Wednesday, 15 May 2024

Is the IoT leaving your business exposed?

We increasingly live in a world of connected devices, but what does IoT growth mean for your business? We look at the challenges for IT and cyber security experts.

We increasingly live in a world of connected devices. From smart doorbells and environmental sensors in industrial buildings to footfall-tracking devices in public spaces, the world is full of electronic devices pushing data to the cloud.


Statista figures indicate that, as of 2023, there are already 15.4 billion connected devices worldwide. That’s up from 8.6 billion connected devices in 2019. And this growth is expected to continue. Statista estimates there will be 29.4 billion connected devices by 2030.


What does IoT growth mean for your business?

The proliferation of connected Internet of Things (IoT) devices poses a challenge for IT and cyber security experts. As these devices are added to home and business networks, they become new entry points that – more often than not – are vulnerable to cyber-attack.

Cyber-security business Cloudflare explains, “IoT security can be particularly challenging because many IoT devices are not built with strong security in place – typically, the manufacturer's focus is on features and usability, rather than security, so that the devices can get to market quickly.”

Cloudflare also explains that attackers try to remotely compromise IoT devices using a variety of methods, from credential theft to vulnerability exploits. And once the attackers control an IoT device “they can use it to steal data, conduct distributed denial-of-service (DDoS) attacks, or attempt to compromise the rest of the connected network”.


How can businesses prevent their IoT devices being compromised?

IoT devices must be protected, just as any other potential entry point to your network would be protected. This means:

•    Running regular network audits to gain visibility over any new devices being added to the network

•    Changing factory security settings (e.g. changing factory-set passwords) for all IoT devices

•    Turning off unnecessary features (e.g. Bluetooth connectivity)

•    Ensuring firmware and software are kept patched and up to date (and regularly checking for updates / notifications about known vulnerabilities)

•    Ensuring device authentication is established before devices on the network can communicate with each other (e.g. using the TLS protocol)

•    Using a VPN to connect to the device if accessing it remotely

•    Adding DNS filtering to the network so any connected IoT devices cannot reach out to places on the Internet they should not (e.g. an attacker's domain).
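
As an illustration of the network audit and DNS filtering points above, here is an added example (not Grant McGregor's or any vendor's code) that checks DHCP and DNS logs against an approved IoT inventory. The log formats, MAC addresses, device names and domains are all constructed for the example.

```python
# Added example: audit DHCP and DNS logs against an approved IoT inventory.
# Every MAC address, name, domain and log format below is constructed.
INVENTORY = {  # approved devices: MAC -> (name, allowed DNS suffixes)
    "a4:cf:12:00:00:01": ("lobby-doorbell", ("vendor-a.example",)),
    "a4:cf:12:00:00:02": ("warehouse-sensor", ("telemetry.vendor-b.example",)),
}

# Constructed DHCP lease log: "<timestamp> LEASE <mac> <ip>"
DHCP_LOG = """\
2024-05-15T09:00:01 LEASE a4:cf:12:00:00:01 10.20.0.11
2024-05-15T09:00:05 LEASE A4:CF:12:00:00:02 10.20.0.12
2024-05-15T09:03:40 LEASE de:ad:be:00:00:99 10.20.0.57
"""

# Constructed DNS query log: "<timestamp> QUERY <client ip> <name>"
DNS_LOG = """\
2024-05-15T09:10:00 QUERY 10.20.0.11 api.vendor-a.example
2024-05-15T09:10:02 QUERY 10.20.0.11 notvendor-a.example
2024-05-15T09:11:30 QUERY 10.20.0.12 Telemetry.Vendor-B.example.
2024-05-15T09:12:10 QUERY 10.20.0.12 files.unlisted.example
"""

def parse_leases(log):
    """Return {ip: mac} from lease lines, normalising MAC case."""
    leases = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "LEASE":
            leases[parts[3]] = parts[2].lower()
    return leases

def domain_allowed(name, suffixes):
    """Match whole labels, so 'notvendor-a.example' does not pass as 'vendor-a.example'."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def audit(dhcp_log, dns_log, inventory):
    """Return (MACs not in the inventory, [(device, queried name)] outside its allowlist)."""
    leases = parse_leases(dhcp_log)
    unknown = sorted(mac for mac in set(leases.values()) if mac not in inventory)
    blocked = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "QUERY":
            continue
        mac = leases.get(parts[2])
        if mac in inventory and not domain_allowed(parts[3], inventory[mac][1]):
            blocked.append((inventory[mac][0], parts[3]))
    return unknown, blocked
```

Calling `audit(DHCP_LOG, DNS_LOG, INVENTORY)` returns the unapproved MAC address and the two queries that fall outside each device's allowlist.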

While it is important to follow these essential cyber-security measures, a new initiative in the USA has been created under the Biden administration specifically to address the security concerns resulting from the proliferation of connected IoT devices. It has been developed to help consumers, organisations and businesses make better choices when purchasing IoT devices.


The new FCC Cyber Trust Mark

The Cyber Trust Mark - a voluntary programme approved by the Federal Communications Commission (FCC) in March 2024 - is aimed at boosting awareness and confidence in the cyber security of IoT devices for US consumers. The programme aims to set a standard for IoT security, with the goal of global recognition.

Manufacturers can submit IoT devices for third-party testing to earn the Cyber Trust Mark logo if they meet security standards. The FCC Cyber Trust Mark will include a scannable QR code which links to details of the device’s security features, including information about the device’s cyber security status.

The mark aims to incentivise manufacturers to meet higher cyber-security standards, whilst making it easier for consumers and businesses to keep devices up to date and secure against cyber-attacks. It's hoped that the Cyber Trust Mark will help consumers to differentiate trustworthy IoT products from untrustworthy ones, that more manufacturers will use it, and that more consumers will demand products that bear the Cyber Trust Mark shield.

The FCC is still considering whether or not to include information about whether the software or firmware is developed in a nation deemed a security risk by the USA. If it chooses to do so, this may have a significant impact on IoT devices manufactured in China.


Is the IoT leaving your business exposed?

The IoT does pose a risk for consumers and businesses alike. Each new device added to your network brings additional risk. Because cyber-security is often an afterthought for IoT devices, the need to manage their connection to the network becomes greater.

The FCC Cyber Trust Mark is a step in the right direction. Providing more information about how to protect your devices from cyber-attack will always be useful. However, it is likely that the scheme’s impact will be most useful in changing attitudes about IoT connectivity. We hope it will raise awareness about the potential risks of adding these devices to your home and business networks.


What now?

For more advice and information about cyber-security topics, including planning IoT projects and securing IoT devices, please reach out to the Grant McGregor team.

Call us: 0808 164 4142


Further reading

You can find additional information about cyber security and the IoT on our blog:

•    How long would it take your organisation to detect a data breach?

•    Server 2012 is end of life: Act now!

•    Do your backups include this important information?

•    How secure are your network peripherals?

•    What is a watering hole attack? And how can you protect against it?

•    Cyber Crime on the rise: how can you protect your organisation from it?

•    Is your organisation doing enough on supply chain security?

•    How to minimise the risk from phishing

•    AI’s new role in cyber security