Top 5 Threats IoT Devices Pose to Data Protection & Privacy

Gartner Inc. predicted that by 2023, CIOs would be responsible for over three times the endpoints they were responsible for in 2018 due to the rapid evolution of IoT trends and technologies. With billions of physical devices worldwide connected to the internet today, this prediction is on its way to coming true. However, the rapid evolution of IoT technology has proven to be a double-edged sword from a cybersecurity and compliance standpoint.

IoT devices produce immense volumes of various types of data that are stored, managed and shared within an organization’s IT infrastructure. Hence, they add to the risk landscape in more ways than one with respect to cybersecurity, third-party risk and compliance with data protection regulations.

Don’t let anyone tell you that securing IoT devices is only about securing the device itself. It’s also about securing the access that an IoT device provides. Besides looking at the device’s built-in vulnerabilities, you must also consider where and how IoT devices connect to your network, how they process and store data, and their user interface.

Over the course of this blog, we’ll tell you how IoT devices can be exploited, the top 5 threats they pose to data protection and privacy, and why you must secure them from a compliance point of view. Please pay close attention so you can protect your business from security disasters and avoid penalties and lawsuits that could arise from non-compliance with necessary regulations.
How IoT Devices Can Be Exploited
There are primarily three attack vectors through which IoT devices can be compromised:

• The devices themselves: Often, cybercriminals exploit IoT device vulnerabilities in the device's memory, firmware, physical interface, web interface and network services. Insecure default settings, outdated components and insecure update mechanisms are also commonly exploited.
• Communication channels: An IoT device can also be compromised by attacking the channels that connect it to other IoT devices. Security weaknesses in the protocols used in IoT systems can put the entire network at risk, leaving IoT systems susceptible to network attacks such as denial of service (DoS) and spoofing.
• Applications and software: Cybercriminals can exploit vulnerabilities in the web applications and related software that manage IoT devices. For example, web applications can be targeted to steal user credentials or push malware.

Five Major Threats to Watch Out for
Having understood how IoT devices can be exploited to cause harm to your business, let’s now look at five major threats these devices pose to data protection and privacy. If you don’t take the necessary measures to mitigate these threats and maintain documented evidence of it, you can be penalized for non-compliance with at least one data protection regulation at some point.

  1. Abundant and Unauthorized Data Collection
    IoT sensors and devices collect enormous amounts of very specific data about the environment they are deployed in as well as the users. They even store and share sensitive data without one’s knowledge or explicit permission. Therefore, as per the compliance regulations applicable to your business or industry, this data must be secured the same way any other sensitive data in your business’ network would. For example, if you collect medical data in the U.S. through a set of IoT devices, you must safeguard it as per HIPAA regulations.

  2. A Backdoor Entry for Cybercriminals
    All it takes for a cybercriminal to ransack your network is a single IoT device that’s not fully secured. Even a malicious insider could carry out a full-fledged cyberattack on your business using an unsecure IoT device. Leaving these threats unchecked is unacceptable under any data protection regulation and hence warrants your immediate attention.
    • About 60% of IoT devices are vulnerable to medium- or high-severity attacks.1
    • Over 95% of all IoT device traffic is unencrypted.2
    • About 72% of organizations experienced an increase in endpoint and IoT security incidents last year and 56% of organizations expect to be compromised via an endpoint or IoT-originated attack within the next 12 months.

  3. A Single Security Policy Doesn’t Cut It
    IoT ecosystems are complex and add to the complexity of your IT environment as well. Given their unique nature, it’s neither realistic nor currently achievable to implement a “one size fits all” security policy for all IoT devices. The unprecedented surge in remote work has only amplified this challenge further.
    For example, while many businesses do not permit personal devices in the office during the COVID-19 pandemic, employees have them at their homes (their new offices), which means business-related work and data could be accessed by exploiting such devices.
    The Ponemon Institute’s 2021 Data Exposure Report stated that home networks are 71% less secure than office networks. Should your business fail to mitigate this threat, it could result in severe consequences when the compliance auditor comes knocking.

  4. Inability to Train Everyone on IoT Security
    Security awareness training is a powerful way to curtail the likelihood and impact of cyberattacks. However, the lack of broad universal knowledge and awareness about IoT at the user level poses a potent threat to the protection of IoT data. It is an enormous challenge to train everyone on IoT functionality and the risks it brings to the table.

