Cybersecurity for IoT: Where is the silver bullet?
For everybody using cloud-based services, security is a key concern. Each week we learn of another organization that has been successfully hacked, with sensitive corporate or personal data shared with malicious third parties or leaked to the Dark Web. According to CrowdStrike’s 2024 Global Threat Report, the past year saw a 75% increase in total cloud intrusions.
So how can both corporations and individuals best protect themselves? Well, the short answer is that there is no silver bullet and that at some point it is likely you will indeed be hacked. No one tool or process is good enough to stop all cybercriminals, and the structure of cyberattacks is constantly evolving.
The key items to consider are:
- How can our cybersecurity provide defence in depth to minimize the likelihood of a successful attack?
- How can we detect a hack as quickly as possible?
- How do we close all possible avenues of compromise once a threat is detected?
- What steps do we need to take in response to a cyberattack?
Part of the problem, of course, is that whilst we all want to be secure, we also enjoy the convenience of being able to log on to multiple websites at the touch of a button. Whilst automatically generated complex passwords and password vaults have helped against network-based attacks, they are negated if a hacker gets access to our machine via an email scam or the hardware itself. We want the system to take care of the security, and that becomes exponentially more difficult if we do not follow secure processes that minimize the “attack surface” and keep our data safe, whether we are at work or on personal time.
We will be writing a regular monthly blog looking at recent security events, their impact on IoT, and discussing how we can help to mitigate and prevent security exposure. The rest of this first post will focus on the importance of creating multiple layers of security to best prevent successful cyberattacks. With all the different ways hackers can access sensitive systems, multiple types of solutions need to be included at the user and administrative levels.
There are many different approaches and standards to layered security and nearly all of these are aimed at the IT profession and/or organization. Our next few blog entries will look at the layers from a user’s perspective.
- We shall start by looking at physical security: what do we need to do to secure the hardware as the first line of defense?
- Secondly, we shall look at authentication and authorization: what can we do to help keep access to our software as secure as possible?
- Then we will discuss the applications themselves and how we can ensure they are well behaved and add to the overall security posture of the environment they run in. Our next installment will look at applications being run on the Edge and the following one will look at applications run in the cloud.
- Then we will pivot our focus to IoT specific concerns, looking at devices and best practices on connectivity and management.
- We will wrap up this series by bringing everything together to show how the constant flow of data, connections, and changing environment require our constant vigilance.
Let’s start with physical security. This is the most ignored and least talked about aspect of cybersecurity; however, if the device is compromised, all the other layers of security become meaningless. A recent article in The Telegraph reports that lost laptops pose a bigger financial threat than ransomware hackers.
Devices come in many forms. At a corporate level, any on-prem servers need to be kept in locked rooms with limited and appropriate access. At the individual level, we are responsible for our smartphones, tablets, laptops, and computers, all of which can provide a gateway to corporate assets and data, and many of which are carried with us nearly all the time. What can we do to help ensure these devices are not compromised? Part of the answer must include the passwords we store in common web browsers or applications and that are synchronized across devices so we can sign in quickly. If somebody gets hold of just one of our devices, they will have access to all our accounts. So here are some simple steps we can all take to protect our devices.
Separate your work and personal devices
Sounds obvious, but with dual SIM phones and BYOD at work, it is easy to blur the lines between work and personal lives. However, if somebody suggested you take your work computer to a music festival or a nightclub, you would think they had lost their marbles. But that is precisely what you are doing if you use the same phone for work and personal purposes. The safest route is to leave your work phone at home when you are on personal time; if that is not possible, use a separate phone.
This does of course come at the cost of flexibility—you must carry 2 phones when you are working.
Consider a phone lanyard case
Most of us now have Apple or Google wallet, so all you need for a night out with your friends is the phone and your house keys. It is easy, when you are out and enjoying yourself, to take out your phone, set it down, and forget about it for a few minutes. A phone lanyard case is a very simple way of ensuring you do not lose your phone.
Use a privacy guard in public settings
When you are using a work laptop in a public place, consider using a privacy guard. They make your laptop look cool as they display a gold screen to anybody not directly in front of the screen. The security benefit is precisely that nobody can see what you are working on from a distance or an angle.
Phase out old devices safely and securely
Think about how you dispose of your old devices. Most work devices are returned to the IT department, where they are reconfigured and either disposed of or re-purposed. Your home device might just languish in a drawer gathering dust until you throw it out. In all cases, you should sanitize the device so that no data remains on it or can be recovered.
To summarize, taking some simple but effective steps for physical device security is the first line of defense for both your personal and work data.
If, after taking these precautions, you lose your device, make sure you know how to wipe it. The major manufacturers have a “lost mode” which allows you to log on to your account and block or, in extreme cases, wipe the data from your device. You should then reset all your passwords. We will talk more about that in our next blog. If you have your corporate device stolen, contact your Security Department as soon as possible; they will tell you precisely what you need to do.
Stay safe.