31 Aug Don’t Lose Sight of Security Among the Internet of Things
Did you know that there will be nearly 21 billion devices connected to the Internet by 2020?
According to Gartner, an information technology research company, 5.5 million new devices are connecting every day. This rapidly growing network of Internet-enabled physical devices capable of connecting, communicating and identifying with other devices is commonly referred to as the Internet of Things. Not surprisingly, businesses are looking for ways to harness its power and potential. Unfortunately, hackers are too.
The Internet of Things adds a new security dimension that businesses must consider. A single insecure connection could expose not only sensitive information transmitted by a device, but everything else on a business’s network. Though there isn’t a one-size-fits-all approach, the Federal Trade Commission has identified various security measures that businesses can generally adopt to help minimize the risks created by the Internet of Things.
Encourage a culture of security. Designate senior executives who are responsible for security. Since most security breaches are avoidable, train staff to recognize and report vulnerabilities. Address security expectations and requirements in contracts with service providers.
Adopt a risk-based approach. Direct attention and allocate resources to protect the most vulnerable network connections and sensitive information.
Consider (and reconsider) the need to collect or retain sensitive information. Steps must be taken to protect sensitive information that is collected and retained out of business necessity. Unnecessary sensitive information should not be collected or retained at all.
Manage passwords. Implement an effective way to manage passwords. Do not rely on default passwords.
Take advantage of readily available security tools. There’s a tool out there for a number of basic security testing tasks, such as scanning networks for open ports, reverse engineering of programming code or decompiling, checking password strength and scanning for known vulnerabilities. Many of these tools are free, and some of them work automatically.
Protect interfaces between devices and servers. Weaknesses are often found at the point where a device communicates with servers. The interface between a mobile device and the cloud, for example, could create an opening for hackers to access an entire network. There are a number of ways to test entry points for weaknesses. “Fuzzing” is a method that sends a device or system unexpected input data to detect possible defects. Businesses should use manual and automated tools to test interfaces.
Limit permissions. Access to sensitive information should be limited to only those who actually need it. Limiting access to the lowest level that will allow for normal functioning is known as the principle of least privilege. To maximize effectiveness, permission limits must strike a balance between utility and security.
Utilize encryption. Standard encryption techniques are available to protect sensitive data that is stored on devices and transmitted to networks. Not all encryption is created equal, so stronger encryption methods should be selected over weaker ones.
Emphasize authentication. Security starts by making sure people are who they say they are. The Internet of Things has magnified the importance of proper authentication. An authentication failure involving a single connected device could expose the entire network to which the device is connected. Depending on the nature of a business or its sensitive information, additional authentication measures may be necessary, for example a two-factor authentication process that requires a password and a secure token.
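The fuzzing described under “Protect interfaces between devices and servers,” as an added example that is not part of the original article: a small mutation fuzzer run against two parsers for a device-to-server message. The frame format (type, length, payload, checksum), both parsers and the sample message are constructed for illustration.

```python
import random

def checksum(body: bytes) -> int:
    return sum(body) & 0xFF

def make_frame(msg_type: int, payload: bytes) -> bytes:
    body = bytes([msg_type, len(payload)]) + payload
    return body + bytes([checksum(body)])

SEED = make_frame(0x01, b"temp=21.5")  # constructed sample message

def parse_naive(frame: bytes):
    # Trusts the length byte: short or truncated input raises IndexError.
    length = frame[1]
    payload = frame[2:2 + length]
    if frame[2 + length] != checksum(frame[:2 + length]):
        raise ValueError("bad checksum")
    return frame[0], payload

def parse_checked(frame: bytes):
    # Validates the declared length against the bytes actually received.
    if len(frame) < 3 or len(frame) != frame[1] + 3:
        raise ValueError("bad length")
    if frame[-1] != checksum(frame[:-1]):
        raise ValueError("bad checksum")
    return frame[0], frame[2:-1]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:                                # overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:                              # truncate at a random point
        del data[rng.randrange(len(data) + 1):]
    else:                                          # append 1-7 junk bytes
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(parser, seed: bytes, rounds: int = 2000, rng_seed: int = 1):
    """Return inputs that made the parser fail in a way other than ValueError."""
    rng, crashes = random.Random(rng_seed), []
    for _ in range(rounds):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            pass                                   # clean rejection is expected
        except Exception as exc:                   # anything else is a defect
            crashes.append((case, type(exc).__name__))
    return crashes
```

Calling `fuzz(parse_naive, SEED)` returns the malformed frames that crashed the unchecked parser, while `fuzz(parse_checked, SEED)` returns an empty list because every malformed frame is rejected cleanly.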
Finally, businesses must remember that data security is a dynamic process that requires constant attention and frequent adjustments. Since hackers are constantly adapting, so must security measures. Nevertheless, it’s impossible to protect against every cyber threat or prevent every data breach, so businesses should seriously consider Cyber Liability Insurance. Unlike traditional business insurance policies, Cyber Liability and Security Breach (Cyber Perils) Insurance policies protect against privacy injuries, such as identity theft, and cover the cost of complying with data breach notice laws.
Given the complexity of the risk and the absence of one-size-fits-all coverage, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats.
Additional information is also available in our weekly Risk Management Newsletters.