and standardised security requirements for IoT devices and also by helping to promote consumer awareness of the security risk associated with IoT devices.”

He continues: “However, it remains crucial for individuals to proactively protect themselves against cyber threats, implementing two-factor authentication on their devices whenever possible and enabling encryption on their home routers. These measures, among others, are vital for safeguarding against the evolving risks in the cyber environment.”

The future of IoT is now: Harnessing the power of emerging technologies

When it comes to implementing IoT device protections, there is still plenty to be done. Long-term, organisations will benefit from ensuring their devices are properly isolated which, as Nathan explains, could take the form of a zero trust architecture.

A zero trust framework can enable teams to have greater control over segmented networks, permit connectivity where needed and also prevent data breaches.

“With the right partner, there is a lot organisations can do to deliver a zero trust deployed system in which there is no attack surface and exposure to unpatched services and unmanaged systems,” he says. “This approach removes those systems from being exposed to attacks and being seen, while still allowing them to function, which is where the evolution of approach to these issues will continue to develop.”

The world of technology continues to become more sophisticated, with disruptive technologies like artificial intelligence (AI) enabling faster innovation. However, with such an opportunity, organisations around the world still need to remain aware of cybersecurity risks.

“SecOps teams need to be mindful of the risks new technology such as Quantum brings to the data traversing their network,” Alex states. “IoT devices often lack the power to implement newer cryptographic techniques such as Quantum resistant algorithms.”

To mitigate these threats, technology like AI and blockchain can often help to analyse IoT data. David explains how it can also monitor traffic for unusual activity and potentially thwart cyberattacks in real time.

“Looking ahead, there are some emerging technologies and strategies that offer promising avenues for enhancing IoT security,” he says. “As we continue to integrate IoT devices into our daily lives and industrial processes, understanding and mitigating the associated cybersecurity risks is paramount.

“By fostering collaboration among manufacturers, regulators and those who deploy them, and by embracing innovative technologies, we can better secure the IoT landscape against current and future threats.”


Make sure you check out the latest edition of Technology Magazine and also sign up to our global conference series - Tech & AI LIVE 2024


Technology Magazine is a BizClik brand


Featured Articles

Global IT Outage: CrowdStrike Falcon “Bug” to Blame

The cybersecurity firm vows to improve its software testing after a faulty Windows update caused a global IT outage and impacted essential services

How SAP is Helping Businesses Transform Cloud Strategies

Bain & Company now runs its core financials in 40 countries on SAP S/4HANA Cloud Public Edition, as SAP soars ahead with its cloud ERP transformations

AI Adoption Cited as Main Cause of Alphabet's Revenue Spike

Google’s parent company Alphabet reports a near-14% increase in its quarterly revenue, as a result of continued demand for its AI cloud computing services

Worldwide IT Outage: The Pressure on Cybersecurity Vendors

Cloud & Cybersecurity

Unleashing the Full Potential of Enterprise IT Investments

Enterprise IT

Worldwide IT Outage: Industries Face Total Disruption

Enterprise IT