Cybersecurity Must Come To The Fore In Building IoT Strategies
Organizations of all sizes can now introduce building digitization through IoT solutions at a level that was previously impossible, from low-cost sensors to smart equipment and internet-connected BMSs. This has unlocked many exciting possibilities, empowering firms to improve operational efficiencies, refine employee experience and enhance business outcomes. However, this speed of IoT device uptake has not been matched by the evolution of corporate cybersecurity risk management programs. According to research by the Ponemon Institute, only 32% of firms are evaluating IoT security risks as part of the onboarding process for third parties and only 54% are running penetration testing on their IoT devices.
Every IoT device introduces a new vulnerability in an organization’s network through which a cyberattack could occur, potentially damaging the business. For example, in October 2016, computers on the Dyn network were infected by Mirai malware, which scanned for vulnerable IoT devices and infiltrated them. The attack led to a major internet outage across the US, with many major services, such as Amazon and Twitter, affected. One North American casino saw hackers tap into an IoT-enabled fish tank to extract sensitive user data. IoT cyberattacks are very versatile and firms must urgently update their IoT security protocols to avoid similar breaches.
Organizations need to employ a multi-dimensional strategy for strong IoT security. With existing solutions, businesses should perform a risk assessment to understand vulnerabilities, using standardized security frameworks for evaluation and identification of areas for improvement. Any new IoT implementations must also adhere to these security frameworks, such as the NIST Cybersecurity Framework, ISO27K or the CSA Cloud Controls Matrix. Firms can also employ zero trust strategies, where any interaction with a device or database requires a sign-in, and the use of decoys, which can mimic legitimate edge devices and help identify potentially malicious attempts to access a network. Firms should also employ dedicated in-house security experts or consultants, who are regularly trained to stay up-to-date with changing security threats and approaches. These individuals can handle the network’s security and the people within it, including performing tasks such as ensuring passwords are regularly changed and updating IoT devices to the latest security standards.
Impetus around IoT security is growing in the market. In December 2020, the IoT Cybersecurity Improvement Act was passed, dictating that all IoT devices used by US government agencies need to comply with NIST cybersecurity standards. This regulation is bringing new visibility to the issue, as IoT manufacturers are forced to improve their device cybersecurity. In March 2021, cybersecurity asset management firm Axonius, which covers IoT devices, raised $100 million in funding to support their development.
To learn more about some of the emerging trends in the building IoT space, please see 10 Predictions For Smart Building Technology In 2021 And Beyond.