Cybersecurity And Your Smart Devices’ Vulnerabilities
The Internet of Things has the potential to simplify lives with the high degree of automation, integration and personalization it introduces, yet those very characteristics, which make it so appealing and cause exponential growth among innovative firms, also present significant new vulnerabilities to cyberattack.
We spoke with Baker Tilly cybersecurity expert Mike Cullen about some potential threats and proposed remedies. "The big difference between IoT and traditional connected systems is IoT devices have limited cybersecurity functionality," he said.
A smart lock on the front door has far fewer options and configurations than an iPhone. Because companies strive to make IoT systems inexpensive and easy to install, they lack the kind of protections (such as antivirus software or layers of encryption) designed to keep data secure.
"By connecting IoT devices to the internet you are exposing a potentially unprotected device to the outside world," Cullen said.
Would someone want to take advantage of IoT devices and could they be hacked? They could, and they have.
A few months ago, a DDoS (distributed denial of service) attack disrupted services such as Twitter after hackers overwhelmed networks with traffic by exploiting IoT cybersecurity weaknesses, Cullen said. The devices didn’t necessarily permit hackers to spy on people through cameras, or listen to conversations through mics, as many often assume, but instead turned those IoT devices into beacons that wreaked havoc on networks.
That raises the question of potential risks from a compromised driverless car or smart lock. The former could become a real concern as car technology advances, Cullen said, but he said hacking a smart lock was likely harder than just breaking a window, prying the door with a crowbar or getting a copy of a key.
Cullen said people should immediately check the default user name and password on their IoT devices and change them (vendors usually use easy-to-guess words such as “admin” or “password”). When product designers are forced to choose between security and usability, usability often wins out, he said.
We asked him which individuals or types of organizations could be prime targets. Cullen said companies that store inventory in warehouses with smart locks are vulnerable to savvy criminals who break in, steal merchandise and resell it. He also cautioned financial institutions with sensitive investor, creditor and borrower information, and REITs or real estate private equity firms with similar sensitive data.
How will cybersecurity measures adapt? “The FTC has financial rewards for people who come up with innovative ways to secure IoT devices,” Cullen said. As companies struggle to find a robust, comprehensive barrier, some wonder whether federal regulation is more appropriate than self-policing due to serious mounting threats.
“We see companies perform a cost-benefit analysis and assess their risk tolerance before implementing devices,” Cullen said. “On a consumer level, though, this is not always realistic or practiced, since consumers don’t often think in terms of risk and cost benefit.”
Cullen said cyber-oriented insurance is gaining traction, and while most organizations have some sort of protection, coverage varies tremendously and there’s no standard coverage.
A company thus needs to work closely with a broker to understand its needs and to confirm whether the policy addresses all of them, or at least those it can afford to protect. An online retailer that stores credit card information needs very different coverage from a REIT that requires indemnification if investor information is compromised.
To learn more about this Bisnow content sponsor, click here.