    Compliance regulations worldwide consider security awareness training a major piece of the data protection puzzle, which, if missing, could ensure a compliance audit doesn’t go in your business’ favor.

  5. Threat to Privacy
    It’s undeniable that IoT devices pose a direct threat to the privacy of both your clients and even their customers. With every bit of data they provide to your business through an IoT device, they surrender a bit of their privacy. Therefore, it’s your responsibility to protect their privacy and data. Failing to do so could cost you dearly. For example, as per the EU’s GDPR, every user must have the “right to be forgotten,” and if your business fails to provide this, you will be penalized for non-compliance.

IoT Risks and Compliance
While there are no universal regulatory requirements or “standards” for the security of IoT devices, please do not assume that risks to IoT data and devices aren’t on the radar of regulators worldwide. This isn’t just a matter of cybersecurity but compliance as well. While investing in the right security solutions will enhance your business’ cybersecurity posture against IoT-related risks, you certainly need assistance in tackling this challenge from a compliance point of view.

Using our compliance process automation platform, we can help you detect IoT risks in regular compliance risk assessments, undertake remediation measures and produce automatically generated documented evidence of compliance. To top it all off, you will be able to prevent IoT-related risks associated with compliance standards such as HIPAA, GDPR, Essential Eight and NIST CSF, as well as your cyber insurance policy. All you need to do is send us an email and we can help you get started.

Is It Time to Ditch the Passwords for More Secure Passkeys?

Passwords are the most widely used method of authentication, but they are also one of the weakest. Passwords are often easy to guess or steal, and many people reuse the same password across several accounts, which leaves them vulnerable to cyber-attacks. The sheer number of passwords people need to remember leads to habits that make it easier for criminals to breach them, such as creating weak passwords and storing passwords insecurely. 61% of all data breaches involve stolen or hacked login credentials. In recent years a better solution has emerged: passkeys. Passkeys are more secure than passwords, and they also provide a more convenient way of logging into your accounts.

What is Passkey Authentication?

Passkeys work by generating a unique code for each login attempt. This code is then validated by the server. This code is created using a combination of information about the user and the device they are using to log in. You can think of passkeys as a digital credential. A passkey allows someone to authenticate in a web service or a cloud-based account. There is no need to enter a username and password. This authentication technology leverages Web Authentication (WebAuthn). This is a core component of FIDO2, an authentication protocol. Instead of using a unique password, it uses public-key cryptography for user verification. The user’s device stores the authentication key. This can be a computer, mobile device, or security key device. It is then used by sites that have passkeys enabled to log the user in.

Advantages of Using Passkeys Instead of Passwords

More Secure

One advantage of passkeys is that they are more secure than passwords. Passkeys are more difficult to hack, especially if the key is generated from a combination of biometric and device data. Biometric data can include things like facial recognition or fingerprint scans. Device information can include things like the device’s MAC address or location. This makes it much harder for hackers to gain access to your accounts.

More Convenient

Another advantage of passkeys over passwords is that they are more convenient. With password authentication, users often must remember many complex passwords. This can be difficult and time-consuming. Forgetting passwords is common and doing a reset can slow an employee down. Each time a person has to reset their password, it takes an average of three minutes and 46 seconds. Passkeys erase this problem by providing a single code. You can use that same code across all your accounts. This makes it much easier to log in to your accounts. It also reduces the likelihood of forgetting or misplacing your password.

Phishing-Resistant

Credential phishing scams are prevalent. Scammers send emails that tell a user something is wrong with their account. They click on a link that takes them to a disguised login page created to steal their username and password. When a user is authenticating with a passkey instead, this won’t work on them. Even if a hacker had a user’s password, it wouldn’t matter. They would need the device passkey authentication to breach the account.

Are There Any Disadvantages to Using Passkeys?

Passkeys are definitely looking like the future of authentication technology. But there are some issues that you may run into when adopting them right now.

Passkeys Aren’t Yet Widely Adopted

One of the main disadvantages is that passkeys are not yet widely adopted. Many websites and cloud services still rely on passwords and don’t have passkey capability yet. This means that users may have to continue using passwords for some accounts, at least until passkeys become more widely adopted. It could be slightly awkward to use passkeys for some accounts and passwords for others.

