IoT: The good, the bad, and the unsecured

IoT

As Black Friday and Cyber Monday approach, anticipation is growing for this year’s snips, steals and deals on Internet of Things (IoT) devices. However, amid the thrill of Black Friday bargains, it is crucial to exercise caution and consider the potential security implications associated with purchasing and deploying IoT devices. 

What is IoT?

The Internet of Things, commonly referred to as IoT, is essentially a web of gadgets that share information and the cloud.

The concept first came about in 1982 when Carnegie Mellon University students linked the department vending machine to their computer, allowing them to check if drinks were in stock and chilled.

However, this wasn’t the first true IoT device, as Tim Berners-Lee’s World Wide Web was still seven years in the future. That honour goes to a toaster created in 1990 by John Romkey. This bizarre device was equipped with a crane system for inserting the bread.

IoT has continued to expand from here and, based on the most recent data, around 15 billion IoT devices are currently connected. It’s anticipated that this number will nearly double, reaching 29.42 billion by 2030.

Want to protect your business but not sure where to start? Check out our free guide to protecting your business on a budget.

Where is IoT used  – The good, the bad and the bizarre

IoT is used in our homes, offices, manufacturing machinery, agriculture and more. More specifically, this includes smart home devices such as fridges and dishwashers, wearable technology like smartwatches, and medical devices, with pacemakers being a great example.

IoT has the potential to enhance our lives. For example, by facilitating independent living for the elderly with conditions like dementia. This is achieved through IoT technology that gathers atmospheric data linked to residents’ movements within their homes. Should the activity drop below a certain threshold, a device will immediately notify family members or carers of a potential emergency.

Whilst working as a detective in the police, I saw IoT employed for malicious purposes on many occasions. One such occasion was when following a recent relationship separation, the one-time couple had to maintain contact due to their young child. However, whilst Mum was out with her baby she would frequently bump into the child’s father. 

After months of this and other strange activities occurring, it was discovered that a tracking device had been placed in the child’s pushchair. This shared real-time location updates and allowed impromptu meets between father and child.

As you might expect, there are also many bizarre IoT devices out there, including smart egg storage devices that can track the age of eggs and send alerts when your egg stock is running low. Although some may say that is a cracking idea!

IoT security vulnerabilities

A security vulnerability within an IoT device could be several things, from insecure default settings to a lack of physical security. This could allow anybody to log into the device by not requiring authentication. Or, where there are log-in details required, using default credentials such as a username and password of ‘admin’.

Many of us will have IP (Internet Protocol) CCTV both in our homes and places of work. Vulnerabilities may exist in these too. Failing to ensure updates are applied to our CCTV could leave known vulnerabilities unaddressed, making it susceptible to exploitation. I have seen many cases of IP CCTV being hacked and people’s personal lives being streamed live on the internet for the world to watch.

What can we do to protect ourselves?

The first thing that we can all do before we click buy on that new device, is to ensure that we are buying it from a reputable company. There are so many devices available to us for comparatively little cost. But buyer beware, often a low price can mean poor security. 

Although we can’t all be expected to comprehend the intricate technical workings of our devices, we can develop a basic understanding of security best practices. This should help ensure that the IoT devices we bring into our homes or workplaces are safe.

So, what are some of the things you can do? In no particular order, here are some of the basic requirements for cybersecurity.

1. Change default passwords

Ensure that you’re using strong and unique passwords to access devices. If in doubt, use the NCSC’s ‘three random words’ approach.

2. Apply patches and updates

Security updates and patches are extremely important in fixing any vulnerabilities in the operating system or firmware installed on your devices. Without these patches, cybercriminals could easily exploit vulnerabilities to hack into your device. 

3. Configure your routers and firewalls to block external traffic

To keep IoT devices within your home safe, you must ensure that nothing outside your home network can connect to your device. By configuring routers and firewalls to block all external traffic you’ll prevent hacks.

4. Only purchase devices with high-level security protocols

Try and stick to devices with a connectivity protocol that is secure by design and uses a low data throughput such as LoRaWAN (long-range wide-area network). You should find these details in the specs of any reputable products.

5. Check your privacy settings

We’ve already mentioned passwords, but there are a few other things you can do to improve your privacy and security. First of all, set up multi-factor authentication (MFA) on all IoT devices, whether that’s biometric authentication (such as fingerprint or facial recognition), a one-time passcode, or security questions. 

MFA makes it much, much harder for any would-be hacker to gain access to your device even if they manage to find it on a network.  

Finally, the single most important thing that we can all do when it comes to security is to keep ourselves updated and aware of new and emerging threats. So, if you’ve read this far, well done.

Cost of living CTA 3

5 ways to protect your business from cyber threats this holiday season

Holiday season

Black Friday, Cyber Monday, the January and Boxing Day sales. The busiest retail period of the year is almost upon us. But while the holiday season often brings with it bumper sales figures for retailers and bargains for consumers, it also comes with a heightened risk of cyber threats. 

