In theory, the concept that any physical object can connect to the Internet and communicate with other objects to report real-world information to people via smartphones, tablets and PCs — known as the Internet of Things — has a lot of potential to benefit consumers. However, this concept can also pose dangers for businesses that are not prepared to address the technology's inherent risks.
For instance, a smart refrigerator could notify you if your food has expired. Smart utility meters are already being used in some areas to connect energy providers with building owners, to provide information about energy use. And connected thermostats monitor the temperature of a building and turn on the heat or air conditioning as needed.
These are just a few examples of connected devices. Others include connected security systems, cars, electronic appliances, lights in commercial environments, speaker systems and vending machines. In fact, market research firm IDC predicts that the installed base of the Internet of Things (IoT) will be approximately 212 billion connected devices globally by the end of 2020. [Read related article: Small Business Guide to Cybersecurity]
Based on its recent $3.2 billion purchase of connected-device company Nest Labs, Google seems to see the potential in the IoT. Nest is an automation company that makes Wi-Fi-enabled smart thermostats and smoke alarms.
Smart devices use internet technologies such as Wi-Fi and ZigBee (a wireless communication protocol) — as well as computers, the cloud and even corporate networks — to communicate with one another. In today's Internet-of-Things world, heating systems, smart fridges, smart thermostats and other smart devices are connected to the same corporate networks that run other systems like customer databases and point-of-sales systems — a security disaster waiting to happen.
The risks of Things
For instance, Target suffered a massive data breach last December when one of its HVAC vendors with remote access to the retailer's network was hacked, and it infected other Target systems, such as its payment processing and POS systems. The breach compromised the debit and credit cards of some 70 million Target shoppers, but the giant retailer was able to survive the attack.
An SMB, however, would most likely have to close up shop.
"Overall, there's going to be tremendous benefit to the Internet of Things — it's exciting," said Kevin Haley, director of Symantec Security Response. "We're going to see all these different applications, but as a security professional, I'm seeing that there's a headlong rush into this stuff without anybody really thinking through the consequences or the security aspects of it."
Most of these "things" that connect to the Internet have operating systems that make them run, which means they're accessible — and since they are operating systems, they have vulnerabilities, he said.
"It's an opportunity for the bad guys to hack in," Haley said.
Ironically, a hacker could even access the network of an SMB by hacking into the company's security system. "Now, anybody who has an Internet connection and a little hacking skills can also view your most important stuff," Haley said.
Roel Schouwenberg, principal security researcher at Kaspersky Lab, agreed.
"All these new smart devices come with their own specific, new vulnerabilities, which can give attackers new opportunities," Schouwenberg said. "They may require new technology and approaches to protect [them] properly. But people in the SMB [space] will generally have their hands full covering their existing technology. Adding new, complex devices to the equation is going to make things a lot more difficult."
When it comes to the Internet of Things, SMBs have to worry that hackers could access their networks through their connected devices, Schouwenberg said.
"Any way into — or any device into — the corporate network is one that needs protection," he added. "Attacks have become more targeted, even against smaller companies, so all these scenarios require attention."
Small businesses are particularly vulnerable to security risks because they don't usually have their own dedicated security staffs. If they're lucky, the people they pay to do their computer work happen to understand it and look out for them, said Chester Wisniewski, senior security adviser at Sophos.
The problem is, most of them don't provide that protection, leaving small businesses wide open to attacks.
"To a large degree, the best thing to do is not use all these connected devices, or at least to understand what the risk factor might be," Wisniewski said. "I've seen people who have plants that tweet when they need to be watered. We're hooking everything to the Internet. The safest approach is to do what I do and just don't plug this stuff in."
Part of the security risk stems from these devices' industrial control systems, which are often designed by people who do one thing very well. For instance, a system might be designed by a person who knows a lot about refrigerators or thermostats but designed the software so the appliance or device does all kinds of cool things, Wisniewski said.
"The question is, did they have a security expert involved in these things to understand what they need to do to maintain security? What happens when it's time to patch your refrigerator? How do you know you need to fix your refrigerator?" Wisniewski said. If you put your refrigerator or your smart thermostat on your Wi-Fi network, you're vulnerable because computer code always has flaws, he added.
For small businesses, these smart appliances or devices are usually on the same network that contains customer and credit-card information, he said.
"It's a way for someone to have a foothold inside your network that you can't track down because you never think that it's that thing [like your refrigerator] that's stealing data from your network,” Wisniewski said. "The more things connected to the area where you're conducting business, the worse it is."
Any piece of hardware that can interface with something electronically is at risk for exploitation, said Kaspersky's Schouwenberg.
"They should all be designed with security in mind," he said. "Given the slow life cycle on most of these devices, that's going to be very important. What I hope to see is that for the makers of smart devices, security will become a competitive advantage."
How to protect your business
Schouwenberg said it's near impossible for an SMB to protect all of its assets, so he suggested making a list of the most important assets and then putting the most effort into protecting those.
"Work your way down from there," he said. "Segregate your network. IoT and BYOD (bring your own device) can go hand-in-hand, so you may also want to look at policies in that area. Many new smart devices, like fridges or TVs, have functioned perfectly fine as dumb devices. Unless you have a very valid business case, it's best to not hook them up."
Wisniewski agreed that one way for small businesses to protect themselves is by not using Wi-Fi. "Know what's plugged into your network," he said. "Don't allow your employees to bring their laptops in and plug them into your network that you're processing credit cards on."
Or if you want to have a Wi-Fi network for employees to use during their breaks, run a separate network with just the Wi-Fi, Wisniewski said. "Give them a free Wi-Fi [network], but make sure that free Wi-Fi isn't hooked into the same place where you're doing all the critical stuff," he said.
Symantec's Haley said part of the onus for security should be on the manufacturers of these connected devices.
"I think manufacturers are going to have to figure this out, but unfortunately, it's going to have to take a big incident [for things to change]," he said. "But for now, small businesses have to do a couple things. You have to ask what you have connected to the Internet and what the risk of that is. You need to take the responsibility to [understand] that if you have those security cameras to research and see if there are vulnerabilities, and if there are, patch them. And if you have a commercial router, you have to make sure there are good passwords on there. And if there's a vulnerability, you have to make sure you've updated to the latest patches."
SMBs should also limit the sensitive information they collect, said Jay Radcliffe, security analyst for security firm InGuardians.
"If you're not doing anything with names and addresses, and your system by default is collecting that information, then don't collect it," Radcliffe said. "The tendency for vendors and people supplying the Internet of Things is to have all that stuff turned on. "It's like going to a restaurant and ordering every dish they have, when really all you need is one thing."
Over the past few years, it's become increasingly clear that old and new designs are vulnerable to attacks, Schouwenberg said.
"When you combine that with the more targeted nature of attacks these days, you get a very dangerous mix," he said. "Previously, companies mostly had to worry about having better security than their neighbor or competitor. That's no longer the case."
"Make sure you have your existing infrastructure under control before adding more complexity to it," he advised.