Passkeys Need Extra Hardware & Software

One thing about passwords is that they’re free and easy to use. You simply make them up as you sign up for a site. Passkeys need extra hardware and software to generate and validate the codes. This can be costly for businesses to put in place at first. But there are potential savings from improved security and user experience, and these benefits can outweigh the cost of passkeys.

Prepare Now for the Future of Authentication

Passkeys are a more secure and convenient alternative to passwords. They are more difficult to hack, and they provide a more convenient way of logging into your accounts. But passkeys are not yet widely adopted, and businesses may need to budget for implementation. Despite these challenges, passkeys represent a promising solution to the problem of weak passwords. They have the potential to improve cybersecurity as well as boost productivity for businesses and individuals alike.

Need Help Improving Your Identity & Account Security?

Take advantage of the new passkey authentication by exploring it now. It’s the perfect time to ease in and begin putting it in place for your organization. Give us a call today to schedule a consultation. Article used with permission from The Technology Press.

Required Data Security Controls for Compliance

No data protection regulation anywhere in the world expects your business to have a 100 percent perfect plan for fighting cybersecurity threats. However, your business is definitely expected to install all the necessary checks and balances that make up a resilient defense. These checks and balances are referred to as data security controls or measures.

Should your business ever undergo a security breach and you fail to produce satisfactory evidence about undertaking preventive data security measures, you could find yourself in serious trouble. Two of the most common consequences you could face would be your cyber insurance provider’s refusal to pay for damages and a regulatory body initiating punitive action against your business.

This short read will introduce you to the types of data security measures, the ones you must undertake immediately and why the time to act is now.

Understanding Data Security Controls
Data security controls are aimed towards reducing threats to sensitive and mission-critical data by following data security best practices and enforcing robust policies. These controls or measures can be largely divided into four categories:

• Operational Controls: Procedures, rules and other mechanisms aimed at protecting systems and applications.
• Technical Controls: Safeguards installed within the information systems to enforce data security policies. For example, the act of authenticating every login with two-factor or multifactor authentication.
• Administrative Controls: Policies and procedures ensuring that data security standards are followed. For example, a policy stating how the data will ideally be shared with third parties and the penalties for any violations.
• Architectural Controls: Steps focused on how an organization’s technology assets, such as endpoints, devices and storage, are connected to each other. For example, vulnerability assessments to detect weak spots in a network’s architecture.

Several compliance regulations highlight the importance of such controls and often list the kind of measures a business must undertake to demonstrate full compliance. For example, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) lists the administrative, physical and technical safeguards needed to secure the integrity of Protected Health Information (PHI). Any business mandated to comply with HIPAA that fails to produce documented evidence of the existence of these safeguards faces punitive action for non-compliance.

If you have kept the idea of implementing these measures on the backburner until now, it’s high time you reconsider your stance and attend to it proactively. Not doing so can prove to be very costly, especially in today’s threat landscape, which has only worsened tenfold due to the pandemic.

Remote Work = More Security Concerns = Greater Need for Compliance
Any business knows how challenging it is to protect remote devices (and users) from looming security threats. The year 2020 saw this challenge quadruple, with remote work increasing at an unprecedented rate. A Gartner report stated that 88 percent of businesses worldwide mandated or encouraged all their employees to work remotely from their homes once COVID-19 was declared a pandemic.

It is important to remember that compliance requirements apply to remote devices on your business’ network as well. And with the rise in the number of remote devices, it is vital to chalk out a meticulous strategy to implement suitable data security measures to make your business resilient to cybersecurity threats. If you’re wondering what these measures are, keep reading.

Data Security Controls You Must Implement
While it’s understandable that implementing certain policies and procedures can be a long and tiring effort, listed below are some of the data security measures and best practices you can start with:

• Asset Discovery and Management: Ensuring every single information asset and device on your network is accounted for and managed.
• Identity and Access Management (IAM): Efforts undertaken to define, maintain and authenticate access to your network, especially from remote users, to avoid any unauthorized access.
• Data Discovery and Classification: Discovering and documenting the type of data your business collects, where it is stored and how it is processed, to determine a risk matrix.
• Ongoing Risk Management: The act of gauging the risks your business data faces on a regular basis, including third-party risks, and carrying out remediation efforts proactively.
• Protection Against Threats: Deploying the necessary technology to build a solid defense against various threats.
• Business Continuity and Disaster Recovery: Acquiring robust tools to back up and recover data following an unsavory incident and testing them regularly.
• Incident Response Plan (IRP): A comprehensive plan to identify a security incident, contain it, notify your clients/customers about it, recover from it and document learnings from it.