For example, November 2020 saw an 80% increase in the number of common email phishing scams reported. Meanwhile, the UK’s National Cybersecurity Centre (NCSC) has been gearing up for the period by releasing updated guidance for consumers on how to shop online safely. 

However, what’s often less widely discussed is the impact this can have on small businesses. Even if your business has nothing to do with retail, you’re still at risk. Here’s why and what to do about it. 

What risks does the holiday season bring? 

Before we look at the risks themselves, it’s important to note that the festive season doesn’t necessarily mean more targeted attacks on SMEs themselves. 

However, who among us hasn’t done the odd bit of lunchtime shopping on company devices or personal devices used for work? And it’s this clandestine bargain hunting that poses the problem. It gives cybercriminals a route into your business. 

Phishing scams

Phishing scams are a year-round problem. But during major retail events like Black Friday, the chances of a successful attack grow exponentially. With so many of us frantically shopping around for the best deals, our ability to spot the telltale signs of a scam often diminishes as quickly as our bank balances. 

It’s a simple but potentially disastrous equation. If you’re in a bit of a rush, you’re not in the best frame of mind for considered judgements. And, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Fake online retailers 

Black Friday often comes with a deluge of fake websites claiming to sell this year’s must-have products at bargain prices. Unfortunately, most of these are simply fronts for cybercriminals to acquire consumers’ data or launch attacks. Like phishing scams, these can be hard to spot in the hurly-burly of major retail events, making a successful attack much more likely. 

Outdated software 

Again, this is a problem 365 days of the year. But the festive season provides the perfect cover for hackers to test out the vulnerabilities of popular software. 

Firstly, because technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. Secondly, because many consumers will suddenly be using apps they haven’t used or updated in months, often on devices with access to your business data. 

Public and home networks

You probably have decent network protection in your physical workplace, but do your staff working from home? And does the cafe around the corner with the free WiFi that everyone uses?

Unsecure public and home networks don’t stop being a problem for the rest of the year, but during busy retail periods, when people are much more likely to shop online, the risk is heightened. It gives cybercriminals an unbelievably simple way to hack into any unsecured devices on the network. Once in, they’ll be able to get to any company assets accessible from that device. 

Weak passwords 

You’ll hear us talking about the importance of strong passwords a lot. It’s the simplest thing you can change to improve your cybersecurity. However, passwords become doubly important in busy retail periods due to the amount of traffic on popular sites. It’s the perfect setting for cybercriminals to try out large-scale brute-force attacks and find out whose passwords aren’t strong enough. 

What can you do to protect your business? 

1. Educate your team about the risks

A huge proportion of successful cyber attacks stem from human error (95% according to some) so helping your team understand the risks is crucial to avoiding them.

You should approach this in two ways: immediate education and long-term training. In the short term, educate your people on the risks outlined in this piece. It doesn’t have to be more than a short email sent out before the festive season really kicks off.

However, a quick nudge to your staff to be mindful of the risks is no substitute for long-term behavioural change. For this, you need security training. How you approach this will largely depend on your business and the cybersecurity knowledge within it but, to get you started, we’ve put together a short blog on the subject. 

2. Patch your software

The importance of updating your software can’t be overstated. Without regular updates, you leave plenty of little holes in your software for cybercriminals to exploit. So, ensure everyone in your business is constantly installing updates and patches for the software on their devices – even if it’s an app or tool they rarely use. 

It’s a simple thing and won’t take you more than a few minutes each month. But, it can also work wonders for improving your cybersecurity. 

3. Provide staff with clear cybersecurity policies 

We say this a lot but it never gets any less true. If your people don’t know what security behaviours are expected of them at work, they’ll keep getting it wrong.

Clear, well-crafted company policies on cybersecurity and data protection can go a long way to removing confusion around the subject. And, most importantly, help diminish the risk of a successful attack. 

A good cybersecurity policy should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision making. For more on how to build one, read this.

4. Practice good password hygiene 

Like patching, this is a simple fix that can immediately improve your cybersecurity. So what does good password hygiene look like? Well, we recommend four steps:

  • Use complex passwords that make it difficult for cybercriminals to guess or brute force their way in. The NCSC’s ‘three random words’ is a great approach to this
  • Change passwords regularly
  • Set up different passwords for different accounts, tools and software. If you struggle with remembering them, consider using a secure password manager tool like LastPass or 1password
  • Use two-factor authentication (2FA) wherever possible

And, once you’ve undertaken these four steps, roll it out to your business. Create a password policy and make sure everyone follows it.

5. Use a VPN 

Last, use a Virtual Private Network (VPN) for all remote work, even those trips to the local coffee shop. If your employees are using public networks or their home router it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware.

A VPN can help you counter this by creating a secure connection to business systems and data, from wherever your staff choose to work. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.

Remote working CTA

How to keep your business (and people) safe this Black Friday

Black Friday

Black Friday is nearly upon us. Cue endless headlines about e-commerce retailers recording their ‘best day ever’ (since last year) and photographs of monstrous queues outside department stores.

