Are IoT devices the weakest link in cybersecurity?
Internet of Things (IoT) devices have inundated our everyday lives, with an estimated 14 billion IoT devices connected worldwide, according to Transforma Insights. From smart thermostats and refrigerators to connected cars, it’s hard to get through a day without interacting with an IoT device, especially considering most people carry one in their pocket or purse. However, in the era of connected living, these devices can pose a serious cybersecurity risk for insurers and their commercial policyholders.
“To think that their client’s data could be exposed by the refrigerator that the employee break room has would have been unthinkable 20 years ago, but that’s an extremely real threat right now,” said Sam Shay, creative director of Socotra. “[It] doesn’t matter how ‘smart’ or ‘dumb’ the appliance is — anything that is connected to your network through Wi-Fi is going to pose a serious threat.”
Hackers have commandeered IoT devices in the past to wreak havoc on personal lives and entire countries. In 2017, cybercriminals manipulated the firmware of over 465,000 implanted pacemakers, making it possible to drain the pacemakers’ batteries, steal sensitive data and change lifesaving settings. A year later, the Mirai botnet dismantled internet access in various countries.
IoT device risks
Many IoT devices are untracked, poorly managed or unmonitored, writes Security Scorecard. Combined with weak passcodes, botnets and the rise of AI-based attacks, P&C insurers and their commercial policyholders become more vulnerable whenever an IoT device comes onto the property. CompTIA investigated cyber risks for IoT devices and found these were the top four.
- Data theft: Gaining improper access to personal information, including names, social security numbers, health ID numbers, phone numbers, user accounts and home addresses.
- Service disruption: Using an IoT device (or multiple) to render crucial infrastructure unusable, such as a database, water system or power-generating dam.
- Service or data manipulation: Adjusting IoT device settings to make the service unavailable, cause physical harm to the user or damage the device or other devices.
- Non-compliance: Making changes to the IoT device that violate government privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The “default password threat”
Some simple changes and protocols can mitigate the cyber risks of IoT devices, such as changing default passwords. Many IoT devices are installed with default passwords that are never changed. The organization Global Information Assurance Certifications (GIAC) dove into the “default password threat,” noting hackers don’t often need complex methods to access secured systems because default passwords still used in built-in accounts offer easier access.
Default passwords are the username and password pairs that ship preconfigured with software, a database, an operating system or an IoT device, such as a security camera or smart plug. These credentials are publicly available online, in vendor handbooks and in other open sources. The SANS Institute recognizes default passwords as one of the top ten cybersecurity threats. Luckily, replacing them with a new, stronger password lowers the cyber risk.
Reducing IoT cyber risks
In addition to updating default passwords, CompTIA recommends connecting IoT devices to secure networks with strong, unique passwords, adding firewalls to the company network and limiting the permissions allowed for the device. For example, a smart bulb or refrigerator likely doesn’t need access to your contacts.
Insurers and commercial businesses can enhance their IoT cybersecurity with these measures, says CompTIA:
- Increase device monitoring with security information and event management (SIEM) and intrusion detection systems (IDS).
- Enhance security features to encrypt stored and transmitted data.
- Add more authentication to control IoT device connections to the network.
- Adhere to IoT and ICS standards from the National Institute of Standards and Technology (NIST).