Engineering news
As more and more ‘things’ are connected to the internet, the problem will only get worse. Many Internet of Things devices have inadequate security. That is a huge cause for concern when any device can represent an entry point to the wider network, and when they can be harnessed to form ‘botnet armies’ that can carry out large-scale attacks.
An industrial facility could be put out of action, either to cripple production or for ransom. It’s already happened: in 2014 attackers used a combination of targeted emails and social engineering techniques to infiltrate and take control of a steel mill in Germany. In the absolute worst case, a breach at a nuclear power plant could trigger a meltdown, potentially leading to catastrophic loss of life and devastating environmental consequences. The recent WannaCry ransomware attack clearly demonstrated the havoc that could be unleashed on hospitals and other critical facilities.
Sadly, it’s no longer a question of ‘if’ a security breach will happen but ‘when,’ and companies of all sizes, as well as individuals, need to prepare accordingly.
I recommend a three-stage approach. First, prevent, as far as possible, an attack from taking place, by conducting a risk assessment to identify and patch any vulnerabilities. Second, ensure that if an attack occurs it does not spread and that, if a system is compromised, it is difficult for the intruder to leave with anything useful.
Third, have a clear risk mitigation plan that can be implemented as soon as a breach is suspected or identified. The plan should comply with any applicable regulations. For example, any company doing business in the EU will need to comply with the General Data Protection Regulation that will come into force next May and provide hefty fines for non-compliance.
If you haven’t already started preparing, do so now!
A good place to start is to identify all devices and applications on the company network (including employees’ own devices), ensure they are all secure and then secure the network itself. If you have a lot of connected devices, consider setting up a separate private network for them to reduce exposure. Restrict access to sensitive applications or data to only those employees who need it, or for limited periods of time. If you use public cloud services, dedicated private connections that bypass the public internet are now widely available.
These measures will not reduce the need for standard security tools such as anti-virus software, firewalls and malware detection. The more layers of security that can be built in, the better. And the more up-to-date and advanced those security tools are, the better.
This may all sound expensive but any cost should be weighed against the potential cost of a breach, which may be reputational as well as financial. That said, there are plenty of free and low-cost security devices and services, such as webcam stickers or USB data blockers which allow a device to be charged via a USB port while preventing data from being transferred or accessed. Free password management and encrypted messaging apps abound, while anti-phishing software providers often make available free phishing simulation tools to test employee vulnerability.
Many security firms offer cost-effective options for small businesses and provide free trials so you can be sure the solution is fit for purpose and meets your needs before any money changes hands. There is also plenty of free advice available, from solution providers as well as industry associations and regulators.
Download the report Securing the Internet of Things at: goo.gl/G1hP4c