You don’t have to take on this journey alone. Leveraging expertise and experience can help you carry out the process both efficiently and effectively. Drop us a ‘hello’ over an email and we can start the process.

First Step to Compliance: A Thorough and Accurate Risk Assessment

Complying with data privacy and protection regulations wouldn’t give several business owners sleepless nights if it only meant installing a predefined list of security solutions.

Compliance goes way beyond this and for good reason. In principle, regulators, local or international, want businesses to:

• assess the type of data they store and manage
• gauge the potential risks the data is exposed to
• list down the remediation efforts needed to mitigate the risks
• undertake necessary remediation efforts regularly
• and most importantly, document every single step of this seemingly arduous process as evidence

Each of the above steps is mandatory and non-negotiable. A closer look will tell you that installing a list of expensive security solutions comes only after the first three steps in the process have been followed. Skipping past these initial steps and acting merely on presumptuous knowledge is tantamount to leaving your business’ future to sheer chance. It’s anyone’s guess what that would lead to.

That’s why we’re going to explain to you why a thorough and accurate risk assessment is truly the first step towards achieving compliance. Moreover, when repeated regularly, it can help you demonstrate continuous compliance while keeping cyberthreats at bay.

Security Risk Assessments Unearth Crucial Insights

A thorough and accurate risk assessment can unearth a host of crucial insights from even the deepest and darkest alleys of your IT environment to ultimately empower your decision making. Having actionable insights at your disposal can help you build strategies to reduce risk levels in practical ways instead of shooting in the dark by testing various tools.

Here are some of the most important details that become more apparent and unambiguous with every risk assessment.

Baseline of the System
A risk assessment helps you chart out the lifecycle of all data that is collected, stored and managed in your entire network.

Identification of Threats
A meticulous risk assessment identifies all the possible threats, such as intentional, unintentional, technical, non-technical and structural, that your business data is exposed to.

Identification of Vulnerabilities
With each assessment, you get the latest list of vulnerabilities prevalent in your network with respect to patches, policies, procedures, software, equipment and more.

Current Status of Existing Controls
From the assessment report, you can also understand the existing security and privacy controls protecting your business against vulnerabilities.

Probability of Impact
An accurate assessment report is fully capable of anticipating the probability of a threat that might exploit one of your network’s existing vulnerabilities.

Strength of Impact
Risk assessment also helps you gauge the possible impact of any threat hitting your business.

Imagine how easy it would be for you to build and implement a strategy to fix the security loopholes in your business while maintaining a well-documented record of your efforts.

Why Risk Assessment Is Needed for Compliance

While assessing whether you did everything in your capacity to ensure full compliance with the regulations, you also need to keep in mind that a regulator seeks evidence of compliance – documented reports. Besides helping you chart a successful path to compliance, a thorough risk assessment adds great weightage to demonstrating evidence of compliance. When you present the risk assessment reports along with other documentation, you demonstrate how your business carried out due diligence in upholding principles of data privacy and protection.

Please remember that no regulator expects you to have a fail-safe strategy. What matters is uncompromising intent, informed action and undeterred consistency. If you can demonstrate all this, you will most likely avoid any punitive action as well as the long list of problems that could surface afterwards.

Help Is Just a Conversation Away

Contrary to what is often claimed, there are no shortcuts to compliance or to any of the steps that lead to it. At the outset, achieving compliance might seem grueling. However, it isn’t as bad as it seems when due process is followed and expert guidance is taken.

A conversation with us is all you need so we can help you walk through the complexities of risk assessment with diligent and customised guidance.

