IoT attacks can come in many ways. Plenty of businesses sell products and services via the internet or market them there. Others interact with their customers, suppliers and partners via email and other digital mechanisms, and most make and receive payments via Internet banking and other payment portals.
Our businesses now exist within a complex mesh of data and applications services, and we are all increasingly sensitive to the availability of those services.
Threats to the availability of internet services, such as DDoS (Distributed Denial of Service) attacks, are nothing new but in 2016 cyber criminals took these to another level with IoT attacks by weaponising devices.
DDoS attacks attempt to deny access to a network, service or application by bombarding it with spurious traffic or requests so that genuine users can no longer be served, sometimes resulting in a significant business impact.
So, how has IoT changed the game? We have all heard of botnets, and we think of them as networks of compromised computers around the world. Well now we can broaden this image to include CCTV cameras and other connected devices. With an estimated six billion IoT devices already out there are plenty of IoT attacks to exploit – and they are.
Risky business of IoT attacks
Weaponisation is the key problem when it comes to cyber threats like DDoS and ransomware. The days when only savvy attackers were targeting large organisations are gone.
Nowadays the cyber crime as a service sub-economy means that pretty much anyone can launch IoT attacks or otherwise easily and cheaply (some services even offer a “free trial”). This means that anyone can be targeted and the costs can be considerable financially and from a reputation perspective.
The risks to SMEs are significant as they don’t tend to invest in the latest security technologies, and don’t have in-house teams of security experts. But there are ways in which SMEs can better protect themselves from the cyber threats and IoT attacks that are out there today.
Mitigating the threat of IoT attacks in a small business
There are four key actions small businesses can take to protect from connected IoT attacks:
(1) Implement good security hygiene across the business
There is lots of freely available advisory information out there which covers things such as using strong passwords, updating and patching systems, isolating guest networks and limiting access to key infrastructure. Implementing this advice may seem like common sense, but many don’t realise the importance of it until it is too late.
(2) Work with Managed Service Security Providers (MSSPs)
MSSPs allows small businesses to outsource network security to alleviate the pressure of managing the risk entirely within the business. MSSPs provide small businesses with cost-effective access to both the latest technologies and skilled people, so that they can ensure the right defences are in place 24/7.
(3) Educate employees
Small businesses should educate and train staff on the risks that are out there, for example through online courses to help in the identification of suspicious links and communications. Employees should be made aware that it is everyone’s responsibility to protect business intellectual property and customer data – not just those in IT – and that the impact of a breach or attack would be felt across the business.
(4) Avoid being a part of the problem
Businesses should ensure any deployed IoT devices are updated with the latest software, that default passwords are changed, that the devices are isolated form the Internet (where possible) and that any unneeded services are disabled.
In the future, IoT devices will hopefully be engineered with greater security in mind, but for now we have to limit the capability available to hackers as best we can.
Future of IoT devices
IoT devices have been actively used by attackers since 2010, but this really became mainstream in 2016. We are, unfortunately, just at the beginning of the issues we will face. Thus far we have IoT attacks through devices for DDoS and click-fraud, but it is highly likely we’ll start to see extortion and other forms of cyber crime leveraging these devices.
SMEs should not be complacent when it comes to cyber security given their increasing dependence on Internet services. Implementing good cyber hygiene, educating employees on the risk and working with MSSPs are important steps when protecting a business in the world of today.
Darren Anstee is chief security technologist at Arbor Networks