The number of personal devices, such as medical wearables, smart gym equipment and connected kettles, that employees are connecting to business networks is on the rise. At home, the number of connected things also keeps growing. Whilst they may bring us convenience and lifestyle benefits, for the security team these devices can often be a cause for concern.
A vocal advocate for stronger and more proactive cybersecurity practices, Greg Day has lived and breathed cybersecurity since the earliest days of the industry in Europe. Greg is vice president and Chief Security Officer for EMEA, Palo Alto Networks, and works in an advisory capacity for a number of industry and governmental organisations, such as Europol.
Passionate about increasing the understanding of the security challenges businesses face and the ways in which cybersecurity can empower organisational change and growth, Greg discusses how connected devices can pose a serious and increasing risk to financial services organisations and what they can do about it.
Increasingly, the things around us are connected. Whether in our homes or offices, devices as varied as watches, kettles, cars and toys are now connected to the internet. This network, the so-called Internet of Things (IoT), is set to grow massively as microchips find their way into millions of previously ‘dumb’ objects. Indeed, according to GSMA Intelligence, by 2025 there will be 24 billion connected devices. This is despite the fact that short-term spending on IoT projects will be constrained owing to difficult market conditions resulting from the pandemic.
Moreover, the true realisation of 5G is (almost) here. 5G’s arrival will enable better connectivity than traditional fixed networks while at the same time empowering huge volumes of connected devices.
The issue is that each and every one of these devices represents a potential security vulnerability. Networks are only as strong as their weakest link. Recent analysis by my company’s threat intelligence analysts, Unit 42, uncovered that 98 percent of all IoT is unencrypted, whilst 57 percent of IoT devices are vulnerable to medium- or high-severity attacks. In a connected world where sensors that cost pennies are connected to business networks that support multi-million-pound businesses, it is clear how their increasing prevalence poses a serious security issue.
The potential risks were recently revealed in some research we conducted into how businesses secure the Internet of Things devices on their networks. The survey revealed that technology leaders acknowledge that they need to make significant improvements in how they approach IoT security in order to keep their organisations safe.
We also looked at how IT decision-makers in the international financial services sector perceive IoT security. In financial services there are real security risks from the personal devices that people are connecting to business networks. The top five devices found on networks amongst financial services businesses were connected kitchen equipment (39 percent), connected personal medical devices (37 percent), connected gym equipment (33 percent), games consoles (31 percent) and smart toys and connected cars (both 22 percent).
It’s important to note that many of these devices are not typically built with security in mind and so can provide an easier point of entry into a business’ critical systems and applications.
Fortunately, there is a recognition amongst those in financial services that things need to change. One in two IT leaders from financial services companies responded that there needed to be a major improvement to IoT security practices. Moreover, a similar number (53 percent) reported that they do segment IoT devices onto a dedicated network. This shows that many have at least taken one of the first basic steps towards preventing attackers from crossing over from a compromised device into critical systems to access valuable information.
Nonetheless, it remains the case that one in five respondents from financial institutions say they are not segmenting their IoT devices on a separate network from the one they use for primary devices and key business applications (HR systems, email servers, finance systems, etc.). For these businesses, it is critical that they address this in order to prevent attackers from entering the network via an easy route and then jumping across to access sensitive information or critical systems from there.
The research shows there’s more we need to do to close the gap in IoT security strategy, especially as technology teams deal with the proliferation of such a diversity of connected devices at an exponential pace.
Visibility is critical to realising the business opportunity and understanding the risks of IoT. This is because most devices use proprietary methods, which are increasingly encrypted. If you cannot tell what a thing is or what normal looks like, you cannot define what that device should be allowed to access and why. More critically, how do you spot a change that could be either good (new capabilities) or bad (the device compromised and being used as a gateway for attack)?
With the influx of IoT, including the supply chain sub-dependencies that it entails, organisations should never assume they are adequately secured. Security controls are not standardised between device manufacturers, and the value of IoT devices varies wildly, from a few pounds to millions of pounds. Quite simply, businesses cannot afford to expect the same level of investment in security controls when the IoT asset value varies so greatly.
In office environments, the blend of personal devices, such as medical wearables, and business systems, such as building management controls, already made it challenging for businesses to segment and separate risks. With many people now working from home, and likely to want to continue doing so after the pandemic, security teams are facing an even bigger problem. Business devices and laptops are sharing networks with smart doorbells, heating systems, smart TVs and digital assistants. At the same time, some work device lockdown controls have been watered down to accommodate business requirements, such as home printing. There can be thirty to fifty devices connected to a home network. In a business environment, this would be cause for higher levels of security, but at home this is rarely the case. Indeed, it is rare that even basic steps such as changing default passwords have been taken.
With home networks, security teams are finding it difficult to separate out all the Things connected to the network at the device level, as they typically would. For this reason, this separation needs to take place at the application level, so decreased communications tunnels can be set up between the required business applications. This moves security beyond the simple decision of ‘allow or block’ to an approach that is far more aligned with business requirements and specific use cases, recognised in security circles as segmentation.
IT and security teams need to embrace the visibility of IoT devices and then both segment their critical digital business assets and align IoT things only to the business processes required. It is this micro-segmentation of devices, the next step in the IoT security journey for most financial services businesses, that will ensure that highly valuable and sensitive data is not put at risk by an exercise bike, a connected car, or someone’s connected teddy bear.