4 Reasons Cybersecurity Attack Surfaces Are Expanding

The COVID-19 pandemic impacted individuals and businesses all over the world in one way or another. Almost overnight, it disrupted the way people went about their daily routines and how companies operated. Amidst all the chaos, changes to the cyber landscape increased at an unprecedented pace. Some of the trends that powered these changes and continue to fuel them are:

1. Increased Use of Internet of Things (IoT)
• About 56 federal agencies in the U.S. reported using Internet of Things (IoT) technologies.1
• In 2021, experts expect the number of connected devices to reach 10.07 billion.2

2. Rapid Adoption of the Cloud
• Global public cloud end-user expenditure is expected to grow by over 18% in 2021.3

3. Digital Transformation
• IT spending is expected to hit $3.9 trillion in 2021.3
• Spending on digital transformation technologies increased from $1 trillion in 2018 to $2.39 trillion in 2021.2

4. Work-From-Home Model
• Over 70% of all departments and teams are expected to have remote workers by 2028.4

With an expanding attack surface comes cybercrime. According to an FBI report, cyberattacks have skyrocketed by over 400% since the start of the pandemic, making it imperative to identify and deflate cyberthreats for the health and future of your business.

Growing Cybersecurity Risks

1. Targeted Ransomware Attack
Ransomware attacks have long been a nuisance to businesses. Experts have estimated that about 10% of breaches reported in 2021, so far, involved ransomware.5 The success of this mode of attack is attributed to the simplicity with which an attacker can wreak havoc. It should worry everyone that ransomware kits are inexpensively available on the dark web.
Ransomware propagators are constantly devising new plans to evade defenses set by businesses. Without precautionary measures in place, SMBs could find themselves at risk.

2. Phishing Attacks
Phishing uses social engineering in email and cloud services attacks. Phishing attacks can lead to account takeover, credential theft and more. According to one report, phishing attacks increased by 11% in 2021 alone.5

Malicious actors using phishing scams as their method of attack are cunning enough to tilt every global event to their advantage. For example, when the pandemic started, phishing emails were sent out to the masses in the name of the World Health Organization (WHO). Later, when vaccines were rolled out, scam emails had a vaccine company’s name as the sender.

3. Insider Threats
Shockingly, close to 20% of breaches involve internal actors.5 The problem with insider threats is that they’re often the toughest to detect.

The most common causes of inside incidents are:
• Negligent employees or contractors – 62%6
• Criminal or malicious insiders – 23%6
• Credential theft – 14%6

4. Fileless Attacks
A fileless attack aims to exploit the features and tools of a victim’s environment. It doesn’t depend on file-dependent payloads nor does it generate a new file. This leaves no footprint and makes fileless attacks very hard to detect. A fileless attack is reported to be 10 times more successful than a file-based attack.7

Fileless attacks can originate through an email that directs you to a malicious website. From there, using social engineering tactics, the cybercriminal can use system tools (such as PowerShell) to distribute payloads and execute commands. Since these system tools are part of your IT environment, the threat can evade outdated security systems.

How to Stay Protected

You can ramp up your IT security and protect your business by following these steps:

• Keep your systems updated and safe from cyberattacks that exploit known software vulnerabilities by automating patch and vulnerability management.
• Ensure effective and quick recovery from cyber disruption by backing up your systems and SaaS applications.
• Secure your systems by deploying advanced antivirus and antimalware solutions that provide endpoint detection and response (EDR).
• Make sure every new device has the necessary security tools to start with — local firewall, DNS filtering, malware protection, multifactor authentication (MFA) and disk encryption.
• Always be ready with an incident response plan. No breach can shake you if you have a robust action plan. The plan should have a communication strategy with all stakeholders, including your investors and valued customers.
• Provide regular security training to your employees and vendors.

If thinking about assessing your current cybersecurity posture gives you anxiety and you’re not sure where to start, don’t worry. We can take the assessment off your plate and suggest the right solutions for your business. An experienced partner like us can make your cybersecurity journey seamless and successful. Contact us today for your cybersecurity assessment.

Sources:
1. US GAO-20-577 Report
2. Statista
3. Gartner
4. Upwork Report
5. Verizon 2021 DBIR
6. 2020 Cost of Insider Threats: Global Report
7. Ponemon Institute

The Secret to Fighting Ransomware

Understanding How It Begins

Our infographic will walk you through the lifecycle of a ransomware attack step by step.

Every business owner knows ransomware is awful, but do you really understand what it is, how it works and to what extent it can damage your business?

Our infographic, “The Anatomy of a Ransomware Attack,” explains the seven key steps hackers take to successfully infiltrate an organization’s network. You’ll get a better understanding of:

  • How a cyber gang starts its operation
  • How they pick targets
  • How they get paid
  • And more

Don’t let hackers stop you from achieving your business goals. Download the infographic now to learn how ransomware works and stop cybercriminals in their tracks.