IoT Security: Why Encryption is No Longer Enough

Earlier this month, a bipartisan group in the U.S. Senate announced plans to introduce legislation that addresses security vulnerabilities in IoT devices used by the federal government. The measure includes four prerequisites for any IoT device used in the public sector:

• Devices must be patchable
• Devices must meet industry security best practices
• Devices must have changeable passwords, and must not be deployed with default passwords
• Devices must not have any known security vulnerabilities

One of the sponsors of the proposed legislation, Sen. Mark Warner, told Reuters that these relatively obvious mandates point to a broader concern: Many providers fail to meet the basics. From the article:

"’We're trying to take the lightest touch possible,’ Warner told Reuters in an interview. He added that the legislation was intended to remedy an ‘obvious market failure’ that has left device manufacturers with little incentive to build with security in mind.”

Whether or not the bill passes is up for debate, but the introduction of the legislation suggests – if not confirms – that security concerns have risen to the highest level of visibility. With IoT moving from novelty to a nearly non-negotiable aspect of business in almost every industry, security is becoming top of mind for an increasing number of businesses.

It wasn’t too long ago that questions about IoT security began and ended with, “Do you use encryption?” If the answer was yes, a select few would follow up with, “What kind?” And it was on to the next topic. That’s no longer the case. Because of high profile security breaches, organizations are increasingly security-savvy and demand more information about how their most critical information is being secured.  And rightly so.

When working with an IoT provider, here are critical questions you should be asking:

• Are default user names and credentials changeable? They have to be. There’s just no way around it (and clearly, the sponsors of the aforementioned bill agree).
• How easy is it to disable services and functionality we don’t need? You never want more potential openings for hackers to exploit, and leaving unused functionalities open offers access. It’s like leaving a door you never use or pay attention to unlocked.
• How user-friendly are data lifecycle tracking capabilities? This is especially important in regulated industries like financial services and healthcare. Knowing what data you have, where it’s going, where it’s been, and how long it’s been there is critical to keeping only the information you need. The worst kind of breach involves data that should have been removed and wasn’t.
• How is the device updated and how often? Hacking methods aren’t stagnant. Criminals are continuously refining the methods by which they’ll try to steal your data. It’s important to know how committed your IoT partner is to making security updates that protect your most important information against the latest threats.

Security concerns aren’t going away – make sure your IoT partner has your best interests in mind. Learn how KORE can help you securely launch and manage your IoT application.