Hidden Cyber Exposures in Internet of Things (IoT) Devices
WHY THIS MATTERS
The Internet of Things has made life easier by making it more convenient. However, there may be a hidden cost for this convenience.
The cost to individual end users may be surrendering some of your privacy.
The cost to industry, may be giving up your security.
In either case, inaction simply makes the cost too high.
Proactive steps to ensure IoT privacy and security need to be taken. That rests in the hands of the device owner or user.
Proactive steps to protect your business’s bottom line need to be taken. That rests in the hands of specialized cyber insurance broker and carrier.
There are no breaks on the darknet
Hackers evolve their skills in good times and bad times, before, during, and after COVID-19.
Who wins when it comes to IoT devices, the hackers, or the cybersecurity teams?
Reports indicate that in Q1 2020 the hackers are winning.
IoT devices possess some inherent security flaws, providing a gateway into networks storing personally identifiable information (PII), personal health information (PHI), and payment card information (PCI).
Individual IoT End Users
The more that we rely on technology, the more we need to take some necessary precautions to protect our privacy and security, especially during remote work.
Hidden Exposure: The Android Ring Doorbell App
This year, the Ring app’s third-party hack surprised users worldwide. An investigation by the Electronic Frontier Foundation (EFF) revealed that the Ring doorbell app for Android allows third-party trackers to share users’ PII (such as names, email addresses, app settings, sensor data, and private IP addresses) to four external analytics and marketing companies including Facebook, MixPanel, AppsFlyer, and Branch.
IoT Device Manufacturers
IoT device manufacturers bring a steady stream of new smart devices to market without security by design. The end users may simply set up the device with default settings and passwords, unwittingly opening the door to hackers and fraudsters.
As large enterprises seek to limit the cybersecurity vulnerabilities left open by the IoT device manufacturers, industries are exploring best practices to limit hidden IoT cyber exposures.
Detecting, Stopping, and Predicting IoT Security Breaches
This month, Microsoft announced that it would be acquiring CyberX, a security startup that focuses specifically on detecting, stopping, and predicting security breaches on internet of things networks and the networks of large industrial organizations.
Reports highlight that CyberX will complement existing Azure IoT security capabilities, the idea being to improve the security posture of IoT devices including those used in industrial IoT, Operational Technology and infrastructure scenarios.
Digital transformation involves understanding the emerging risk from the technology on hand as well as new technology. End users need to identify and connect existing IoT assets across wider physical footprints (such as factory or warehouse floors), then pay close attention to security flaws that need to be fixed.
IoT Malware Campaign Infects Global Manufacturing Sites
A reported malware campaign began in October 2019, targeting security flaws in networks at manufacturing sites North American, Latin America, Africa, and the Middle East. The hackers infiltrated a wide range of connected products using a self-spreading downloader running malicious scripts as part of the Lemon_Duck PowerShell malware family.
The global spread and variety of affected devices is having a significant financial impact on the manufacturing industry.
Regulations En Route
IoT manufacturers will need to adjust to new security standards -- if they have not already done so.
New laws include CCPA in California, the national Developing and Growing the Internet of Things (DIGIT) Act, IoT-focused laws introduced by the UK government, and the voluntary tool created by the National Institute of Standards and Technology (NIST).
Cyber Risk Management
Individual IoT device users need to take proactive steps to protect their privacy. Since security may not be built into a device, you need to use your own strong, unique password and consider the other privacy settings on the device.
IoT cybersecurity measures such as Endpoint Detection and Response (EDR) illustrate improvements in the IoT device industry. EDR, collects, records, and stores large volumes of data from endpoint activities to provide security professionals with the comprehensive visibility they need to detect, investigate, and mitigate advanced cyber threats.
The security by design approach to IoT cybersecurity provides protection built into the products. However, a major drawback of this approach is that it can only protect from known threats. Cybercriminals devise new cyberattack vectors at a faster pace than security by design, thus winning the battle.
Your business can survive a cyber loss due to an IoT device (such as a data breach or ransomware attack) with the insurance coverage and services provided by stand-alone cyber insurance:
- If you suffer a data breach, your business will need to stop the breach, investigate, notify all those impacted, recover, or restore your data, and possibly face claims or lawsuits by injured parties.
- Surviving is difficult to do without an incident response plan/team to:
- Stop a data breach or fend off a ransomware attack.
- Investigate a data breach or ransomware attack to stop future cyberattacks.
- Notify your clients, consumers, and employees (in compliance with various laws) after a cyberattack.
- Assist you with recovering or restoring lost or stolen data.
- Assist you with meeting your business continuity plan.
- If you suffer a ransomware attack, you can be compensated for the ransom payment (made with the prior written consent of the insurer) and for lost profits during the time business operations were disrupted or halted.
- If you are fined by regulators or credit card companies after a data breach, those fines are covered by cyber insurance (so long as allowed in the relevant jurisdiction under the particular facts of the matter).
- Precautionary steps with IoT devices are an important first step for the individual end user as well as the commercial entity.
- Setting up the security measures is in your hands – any inconvenience is worthwhile.
- Cyber Armada’s advocacy helps companies meet and fulfill reasonable security protocols and cyber hygiene as part of their cyber risk management.
- Transferring residual cyber risk to a stand-alone cyber insurance policy makes good business sense.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to request and robust cyber solutions appropriate for your needs and cyber risk tolerance. We understand the evolving demands and expectations of cyber insurance clients.
Contact Cyber Armada today to examine how your company faces potential financial losses from business interruption caused by IoT or supply chain failure cause by a cyberattack. Contact us at 888.727.6232.
Please watch for our CCPA video in July.