Security vs Innovation: The IoT Dilemma from a Business Perspective
The Internet of Things (IoT) is perhaps the fastest evolving technological development in recent memory. There are already around 22 billion devices in circulation across the world, with an expected increase of an additional 15 billion by 2025. However, as the number of these devices surges, so do the potential attack surfaces for malicious hackers.
In many ways, this adoption of machine-to-machine (M2M) technology has rapidly accelerated the pace at which companies are able to innovate. Yet, the ability to innovate has been knocked off course by the cybersecurity implications of deploying IoT devices.
Previously, the result of a malicious hack translated to data breaches and financial or reputational loss. The IoT has simply exacerbated this problem, because these devices now impact the real world. Security cameras, doorbells, air conditioning units, thermostats, TVs, and sensors, just to name a few – the IoT is absolutely everywhere. In just the first 6 months of 2021, there were over 1.5 billion IoT breaches. It’s a huge problem that is only going to get worse.
The importance of innovation should never be underestimated. Innovation doesn’t just mean adopting the new fancy technology on the market. Real innovation is to adopt principles and practices that help to shape a new technological competitive advantage, while still remaining as secure as possible.
A catch-all approach to cybersecurity doesn’t work anymore. Modern IT and IoT systems are now so technologically advanced that it’s completely unrealistic to apply the same level of security to every asset. A bespoke approach, depending on the nature of the risk, is the method that organisations must now adopt when trusting innovative technologies.
Let's take home security as a simple example:
The lock on your front door serves a purpose because it is designed to lock the door. Window locks provide a similar function in principle. Yet, the bedroom safe containing your life savings has a 6-digit PIN lock. You wouldn’t put a 6-digit PIN lock on your front door or your window, and similarly you wouldn’t put a window lock on your safe. The same principle applies to security in innovation – a layered approach is necessary. Cybersecurity and innovation go hand-in-hand.
The Innovative Risk
Over the past decade, IoT technologies have moved well away from the pilot stage to driving business value and competitive edge through their vital role in digital transformation. The innovation survey by KPMG demonstrates that IoT is the top technology unlocking massive opportunities. Nearly 17% of survey respondents stated that IoT is the most significant driver behind digital business transformation.
IoT is accelerating innovation beyond the technological norm. Just this month, the BBC released an article discussing how the global food supply chain may be at risk from malicious hackers because of farming robots. Benjamin Turner, COO at Agrimetrics, said: "Hacking into one tractor, you can upset a farmer and maybe damage their profitability for a season. Hacking into a fleet of tractors, suddenly, you've got the power to affect the yield in whole areas of the country". This is now a very real possibility in the age of IoT.
Now imagine a scenario where a hacked fleet of devices impacts every single industry where they’re deployed. That scenario took place in 2016 and was known as the Mirai botnet. In September of 2016, the authors of the Mirai malware launched a denial-of-service attack on the website of a reputable security expert. Subsequently, the source code of the malware was released to the world, enabling other cybercriminals to replicate the attack.
This resulted in widespread denial of service across multiple industries, impacting hundreds of businesses up to the value of $8.6 million.
This is just one example of how multiple IoT devices can be compromised by a single vulnerability. However, the IoT attacks we now see on a regular basis are far less sophisticated because the security embedded into these devices is often inherently problematic.
Common IoT Security Problems
1. Weak or Default Passwords
Perhaps the most common security issue with IoT devices is the hard-coded and embedded credentials that allow users to directly access the device. A large number of devices will have default or easy-to-guess credentials, e.g. the username could be ‘admin’ and the password could be ‘12345’. It really doesn’t take much effort, even for a low-level beginner hacker, to gain access to these devices in any given IT infrastructure.
2. Lack of Regular Patches and/or Updates
IoT products are developed with innovation, ease of use, and connectivity at the forefront of the development process. Devices may be deemed secure at the point in time they’re developed, but become vulnerable when hackers and security experts find new vulnerabilities. If the version of the software/firmware is not fixed with an update, the IoT devices gradually become more exposed, and therefore more vulnerable, over time.
3. Lack of Data Protection
Although IoT devices are capable of transmitting communication on an M2M basis, the computational power behind many devices lacks the ability to securely store data. For example, in 2017, security experts from Darktrace revealed that they had discovered an attack on an unnamed casino via a thermostat attached to a fish tank. The attackers were then able to gain access to the network and eventually exploit around 10GB of data. It’s a very simple process for sophisticated hackers.
So, while the rapid adoption of IoT technology is enabling businesses to innovate on an unprecedented scale, it is also presenting unprecedented cybersecurity risk. Organisations are now having to balance gaining a competitive edge through innovation with the security implications of achieving such innovation. Hence, the IoT dilemma is a complex conundrum that will continue to be an issue for CISOs as the number of devices surges.