In amongst the frenzy of articles titled things like ‘10 of the best deals on electricals this Black Friday,’ you’re also bound to find a few on safety- how to stay physically safe during the hustle and bustle or how-to’s for shopping securely online. 

However, what you won’t find is much guidance for small businesses. Black Friday brings with it a heightened risk of cyberattack, particularly in an environment when many SMEs are working remotely. So, to help you get your business through this year unscathed, we’ve put together a brief overview of the risks and some suggestions on how to avoid them. 

What cybersecurity risks does Black Friday present? 

Black Friday is a veritable all-you-can-eat buffet for cybercriminals. Millions of online shoppers, in a rush to grab that must-have deal, often means widespread carelessness on a scale that simply doesn’t happen any other day of the year – with the exception of China’s Single’s Day

Hackers look to exploit consumers temporarily taking leave of their better instincts in a number of ways. Let’s take a look at some of them.

Phishing scams 

Phishing scams are a year-round problem. We’ve all had a fake email from a major retailer that’s almost a carbon copy of the real thing but for the slightly misaligned logo, weird syntax or font that just doesn’t look quite right. 

However, during a major retail event like Black Friday, the chances of a successful scam go up. If you’re desperately trying to get a killer deal for a new TV and an email comes through telling you that you’re billing information needs updating, you’re much less likely to spot a fake. 

You’re probably in a bit of a rush, never the best frame of mind for considered judgements. What’s more, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Old apps 

Again, this is a problem 365 days of the year. But a major retail event provides the perfect cover for cybercriminals to test out the vulnerabilities of popular software and applications for two reasons. One, technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. And, two, because many consumers will suddenly be using apps they haven’t used or updated in months – giving cybercriminals an easy route in. 

Is your business considering switching to remote working permanently? Don’t make a decision before reading our new guide, Cyber Safety in a New Era of Work.

Fake websites 

Much like phishing scams, Black Friday usually comes hand-in-hand with a glut of fake websites claiming to sell this years’ must-haves at bargain-basement rates. Most of these sites are simply fronts for hackers to acquire data or launch attacks on unsuspecting consumers. 

Public networks

This is unlikely to be a problem at your workplace. But you’d be surprised how often people pop to the local coffee shop for lunch and log into an unsecured public WiFi network on a company device. And this is all the more likely on Black Friday as people check out the latest offers during their lunch hour. 

The problem is this gives cybercriminals an unbelievably simple way to hack into any unsecured devices on the network. Once in, they’ll be able to get to any company assets accessible from that device. 

Weak passwords 

We’re often banging the drum about the importance of strong passwords. And although it’s vital all the time, it’s particularly so during an event like Black Friday. With so much traffic on popular sites, it’s the perfect time for cybercriminals to try out large-scale brute-force attacks. 

How does this affect SMEs? 

You could be forgiven for wondering what the risks we’ve outlined have to do with your business? After all, aren’t they all related to consumers?

Unfortunately, that’s just the problem. We’re all consumers. And your business is made up of them. Whether it’s on their lunch break or in a spare 15 mins before meetings, it’s highly probable that at least some of your people are going to spend time buying or browsing this Black Friday. This could open up your business to some of the risks we’ve run through so far. 

If, like most companies, your staff are working from home the risks are even higher. As research from ZDNET reveals, 52% of employees believe they can get away with riskier behaviour when working from home. This includes activities like browsing suspect websites and using public networks.

How can you protect your business? 

So what can you do about it? With Black Friday just a few days away, here are a few quick tips for keeping your business safe.

Educate your people

Most risky cyber behaviour stems more often from ignorance or carelessness than malicious intent. So educate your people about the risks we’ve covered in this piece. It doesn’t have to be more than a quick all-company email later this week.

Ensure everyone has the right security

Check that all corporate-owned or managed devices have the latest security capabilities correctly set up. With many people working from home, ensure the same practices you’d insist on in the office are being used everywhere. 

Practice good password hygiene

All your employees should be using complex passwords and two-factor authentication, as well as changing passwords regularly. So, set up a password policy with these requirements and ensure everyone follows it. 

Run the latest versions of all software

Ensure everyone is regularly installing updates and patches for the software on their devices. You can read more about the importance of patching and updates here

Encourage staff to shop on personal devices

It might not sound like much, but limiting the number of sites your people visit using company devices can minimise the risk of attack. So by all means let your employees shop ‘til they drop, but keep it to personal devices. 

Secure your network gateways

It’s easy to forget about WiFi itself when thinking about cybersecurity, but it’s a crucial part of good cyber hygiene. Changing the default settings and passwords on home routers can help reduce the likelihood of staff being attacked and, in turn, reduce the risk of a breach for your business. 

‘Black Friday’ always sounds a bit like an economic disaster or tragedy. And, in cybersecurity terms, it certainly has the potential to cause problems. However, by following the guidance we’ve provided, you should have everything you need to ensure this year passes without a hitch. 

Want to know more about how to reduce the risks involved with remote working? Then download our new guide, Cyber Safety in a New Era of Work.

Remote working CTA