October is National Cyber Security Awareness Month (NCSAM) and, in this blog post, I am exploring the potential threats that come with the explosion of the Internet of Things (IoT).
As most of us know by now, the IoT offers organizations the opportunity to introduce hugely disruptive services to the marketplace. These services make us all happier, healthier and more productive. But they all have one thing in common: data. In fact, Cisco estimates that the total amount of data created by all devices will reach 600ZB per year by 2020, up from just 145ZB per year in 2015. The IoT is the driving force behind this trend.
Yet this creates major security and privacy risks for the companies providing these services, especially considering sweeping new EU data protection laws set to land in May 2018. It’s time to look to advanced security solutions including analytics and threat intelligence to mitigate these risks.
More things, more data
Gartner estimates there’ll be 8.4 billion connected “things” in use by the end of 2017, rising to 20.4 billion by 2020. They range from home routers and smart fridges to connected cars, wearable technology, and life-saving medical devices. They offer companies the chance to disrupt markets, drive profits and create unique experiences for their customers.
This incredibly complex network of internet-connected sensors and embedded computing devices is powered by data. It’s collected in huge amounts and turned into actionable insight, perhaps enabling a smoother driving experience, more efficient business processes, or healthier humans. Some is more sensitive than others: data collected from head-mounted displays could have far more profound privacy implications than petrol levels in users’ cars, for example. Data is also increasingly shared with third parties to create innovative new services – creating extra risk which needs to be managed.
A goldmine for hackers
The bottom line is that malicious actors have a wealth of potential opportunities here, capitalizing on the fact that many IoT systems are poorly engineered and protected. A brief look at OWASP resources will show you just how large the potential attack surface is. Personal data could be lifted from smart devices at home including the router to launch identity theft attacks – causing a major financial hit to customers. Location tracking on devices could be monitored to rob victims if they’re known to walk home a certain route.
Even something as simple as a smart fridge not ordering milk could indicate an unattended home ripe for burgling. It could get even worse: users could be blackmailed with their web browsing data, or even held to ransom if hackers are able to modify drug infusion pumps remotely. Companies might also want to deliberately spoil datasets to interrupt key IoT services offered by their rivals.
Time for a new approach
With the General Data Protection Regulation set to levy huge fines of up to 4% of global annual turnover (or £17m) for non-compliance, there’s never been a better time to re-evaluate your safeguards to ensure sensitive IoT-generated personal data is as secure as possible. Organizations that rely on traditional techniques to keep data safe, such as signature-based detection, risk missing more advanced, covert threats.
They need to move to a more proactive security model via threat intelligence, advanced analytics and machine learning. This will help security professionals understand and baseline what “normal” behavior looks like to more accurately and automatically spot zero-day threats, with fewer false positives. Based on data from a large range of sources – security devices, networks, operating systems, databases, apps, endpoints and cloud systems – in combination with human expertise, it can add real value to threat defense.
That’s where managed security from a trusted global provider really comes into its own, allowing you to benefit not only from insights generated from your own data but also those collected from thousands of other organizations around the world. It all adds up to maximum protection: 24/7/365.
There’s always a place for standard threat detection tools. But the emerging IoT world has raised the stakes on data protection, making advanced techniques like these an essential consideration for any security strategy.