A survey by Palo Alto found that a majority, or 81 % of IT decision-makers reported an increase of non-business IoT devices connected to their organisation’s networks from remote workers in the last year. As hybrid work becomes commonplace, IoT devices now presents new security challenges as just one vulnerable IoT sensor can provide cyber criminals entry into a corporate network.
iTNews Asia speaks to Vicky Ray, Principal Researcher, JAPAC, Palo Alto, to find out how organisations in vulnerable industries can better protect their networks from IoT cyber security risks.
iTNews Asia: Which industries are particularly vulnerable to IoT cyber-attacks?
The healthcare industry is particularly vulnerable to IoT cyber-attacks due to poor network security hygiene. According to the 2020 IoT Threat Report, 72% of healthcare networks mix IoT and IT assets, allowing malware to spread from users’ computers to vulnerable IoT devices on the same network.
Furthermore, the long lifecycles of medical IoT devices make the industry one of the top offenders of running outdated or even end-of-life operating systems with known vulnerabilities, exposing healthcare workers, patients and computer systems to significant risks.
Additionally, it is important to highlight that the rise of IoT devices pose an increasing risk to companies, as unsecured and vulnerable IoT devices may act as the gateway to enterprise networks. Our global IoT security report found that 81% of respondents in Singapore, saw an increase in non-business IoT devices on their corporate networks in the last year.
With remote and hybrid work being here to stay, attackers can target home IoT devices as the initial attack vector to gain entry to enterprise networks. As such, all organisations with a remote workforce will be susceptible to such attacks.
iTNews Asia: What is the potential impact and extent of damage organisations will face if they do not address IoT cyber security concerns and what are the possible attacks we are looking at?
Based on the global IoT security report, IT leaders identified Industrial Internet of Things (IIoT) attacks (55%) and Distributed Denial of Service (DDoS) attacks (50%) as the top two security risks they are most worried about.
The pandemic brought IIoT attacks to the fore as manufacturers had to accelerate their digital transformation journey to cope with the disruptions in the past two years, making previously unconnected devices now connected to each other and to the enterprise network.
Equipment and machinery are equipped with smart sensors that track and record data in real-time, which inadvertently gives hackers the opportunity to exploit sensitive industrial information in exchange for a ransom. Sabotages to the industrial environment could cripple supply chains and critical infrastructure that provide daily necessities and services for people.
DDoS attacks are an increasingly significant threat because of the rise in attacks on virtual private networks (VPNs). Attackers can cause severe disruptions by controlling a large network of infected computers all while remaining undetectable due to the distributed nature of the attacking system.
In addition to paying attackers to stop the attack, organisations whose networks have been inundated by a DDoS attack also suffer losses in time and money from the resulting downtime.
The ubiquity of IoT devices will increase the amount of data and networks connected to each individual, enabling cyber attackers to exploit vulnerabilities through our everyday devices.
-Vicky Ray, Principal Researcher, JAPAC, Palo Alto
iTNews Asia: How can SMEs better protect themselves from IoT cyber-attacks?
SMEs should microsegment IoT devices within security zones - an industry best practice where organisations create tightly controlled security zones on their networks to isolate IoT devices, preventing hackers from moving laterally on a network.
Dividing their networks into zones creates a Zero Trust architecture, a security philosophy that eliminates the concept of trust in an organisation’s network architecture. It means that no users, devices, or applications are trusted, and that everything on the network needs to be verified.
Additionally, it also requires SMEs to get complete visibility of all the IoT devices connected to their network, and keep an inventory of all IoT assets. The end goal is to create a network that allows access only to the users, devices, and applications that have been verified and to deny all other traffic.
iTNews Asia: How will IoT security risks evolve as we move into 2022?
IoT devices have blurred the lines between our physical and digital environments. As a result, IoT security risks could also cross digital boundaries and have real impacts on our physical world. As we enter the Web 3.0 era, our ability to control and interact with smart devices that have intuitive sensory triggers will be enhanced. From smart light bulbs to autonomous vehicles, the ubiquity of IoT devices will increase the amount of data and networks connected to each individual, enabling cyber attackers to exploit vulnerabilities through our everyday devices.
Furthermore, with 5G being made available across the region, more homes and buildings will be able to incorporate IoT devices such as voice-activated assistants and app-controlled systems into their facilities. IoT cyber-attacks will have far-reaching consequences, as attackers can target cars and buildings to damage our material properties, and potentially lead to the loss of lives if they target medical devices used in life-threatening situations.