The Internet of Things: Three Key Security Considerations for SMEs

By Ranjit Bhalerao

Here's how small and medium enterprises can safeguard their businesses and their customers in the IoT era.

Hype about the Internet of Things is everywhere, with the majority of the buzz focused on consumer products. But if you dig deeper, you'll also find the IoT playing out in the business world. IoT technology can automate customer checkouts, reduce theft in retail environments, track inventory movements and automate the monitoring of corporate fleets to reduce maintenance costs and decrease vehicle downtime—not just for large corporations, but also for small- and medium-sized enterprises (SMEs).

The various sensing techniques that make up IoT technology—based on beacons, geofences, tags, audio signals and so on—provide SMEs with real-time data regarding customer preferences, behavior and location, thereby allowing business managers to make promotional offers at just the right moment, or to expedite services to deliver a better customer experience.

The Time Is Now for IoT Security
IoT connectivity is growing, and adoption is on the rise. By 2020, approximately 25 million everyday objects will be IoT-enabled or connected to the Internet, according to research firm Gartner.

IoT represents the fusion of automated operational technology (OT) with information technology (IT), in both industrial and commercial settings. For example, industrial systems now share data with cloud-based data-analytics platforms. In commercial applications, heating or cooling systems can be controlled through smartphone-based applications.

Gartner defines OT as the systems and platforms that handle the operation of physical assets across a business, organization or home—such as electricity and energy controls, machinery and so on.

The fusion of IT and OT turns regular IT security threats into physical effects, and allows a deeper reach for an IT hacker—one that goes well beyond the previous boundaries of the IT infrastructure.

Mitigating the Challenge
How can SMEs safeguard their businesses and their customers in the IoT era? Take a look at these three key security concerns in an IoT-enabled SME environment, and the best-practice options for addressing them:

1. Distributed Denial of Service Attacks Will Rise
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the operations of a server or a network and make it unavailable to its intended users. It grew out of the Denial of Service (DoS) attack, which requires just one infected device (known as a bot) and a single Internet connection. In a DDoS attack, multiple devices (together known as a botnet) and an Internet connection are used, meaning the basic technology of the IoT could be exploited to intensify DDoS attacks.

More devices in the network translate into a larger botnet for attackers, which logically increases the risk of bigger and more intense DDoS attacks. The bottom line: SMEs need to have a DDoS mitigation solution in place that will work 24-7 to immediately detect and mitigate attacks.

2. Hackers Will Find Security Vulnerabilities
Currently, about 70 percent of all IoT devices are vulnerable to hackers. Most IoT devices use unencrypted network access, which makes them vulnerable to attack. Furthermore, users often neglect to change the default access password that the manufacturer assigned to each device, which makes sensitive information easier to compromise, compared to data protected by user-set passwords. The Web interface used to connect these devices to a network may also have multiple security holes, such as cross-site scripting and weak credentials.

Another disturbing fact is that IoT devices often employ mediocre authorization, which fails to vet passwords for their strength (the type and number of characters used) and length. Managing vulnerabilities will pose a major challenge for IT administrators, because they will need to devise a system that can figure out how a vulnerability can be either patched easily or mitigated at the network level. Then they need to learn how to prioritize these processes.
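The checks described above can be run over a device inventory, as in this added example (not part of the original article). The inventory, its field names, the 12-character minimum and the rule that devices with the most findings come first are all assumptions made for illustration.

```python
import string

# Constructed sample inventory; passwords appear in clear only because
# this is illustrative data, not a recommended way to store them.
INVENTORY = [
    {"name": "lobby-camera", "protocol": "http", "password": "admin",
     "default_password": "admin", "patch_available": True},
    {"name": "hvac-controller", "protocol": "telnet", "password": "Wh7!tqLp02#x",
     "default_password": "1234", "patch_available": False},
    {"name": "pos-beacon", "protocol": "https", "password": "Gr8!fleet-Track9",
     "default_password": "beacon", "patch_available": True},
]
ENCRYPTED = {"https", "ssh", "mqtts"}  # management protocols treated as encrypted
MIN_LENGTH = 12                        # assumed policy value

def password_weaknesses(pw):
    """Vet a password for length and for the types of characters used."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too short")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if sum(any(c in cls for c in pw) for cls in classes) < 3:
        issues.append("too few character types")
    return issues

def audit(device):
    """Return the list of findings for one device."""
    findings = []
    if device["protocol"].lower() not in ENCRYPTED:
        findings.append("unencrypted network access")
    if device["password"] == device["default_password"]:
        findings.append("default password unchanged")
    findings += ["weak password: " + i for i in password_weaknesses(device["password"])]
    return findings

def plan(inventory):
    """Return (name, findings, action) rows, most findings first."""
    rows = []
    for d in inventory:
        f = audit(d)
        if f:
            action = ("patch/reconfigure" if d["patch_available"]
                      else "mitigate at network level")
            rows.append((d["name"], f, action))
    return sorted(rows, key=lambda r: len(r[1]), reverse=True)

if __name__ == "__main__":
    for name, findings, action in plan(INVENTORY):
        print(f"{name}: {', '.join(findings)} -> {action}")
```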

What's needed is a simple yet robust IT security solution that will streamline the way in which SMEs handle these tasks. At the same time, since many SMEs lack the in-house resources or expertise to effectively carry out IT security on a day-to-day basis, they should consider contracting with IT service providers.

3. Identifying the Right Defense for the Right Device Will Be Essential
Security threats in an IoT environment are delivered through multiple attack surfaces: vulnerable devices and components that are trusted in a local network, as well as the Internet connection to that network.

At the intersection of OT and IT, the local network is the most important element, because it can carry a potent attack from the point of entry to the intended targets within an organization. Hence, the best strategy is to identify all entities that have been granted access to the local network, and to limit the potential damage should these entities become compromised.

As the technology matures, so will the challenges of identifying the proper security measure for each device type and application. To meet all challenges, SMEs need an effective risk-assessment methodology. Risk management begins with a well-thought-out IT security strategy. The selection of a robust security solution should be one of your key initiatives as you begin your IoT journey.

IoT Alternatives
A majority of SMEs currently lack the security infrastructure necessary to safeguard their operations and data from attackers. While the IoT offers the lucrative prospect of profit and productivity, consider this: How will businesses be able to defeat the coming wave of cyber attacks when they are not even prepared for today's IT threats?

It is common knowledge that where the most popular technology goes, cybercriminals follow—and to be effective, hackers need to succeed only once. With an IoT explosion on the horizon, the best advice for SMEs is to start considering your IoT security options now, keeping in mind the potential pitfalls. A comprehensive, well-thought-out approach for IT and OT security, as well as business and customer data protection, cannot be an afterthought.

Ranjit Bhalerao, MSCS, MBA, is responsible for IoT initiatives at Quick Heal Technologies, a global provider of IT security solutions. He has nearly 20 years of senior-level technology industry experience, and his work in the IoT market spans more than three years. Previously, Bhalerao held engineering and product-management positions at Cisco, Airvana and Nevis Networks.