10 steps to strengthen your IoT security: A guide for 2024

The Internet of Things (IoT) is experiencing rapid growth and is likened to the next industrial revolution. MarketsandMarkets predicts a substantial 26.9% compound annual growth rate (CAGR) for the IoT from 2017 to 2022, expanding from $170.57 billion to $561.04 billion. Global spending on the IoT is projected to reach nearly $1.4 trillion in 2021 by IDC. McKinsey forecasts that the IoT's total impact on the global economy could reach $11.1 trillion by 2025.

Despite its potential, the IoT has long been recognized as a security challenge. To mitigate risks and fully leverage the IoT's benefits, businesses can take various steps to enhance security.

Defend against DDoS attacks

Employ measures to defend against DDoS attacks, a significant security concern in IoT due to botnets. Cybercriminals exploit IoT devices in these attacks, which can disrupt web access crucial for business continuity. Ensuring constant internet availability is increasingly critical with the integration of mobile, software-as-a-service, and cloud technologies. DDoS has been a longstanding threat, leading to the development of multi-layered defense plans. Besides on-site protections, it is advisable to utilize ISP-based or cloud tools.

Update the passwords

Security standards for IoT are similar to those in other settings, emphasizing the importance of avoiding default passwords. Tools can generate strong passwords, but if creating them manually, adhere to these guidelines from the nonprofit Privacy Rights Clearinghouse:

• Avoid using the same password for different accounts.
• Refrain from using personal information in passwords.
• Avoid common dictionary words.
• Steer clear of using repetitive or sequential characters.
• Include special characters in passwords.
• Opt for longer passwords, as shorter ones are more susceptible to brute force attacks.
• Consider using a password composed of the initial letters of words in a phrase or song title.
• Store passwords securely, such as on paper in a locked place.
• Utilize a password manager, such as Firefox's, recommended by the PRC.
• Change weak passwords and regularly update all passwords.

Ban auto-connection

Ensure that no IoT devices automatically connect to open Wi-Fi hotspots, as advised by an April 2018 Online Trust Alliance (OTA) report covered by Jon Gold in Network World.

Integrate security into the procurement process

Consider the risk of IoT products along with their value. For example, connecting a refrigerator may not be wise. Recognize that every connected device is essentially a computer with vulnerabilities in its operating system and applications, as highlighted by Darren Anstee, CTO of Arbor Networks. Evaluate if the value added by connecting a device justifies the associated risks and the cost of securing it.

Once you determine that connecting the device is advisable, it's important to prioritize security when evaluating options before making a purchase. Research the manufacturer to determine if they have a track record of vulnerabilities and assess how quickly they have addressed them.

Delve into the documentation

Mika Majapuro of F-Secure advises carefully reviewing the terms and conditions. While it may not be the most exciting task, understanding this information will provide a clear understanding of the data collected by the device, thereby indicating potential vulnerabilities.

Implement secure endpoint hardening

Dean Hamilton, a veteran engineer and IT executive, suggests making IoT devices tamper-proof or tamper-evident. This can deter hackers and prevent them from accessing your data or exploiting your hardware in a botnet. To achieve this, it's important to have multiple layers of defense in place. Address all known vulnerabilities, such as unencrypted transfers, code injections via web servers, and open serial and TCP/UDP ports.

Keep devices updated with the latest patches

Ensure that your IoT devices receive and apply all available updates promptly. It's crucial to stay vigilant for any lapse in software updates, as extended periods without updates could indicate underlying issues. Manufacturers may also cease operations, leading to discontinued security support for your devices.

Isolate the IoT network from your main network

If possible, create a separate network dedicated to your IoT devices. Use a firewall to protect this network and regularly monitor it for any suspicious activity. By segregating the IoT network from your main IT environment, you can mitigate the specific risks associated with IoT devices. An effective method is to establish cloud infrastructure within a hosting data center that complies with the standards set by the American Institute of Certified Public Accountants (AICPA), specifically audited to meet the requirements of Statement on Standards for Attestation Engagements 18 (SSAE 18, formerly SSAE 16) Service Organization Controls 1 and 2 (SOC 1 and 2).

Strengthen the network

If you're using your own IoT network, it's crucial to ensure that it's well defended against threats. Implement robust access control mechanisms and a carefully designed user authentication process to prevent intrusions.

As mentioned earlier, passwords should be complex and sufficiently long to resist brute-force attacks. Consider using Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) to add an extra layer of security beyond the password, typically involving a code sent to a mobile device.

For IoT security, it's also important to employ adaptive or context-aware authentication. This method uses machine learning and specific context to continuously assess the threat landscape without compromising user experience.

Additionally, as previously mentioned, encryption is essential. Ensure that encryption is used to secure protocols at both the transport and network layers.

Embrace IoT with robust protection

The Internet of Things is increasingly integral to various industries. Therefore, device, network, and data security are paramount. By following these steps, you can reduce your risk and ensure that the IoT's value is not overshadowed by a costly, credibility-damaging intrusion.