A Beginner’s Guide to IoT Security

If you’ve connected anything “smart” to your network, welcome to the Internet of Things. Before you get too comfortable, be sure to secure your systems and data against attacks on these entry points.


Updated November 20, 2020


Everyone is talking about the Internet of Things, although most outside the tech world struggle to define it. For one thing, your iPad and mobile phone are not really part of the Internet of Things (IoT) because they were designed to connect to the internet.

We’re talking about products that traditionally were “disconnected” until someone had the bright idea to make them “smart.” So, they added sensors and software, and that’s how the world was introduced to the Quirky Egg Minder, the HapiFork, and the Alexa-enabled Big Mouth Billy Bass, which, not surprisingly, is currently unavailable on Amazon.

For many, the Internet of Things remains either a nebulous threat or a universe of possibilities. For small businesses, it’s a little bit of both.


Overview: What is IoT security?

While few small business owners need to worry about securing their singing fish (at least at work), there’s a good chance they’re making use of connected products in some form every day. The challenge is ensuring those devices — such as entry and exit systems, HVAC devices, security cameras, and digital assistants — do not fall prey to hackers hunting for IoT vulnerabilities.

The goal of securing your IoT system is to allow the business to benefit from smart devices’ features while not giving threat actors access to your data. This is challenging because, if a device connects to the internet to allow you to access information, it’s a good bet there’s someone on the internet actively seeking to access your information through that device.

“Every small business owner needs to know that IoT devices are little websites with other functions added,” says Greg Scott, author and cybersecurity professional. “Maybe they're security cameras, door locks, thermostats, or even coffee makers. But if a business owner exposes an IoT device to the internet, then automated armies of attackers will try to penetrate it.”

According to research conducted by F-Secure, IoT devices suffered 760 million attacks in the first half of 2019. This was 12 times higher than the number of attacks in the same time period in 2018. IoT devices increasingly are under fire by threat actors, and it’s essential for small businesses to secure their IoT devices and protect their assets.


The 3 most common workplace IoT devices

According to Allan Buxton, director of forensics at Secure Forensics, IoT devices can be divided into two categories: local devices that require network access for some of their functions, and cloud-connected devices that require internet access to function at all. For example, a smart TV will still display cable or antenna signals without internet access, but connecting it to the internet allows access to streaming services such as Netflix.

Common IoT devices include networked security cameras, lighting systems, HVAC controls, door locks, and badge readers. Each of these devices or systems needs to connect to the internet to relay information to a central management portal and to receive actions or updates based on what the operator intends.

“[A common business example would be] remotely controlling the heating and cooling in your office based on occupancy or weather patterns,” says Ellen Boehm, senior director of IoT product management at Keyfactor. “If a device is on your network and isn't secured properly, then a hacker potentially can get into your system through a weak device and target your business for ransomware, or execute DDoS attacks, which take control of your devices and use them to attack other servers.”


1. Security cameras

Security cameras, including video doorbells, allow on-site and remote security teams to surveil all entry points of a location without posting round-the-clock guards at each spot.

However, if the cameras are not secured, hackers can steal your video feed, manipulate it, repurpose it, and post it online. And if they seize control of the feed, they can reposition the camera to watch security codes being entered into smart locks, putting your offices at risk.

Earlier this year, not-for-profit consumer watchdog organization Which? found more than 100,000 security cameras in the United Kingdom potentially have security flaws that put them at risk for hacking.


2. Smart locks

Smart locks — often used in combination with smart security cameras, smart alarms, and video doorbells — are meant to improve security by allowing companies to control access to their physical workplace. Many small businesses use them as a replacement for a full-time front desk attendant. Because users must input a code or swipe an identification card, this removes the risk of lost keys falling into the wrong hands.

In 2016 (yes, AGES ago), a security researcher tested 16 Bluetooth-enabled smart locks. He found 12 offered poor to no protection. The tools he used to hack the locks were purchased on Amazon. He found the locks vulnerable due to easily decoded passwords, hackers intercepting data transmission to a network, attacks on the software code embedded in the device, and attackers impersonating another legitimate device on a network.


3. Printers

Printers technically are not considered IoT devices, but many security professionals include them as such because they often use IoT applications when attached to the network.

Over the summer, online security website Cyber News carried out an experiment to see just how vulnerable connected printers were to attacks. Its team used IoT search engines to find open devices that used printer ports.

They identified 800,000 accessible printers with network printing features and estimated they could successfully target 500,000 of them. They selected a sample of 50,000, created a custom printing script, and hijacked 27,944 of them, forcing those printers to print out documents the team sent to them.


7 ways to secure your IoT connected devices

Although smart locks, security cameras, and printers are the most common IoT devices in the workplace, remember to look in unexpected places for other culprits: the breakroom coffee pot, the voice-controlled TV in the reception area, the CEO’s Alexa-enabled Echo, the automatic lighting in the restroom, and on and on. If you are using some kind of endpoint security software, you probably are monitoring the activity on these devices.

“IoT devices provide many advantages for business owners along the lines of improving visibility into their operations, managing or monitoring energy usage in facilities, or optimizing manufacturing environments,” says Boehm.

“But it's extremely important to ensure that IoT devices within your network are not creating entry points through which bad actors can compromise your business or customer experience. The way to manage this is through secure, authenticated connections established between the IoT device and other endpoints that it communicates with.”

1. Research vendors and brands

Thoroughly research products before purchasing. Even if you don’t intend to connect them to the internet, if a device plugs into a wall, you should check if it has the ability to connect to a network. If you don’t need your coffee pot to sense when you need to make a new pot, you’re better off purchasing a model that simply makes coffee.

You’ll also want to research the vendor/brand’s history and reputation from a security standpoint. This is a good idea for ANY device these days, but for items that will access sensitive data — such as POS systems, printers, and security cameras — it’s essential.

“While we can take steps to secure our data and networks, researching the products before investing in them will tell us about a vendor’s focus on security,” says Lumena Mukherjee, cybersecurity consultant, Sectigo Store. “Past security bugs found in any of their manufactured devices and their response to security vulnerabilities are generally good indications of how much effort was made to incorporate security into the product before its release into the market.”

Also, check the manufacturer’s privacy policy. Many smart devices log data that those companies then leverage. Find out if they’ll be monitoring your activity, how they will use that data, and if you can turn off that functionality.

2. Ask for a vulnerability test

Aviran Yaacov, CEO and co-founder of Ecoplant, recommends you request a vulnerability test before purchasing smart equipment: “Essentially, the main vulnerability of IoT solutions is the ability for someone outside your business to hack the system. Therefore, internal monitoring features are essential in detecting if someone from outside your system is trying to access your data.

“In order to ensure that your IoT solution is protected and detects accurate commands, any business owner using IoT needs to ask their IoT provider the right questions to ensure that the solution offers the maximum security. Most IoT providers should share their vulnerability testing with you.”

3. Use a VPN, firewall, and separate network

Never connect a smart device directly to your server. Hopefully, you already use a virtual private network (VPN) for employees, suppliers, and partners in your efforts to prevent cyberattacks. All smart devices should be connected to the VPN to encrypt their traffic or, at the very least, the (hopefully secure) router they sit behind should be connected to the VPN.

If you don’t have a VPN (and yes, you really should), never connect to a device over a public Wi-Fi network. Also, set up a firewall, install antivirus and antimalware solutions, and use multifactor authentication. All these tactics are cyber hygiene best practices that a small business should adopt for all its systems, networking, and applications.

Numerous security professionals we consulted also recommended connecting IoT devices to a dedicated network that only allows access to relevant data. Why let a hacker access your customers’ financial data because you have your CRM on the same network with that pesky smart coffeepot? Keep IoT on a network apart from the rest of your assets.

“Many IoT devices ship with liberal default settings for attackers to exploit. Other manufacturers put in backdoors or secret credentials for factory maintenance and other support,” warns Scott. “The problem is, these secret backdoors don't stay secret, and turn into a path for attackers to enter the target company.

“Never expose an IoT device directly to the internet. Put it behind a firewall, preferably in its own DMZ network, and then use the firewall to monitor and regulate its traffic. Overcome poor IoT security with good topology and diagnostics at the network boundary.”

4. Passwords

If you read many security-related articles, right now you might be saying, “Enough with passwords! When will it stop?” It will stop when we’re convinced you don’t use your birthday or your pet’s name. See. We thought so.

Once again:

  • Passwords should be unique, long, complicated, and mix uppercase and lowercase letters with numbers and symbols. They shouldn’t spell out a cute phrase or your high school nickname.
  • Get a password manager if you don’t trust yourself to create and remember a complicated password for every device and every site/application you access.
  • NEVER use the default password that comes with the smart device. The hackers know what it is before you unbox the device.

5. Know your device footprint

Surprisingly, even for the smallest of businesses, it can be hard to keep track of all the smart devices you connect to your network — especially the ones that you hooked up, used twice, and never touched again. Yes, we know you thought the smart waffle iron in the breakroom was a winner, but who has time to make waffles? When you don’t know what you have, it’s easy to miss a rogue device.

“Business owners need to understand the footprint of their devices,” says IoTeX CEO Raullen Chai. “This means finding out which devices on their network are owned by their business and which aren't.

“A big prerequisite to this is making sure all devices have an identity in the first place, which sounds simple but is a gaping hole in many businesses today. Identifying each device means an owner can drill down and discover fake devices that do not belong and could be malicious.”

6. Regularly update devices

All smart devices incorporate firmware, and you’ll periodically be notified that a new version is ready to be installed. Most likely this won’t be automated, so when you receive that notification, take the time to carry out the update.

“For organizations, this can mean ensuring that IT teams are consistently verifying that IoT devices are up to date with the latest patches,” says Tom Lysemose Hansen, CTO at Promon.

“It also means utilizing software to monitor the behavior of the devices to ensure that they haven’t fallen victim to hackers who are performing tasks outside what is considered ‘normal.’ This is a particular issue with IoT devices that often goes unnoticed unless IT teams are acutely aware of the usual behavior of every device on the network, which is unfortunately not very often.”

When smart devices stop receiving periodic firmware updates, they are considered outdated and should be replaced. A good estimate is every four years or so. Without regular updates to patch vulnerabilities, your outdated equipment becomes a prime target for hackers.
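The inventory point in item 5 (every device needs an identity so that devices that don’t belong stand out) and Hansen’s point above about spotting devices acting outside what is “normal” can both be checked with one small script. The following is an added example, not code from the article or from any of the experts quoted; it assumes a constructed log format of “timestamp, source MAC, source IP, destination host:port” per line and a hand-maintained inventory mapping each device’s MAC to the destinations it normally reaches, all with hypothetical values.

```python
from collections import defaultdict

# Constructed inventory (hypothetical values): device MAC -> (name, destinations it normally reaches).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-camera", {"cam-portal.example.net:443"}),
    "aa:bb:cc:00:00:02": ("hvac-controller", {"hvac-cloud.example.net:443", "ntp.example.net:123"}),
    "aa:bb:cc:00:00:03": ("reception-printer", {"print-updates.example.net:443"}),
}

# Constructed sample firewall/flow log: "<timestamp> <src_mac> <src_ip> <dst_host:port>" per line.
SAMPLE_LOG = """\
2020-11-20T08:00:01 aa:bb:cc:00:00:01 10.20.0.11 cam-portal.example.net:443
2020-11-20T08:00:05 aa:bb:cc:00:00:02 10.20.0.12 hvac-cloud.example.net:443
2020-11-20T08:01:10 aa:bb:cc:00:00:02 10.20.0.12 ntp.example.net:123
2020-11-20T08:02:30 aa:bb:cc:00:00:03 10.20.0.13 finance-db.corp.example:5432
2020-11-20T08:03:00 aa:bb:cc:00:00:01 10.20.0.11 203.0.113.9:8080
2020-11-20T08:04:12 de:ad:be:ef:00:99 10.20.0.77 cam-portal.example.net:443
2020-11-20T08:05:00 AA:BB:CC:00:00:03 10.20.0.13 print-updates.example.net:443
"""

def parse_line(line):
    """Split one log line into its fields; MACs are normalised to lowercase."""
    ts, mac, ip, dst = line.split()
    return {"ts": ts, "mac": mac.lower(), "ip": ip, "dst": dst}

def audit(log_text, inventory=INVENTORY):
    """Return (unknown, off_baseline): unknown maps MAC -> first IP seen for devices not
    in the inventory; off_baseline maps device name -> destinations outside its expected set."""
    unknown = {}
    off_baseline = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        entry = inventory.get(rec["mac"])
        if entry is None:
            unknown.setdefault(rec["mac"], rec["ip"])   # rogue or unregistered device
            continue
        name, expected = entry
        if rec["dst"] not in expected:
            off_baseline[name].append(rec["dst"])      # known device, unusual destination
    return unknown, dict(off_baseline)

if __name__ == "__main__":
    unknown, off = audit(SAMPLE_LOG)
    for mac, ip in unknown.items():
        print(f"UNKNOWN DEVICE {mac} at {ip}: not in inventory")
    for name, dsts in off.items():
        print(f"OFF-BASELINE {name}: {', '.join(dsts)}")
```

On the sample log this flags one device that is not in the inventory and two inventoried devices (the printer reaching a database, the camera reaching an outside address) talking to places they never should.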

7. Don’t activate every function

Just because a smart device can do something doesn’t mean it should. I love to bark random song names at Alexa, giving her access to my Spotify playlists, but I’m not going to ask her to make an entry in QuickBooks for me.

The same applies to your business. In some ways, less is more when it comes to connectivity in the workplace. A good rule of thumb in cybersecurity is “bare minimum” access. If an employee doesn’t need a database or application to do their job, don’t give them access. Your printer has no need for your financial database, so don’t give it access.

“In order to secure your company's data and network, carefully evaluate each device prior to purchase or deployment,” advises Buxton. “If it's a new display for the conference room, does it really need internet access?

“Is there anything about that access that may give an edge to any network attackers? Where is the data stored? If locally, are you prepared to store and secure it? If cloud, what options exist for securing that data (two-factor authentication) or erasing it after it's no longer required?

“Educate your employees about the new device and its workplace impact. It may seem trivial since almost everyone has a smart-something, but most people do not consider the ramifications of misused or leaked data in a corporate environment.”


Are IoT devices the right choice?

That’s probably the wrong question in 2020. It’s really not a matter of if you should deploy smart, connected devices, but more about the why and when. It’s inevitable that, like it or not, you’ll purchase a smart device for your business. It’s important to determine if an internet connection is necessary, and if not, ensure it stays disconnected.

“Since an IoT device has some computational power and can collect and transmit data, pretty much every appliance with such capabilities, from a lightbulb to a fridge to a fire alarm, can be found in a connected business setting,” says Ivan Kot, senior manager at Itransition.

“The major weak point of all connected devices is that they are designed with little or no inbuilt security. However, by implementing proven security practices, IoT adopters can protect their connected hardware from falling victim to hacker exploits.”

In other words, make good choices.


The Motley Fool has a Disclosure Policy. The Author and/or The Motley Fool may have an interest in companies mentioned. Click here for more information.
