For small and mid-sized businesses (SMBs), managing security risks has always been a challenge. But as SMBs ramp up their use of Internet of Things (IoT) devices, the risks are rising. With this current threat landscape, value added resellers (VARs) and managed service providers (MSPs) have the opportunity to provide the security SMBs need.
A number of IT consulting firms and experts have been raising the alarm about IoT security risks for some time. In July of 2016, many security experts warned that a huge security breach traced back to an unsecured IoT device is likely to happen within two years. Just a few months later, a massive cybersecurity attack that used IoT devices — specifically, Internet-enabled cameras — as a platform for a Distributed Denial of Service (DDoS) attack affected a number of major websites, including Twitter, Netflix, Pinterest and others.
IT research firm Forrester predicted there will be a large-scale IoT security breach in 2017, and recent attacks specifically targeting IoT devices seem to confirm the imminence of this threat. This isn't particularly surprising, as 63 percent of enterprises deploy new technologies such a as IoT devices prior to having appropriate levels of data security in place.
Enterprises of all sizes are subject to IoT security risks, but SMBs are particularly vulnerable because they typically have limited budgets and staff. Moreover, staffers often have limited on-hand expertise to secure vulnerable IoT devices, networks and systems. So, what's the solution?
Now more than ever, SMBs should consider turning to trusted technology advisors for help. To that end, VARs and MSPs need to invest in and offer security solutions that meet SMBs’ specific needs. That means staying up to speed on the latest network risks, especially those introduced by IoT devices.
IoT security threats lurk in the growing number and variety of devices that are network-connected. This includes wearables such as the Fitbit and Apple watches, mobile devices such as smartphones and tablets, and other devices such as televisions, refrigerators, cameras, meters and many other machines and devices that leverage IoT technologies. All of these connect to network resources in differing ways, and many are interconnected, which further amplifies the complexity and possible risk of exposure.
The Device Problem
With more devices connected, hackers have more conduits for accessing confidential information and launching attacks. Another arguably more dangerous aspect of IoT security is that many of the devices are constructed with security as an afterthought. They often lack key vital security updates, which means they aren't dynamically protecting the network against the latest DDoS or phishing attacks.
This is particularly vexing for SMBs who want improved security but typically don’t have the time or up-to-date technical knowledge to review all of the possible threats and make smart purchasing or implementation choices. In fact, the October 2016 DDoS attack that got its start through IoT-enabled cameras happened because hackers were able to exploit their manufacturer-set passwords that hadn't been reset by users.
Outlining the IoT Risks
SMBs that adopt various smart devices such as refrigerators or door locks could unknowingly give hackers access to personal or credit card information. The breaching of locks or key panels could allow hackers to physically enter company buildings and steal both real and virtual property. Many IoT devices have very basic software that is simply not built for updates. Some devices are updated frequently, but even then it’s risky to integrate them into conventional software or hardware protection solutions, as they bring challenges for IT in the form of new network protocols and unfamiliar data sets.
Here are some of the core security risks of IoT and personal devices:
- Security flaws often found in firmware that should be fixed with updates. Sometimes the device might not receive these updates, or the company might not take the necessary steps to fix security holes.
- Unsupported individual products or complete product lines. Updates won’t come if there’s no company behind them, so unsecured/outdated products offer a significant risk. SMBs should exercise extreme caution when choosing IoT vendors that are at risk of failure.
- Wearables are a security risk for a number of reasons. These devices hold some information locally without any type of password/login protection, and are not encrypted when sending data between the device and the network. Consider a firm that offers fitness trackers to its employees and encourages them to check their fitness progress during work. The computers and network might be secure, but the wearables provide a tempting target.
The VAR Opportunity
The pressing need for improved SMB cybersecurity offers a significant opportunity for VARs. They can provide customers with network security risk assessments that inventory all of the IoT devices, network connections and existing security and antivirus software an SMB currently has. From there, the VAR can help ascertain possible threats and show customers the location of security weaknesses.
VARs can then suggest the right gateway solutions that will provide continuous visibility into all of the IoT and other devices that are connecting to the network. Such solutions should have the capability to recognize all of this activity, and allows the SMB to control bi-directional traffic to best suit their needs. In this scenario, the SMB holds the power.
Dirk Morris has over seven years of technical experience and proven leadership managing development teams to successful, on-time launches in the network security field. As Chief Architect at Akheron Technologies, Dirk invented the patent-pending High Bandwidth Transparent Vectoring used in the company’s proxy firewall engine. He has also held positions as lead engineer at VerticalNet and H.L.L.C. Consulting, developing Java-based distributed monitor and intrusion detection systems. Prior to that, Dirk worked on survivability simulations at CERT/CC (Computer Emergency Response Team), the renowned, federally-funded Center for Internet security operated by Carnegie Mellon University. Dirk earned a Bachelor’s degree in Computer Science with a minor in Mathematics from Carnegie Mellon University.