In our homes, internet-enabled refrigerators can tell you which food is past its expiration date. You might already have a smart meter in your home – a dedicated display providing real-time information on how much energy you’re using and how much it’s costing you.
In the world of business, oil companies can now maximize production and efficiency at individual wells using networked sensors that make automatic micro-adjustments to pump stroke rates. Food retailers and restaurants fit their trash containers with connected weight sensors designed to reduce the financial, social and environmental impact of the waste they produce.
These devices represent the Internet of Things (IoT), and it’s bigger than just our laptops, desktops and mobiles. Security equipment, cars, electronic appliances, lights in commercial environments, security cameras, speaker systems and vending machines are now just as much a part of the IoT.
The ability of these devices to send and receive data and to talk to each other will make running our lives and companies easier in many ways we can’t quite conceive of yet.
The IoT is going to grow quickly in the coming decade. The era of connected devices will create significant business opportunities as the IoT network grows in size and capabilities. But the IoT also presents a major threat to businesses in the form of cyberattacks.
IoT devices are of interest to cyberattackers for four main reasons:
Of all wireless connection options, cellular networks offer the greatest protection because of the digital encryption inherent in their technical infrastructure, but even that’s not impervious.
Most Wi-Fi connections are not secure either. In 2017, Mathy Vanhoef, a computer science professor at Belgium’s KU Leuven, “broke” the WPA2 protocol used by most Wi-Fi systems. In doing so, he discovered that all Wi-Fi connections using the WPA2 protocol are vulnerable to compromise.
Bluetooth, despite being a mature technology, has 16 different security vulnerabilities. RFID, used in logistics and retail, has many of its own issues too. Experts in the IT community have expressed their worries about the security of current Zigbee-powered products.
LPWANs (low-power wide-area networks), almost exclusively used by businesses, transmit data from IoT devices like sensors back to base using wireless, low-bitrate, long-range communications. However, they’re also vulnerable because they use a simpler encryption method to save power. As we cover later in this article, though, all of these flaws can be addressed.
A quarter of consumers don’t protect their IoT devices. Half of corporations wouldn’t know if their IoT devices had even been breached. Cybercriminals know this, and they’ve changed their approach to take advantage.
IoT devices connect to domestic and corporate computer systems. Heating systems, smart fridges, smart thermostats and other smart devices connect to the same corporate networks as customer databases and point-of-sale systems.
But why would a cybercriminal attack a connected fridge? It’s not because they want to control your fridge. They want access to your corporate network, and your fridge will often be less protected than, say, your Wi-Fi router. Once they have access to your corporate network, they’ll try to take control of it.
When they’ve gained control, they can install ransomware to blackmail your company or run cryptocurrency-mining malware, which consumes so many computing resources that it renders your network unusable.
They may grant themselves user privileges to access sensitive client information, launch denial-of-service attacks against your website, or insert themselves into email conversations between your company and your clients.
In 2021, software security company McAfee discovered a flaw in an IoT exercise bike manufactured by market leader Peloton. This flaw would have allowed a hacker to steal Peloton’s customer database, including users’ birthdays, genders, workout stats, weights, and ages, all because of a faulty API. In a separate incident, users of a popular range of connected chastity belts lost control of their devices and were presented with a $270 demand to regain it.
The lesson? Cyberattackers can gain access to any connected device and exploit it in a number of ways.
The financial and reputational costs of a cyberattack are significant even for large corporations, but for small businesses, a cyberattack could mean closing up shop.
“Overall, there’s going to be tremendous benefits to the Internet of Things – it’s exciting,” said Kevin Haley, director of Symantec Security Response. “We’re going to see all these different applications, but as a security professional, I’m seeing that there’s a headlong rush into this stuff without anybody really thinking through the consequences or the security aspects of it.”
A hacker could even access a small business’s network by hacking into its security system.
“Now, anybody who has an internet connection and some hacking skills can also view your most important stuff,” Haley said.
Roel Schouwenberg, principal security researcher at Kaspersky Lab, agreed. “All these new smart devices come with their own specific, new vulnerabilities, which can give attackers new opportunities. They may require new technology and approaches to protect [them] properly. But people in small businesses will generally have their hands full covering their existing technology. Adding new, complex devices to the equation is going to make things a lot more difficult.”
When it comes to the Internet of Things, small and midsize businesses have to worry that hackers could access their networks through their connected devices.
“Any way into – or any device into – the corporate network is one that needs protection,” Schouwenberg said. “Attacks have become more targeted, even against smaller companies, so all these scenarios require attention.”
Small businesses are particularly vulnerable to security risks because they don’t usually have their own dedicated security staff. If they’re lucky, the people they pay to do their computer work happen to understand it and look out for them, said Chester Wisniewski, senior security advisor at Sophos.
Most of them don’t provide that protection, though, leaving small businesses wide open to attacks.
“To a large degree, the best thing to do is not use all these connected devices, or at least to understand what the risk factor might be,” Wisniewski said. “I’ve seen people who have plants that tweet when they need to be watered. We’re hooking everything to the internet. The safest approach is to do what I do and just don’t plug this stuff in.”
Part of the security risk stems from these devices’ industrial control systems, which are often designed by people who do one thing very well. For instance, a system might be designed by a person who knows a lot about refrigerators or thermostats and designed the software so the appliance or device does all kinds of cool things, Wisniewski said.
“The question is, did they have a security expert involved in these things to understand what they need to do to maintain security? What happens when it’s time to patch your refrigerator? How do you know you need to fix your refrigerator?”
If you put your refrigerator or your smart thermostat on your Wi-Fi network, you’re vulnerable because computer code always has flaws, Wisniewski added. For small businesses, these smart appliances or devices are usually on the same network that contains customer and credit card information.
“It’s a way for someone to have a foothold inside your network that you can’t track down, because you never think that it’s that thing [like your refrigerator] that’s stealing data from your network,” Wisniewski said. “The more things connected to the area where you’re conducting business, the worse it is.”
Any piece of hardware that can interface with something electronically is at risk of exploitation, said Schouwenberg. “They should all be designed with security in mind. Given the slow life cycle on most of these devices, that’s going to be very important. What I hope to see is that for the makers of smart devices, security will become a competitive advantage.”
Every device connecting to your network and the internet is a threat. As a business owner, you should take as much care to secure the RFID chips tracking your stock as you do your company laptop.
There are multiple ways to protect your IoT devices, your network, and the data stored on your network.
Schouwenberg said it’s nearly impossible for a small business to protect all of its assets, so he suggested listing your biggest assets and then putting the most effort into preventing network security threats.
“Work your way down from there,” he said. “Segregate your network. IoT and BYOD (bring your own device) can go hand in hand, so you may also want to look at policies in that area. Many new smart devices, like fridges or TVs, have functioned perfectly fine as dumb devices. Unless you have a very valid business case, it’s best to not hook them up.”
Small businesses should also limit the sensitive information they collect, said Jay Radcliffe, senior security analyst for InGuardians.
“If you’re not doing anything with names and addresses, and your system by default is collecting that information, then don’t collect it. The tendency for vendors and people supplying the Internet of Things is to have all that stuff turned on. It’s like going to a restaurant and ordering every dish they have when really all you need is one thing.”
Wisniewski agreed that one way for small businesses to protect themselves is to not use Wi-Fi.
“Know what’s plugged into your network,” he said. “Don’t allow your employees to bring their laptops in and plug them into your network that you’re processing credit cards on.”
If you want a Wi-Fi network for employees to use during their breaks, run a separate network with just the Wi-Fi, Wisniewski said. “Give them a free Wi-Fi [network], but make sure that free Wi-Fi isn’t hooked into the same place where you’re doing all the critical stuff.”
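Wisniewski’s advice above, knowing what is plugged into your network and keeping the card-processing network apart from guest and appliance traffic, can be checked mechanically against a DHCP lease export or ARP listing. The following Python script is an added example, not from the article or any vendor quoted in it; the segment plan, the approved asset inventory and the lease export are constructed for illustration.

```python
import ipaddress

# Hypothetical segment plan for a small shop (constructed): card processing, IoT appliances, guest Wi-Fi.
SEGMENTS = {
    "pos": ipaddress.ip_network("10.10.10.0/24"),
    "iot": ipaddress.ip_network("10.10.20.0/24"),
    "guest": ipaddress.ip_network("10.10.30.0/24"),
}

# Approved asset inventory (constructed): MAC -> (label, segment the device belongs on).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("till-1", "pos"),
    "aa:bb:cc:00:00:10": ("smart-fridge", "iot"),
    "aa:bb:cc:00:00:11": ("lobby-camera", "iot"),
}

def segment_of(ip):
    """Name of the planned segment an address falls in, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def audit(lease_text):
    """Scan 'ip mac [hostname]' lines (DHCP lease export or ARP listing) and return
    (severity, ip, mac, message) for unknown devices and segmentation violations."""
    findings = []
    for line in filter(str.strip, lease_text.splitlines()):
        ip, mac, host = (line.split() + ["?"])[:3]   # tolerate a missing hostname
        mac, seg = mac.lower(), segment_of(ip)
        if mac not in INVENTORY:
            # Unknown devices are expected on guest Wi-Fi; anywhere else they need a look.
            if seg == "pos":
                findings.append(("high", ip, mac, f"unknown device '{host}' on card-processing segment"))
            elif seg != "guest":
                findings.append(("medium", ip, mac, f"unknown device '{host}' on {seg or 'unplanned'} segment"))
            continue
        label, expected = INVENTORY[mac]
        if seg != expected:
            findings.append(("high", ip, mac, f"'{label}' belongs on {expected} but was seen on {seg}"))
    return findings

# Constructed lease export: the fridge has landed on the POS VLAN and a stray laptop is there too.
SAMPLE_LEASES = """\
10.10.10.5  AA:BB:CC:00:00:01  till-1
10.10.10.77 aa:bb:cc:00:00:10  smart-fridge
10.10.10.90 de:ad:be:ef:00:01  staff-laptop
10.10.20.4  aa:bb:cc:00:00:11  lobby-camera
10.10.30.12 ca:fe:00:00:00:01  phone
"""
```

Running `audit(SAMPLE_LEASES)` reports two high-severity findings: the inventoried fridge sitting on the card-processing segment and an unknown laptop on the same segment, while the unknown phone on guest Wi-Fi is left alone.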
If a physical connection to an IoT device is not possible and you rely on Wi-Fi, consider switching to a new network that uses the WPA3 protocol and not the now-compromised WPA2. All Wi-Fi devices manufactured since July 1, 2020, must have WPA3 certification, but check with your vendor before purchasing.
Cybersecurity while traveling is another concern. Use 3G, 4G, or 5G when possible, because a favorite trick of cybercriminals in public places and hotel lobbies is to set up alternative, authentic-looking Wi-Fi networks.
Check every product you want to connect to your network before you purchase it, because even a printer could be your weak security link.
Haley said part of the onus for security should be on the manufacturers of these connected devices.
“I think manufacturers are going to have to figure this out, but unfortunately, it’s going to have to take a big incident [for things to change]. But for now, small businesses have to do a couple of things. You have to ask what you have connected to the internet and what the risk of that is. … [I]f you have those security cameras, research and see if there are vulnerabilities – and if there are, patch them. And if you have a commercial router, you have to make sure there are good passwords on there. And if there’s a vulnerability, you have to make sure you’ve updated to the latest patches.”
Human error is the No. 1 cause of successful cybersecurity attacks within any business. From choosing strong passwords to downloading patches on the day of release, every business needs to take cybersecurity seriously. Teach your staff about the types of attack, how to spot them, and what to do if they think they’ve been targeted.
Clear leadership from the top, as well as staff education and monitoring, is vital to cybersecurity at any company.
Linda Rosencrance contributed to the writing and reporting in this article. Source interviews were conducted for a previous version of this article.