Constant development of technology, as well as ever lower prices of sensors and smart devices, has resulted in news about the IoT (Internet of Things) on a daily basis. However, we still aren’t living in the IoT world with full capacity for several reasons – from the lack of IoT professionals, small business IoT case studies which would persuade as many small business owners as possible that digital transformation is needed, all the way to old habits which people find difficult to break.

IoT still hasn’t introduced automatization into our private lives as much as it was expected, but its industrial usage is increasing every day. Naturally, every serious business is going to conduct a SWOT analysis prior to the decision about digital transformation. A part of the analysis dealing with threats (T) certainly includes safety, which has been one of the burning issues in the IoT community for years.

Even though people are much more emotional when it comes to the possibility of abusing IoT solutions for their personal needs, it can’t be denied that companies are paying attention to this issue, too.

The main problem lies in the complexity of IoT system security. The devices are vulnerable on their own, as well as the system as a whole; there are lots of potential oversights, and a person who could abuse all of these could do it from anywhere in the world via the internet, or even come from a country in which there are no legal consequences for such acts.

Threats

In short, threats abound. Starting from the ones envisioned in popular culture, such as the Black Mirror episode where IoT bees were hacked to kill people, to those which we have already witnessed, like hacking devices with the purpose of bitcoin mining, or stealing the data. Either way, the most common cause of a potential attack in industrial IoT is corporate espionage.

The main aim of espionage activities is either to provide information which will make the competition stronger in the market, or to harm your business in such a way that you will no longer be competitive, or even be forced to shut down the business. In this sense, the most common activities are the following:

Recording the employees

Of course, this is possible only if your devices can perform video or audio recording. Another issue is that employees could be quite uncomfortable about someone watching their every move. Basically, video or audio recording of the employees is not that dangerous on its own, unless we’re talking about revealing business secrets and operations or using it for blackmailing the workers.

Data theft

Data theft is the most common case of abusing vulnerable IoT systems. There is just too much important and confidential information which could help the competition to gain the advantage in the market: the employee structure and their salaries, client contracts, business operations, technologies, confidential data, and so on.

Nevertheless, even though your competitors are the only ones who are interested in the data, that doesn’t have to mean they are the ones who have hacked into your system. It so often happens that hackers get into the system through the places which were poorly protected, and then sell the information to your competition, or blackmail you to prevent this.

Abusing your resources for their needs

I already mentioned hacking devices to perform bitcoin mining. Even though this is not too big a threat to your business, it still wastes your resources, which makes it worth mentioning.

Stopping your business

By hacking into your system someone could control your devices, and the possibilities are endless; from switching the devices on and off, to their blocking, slowing down, or even stopping the total functioning of your business. Also, DDoS attacks can disable your devices and stop them from functioning normally. Once again, the potential attacker can be your competitor, or someone asking for money in order to end the attacks.

A higher level of espionage?

Naturally, all these methods don’t have to be limited only to the corporate level, as they can apply to private and country levels, too. Most of the future wars and international conflicts will take place in the fields of technology. Whoever wins the technology race will probably win the war, too. We already have examples (or at least suspicions) of such acts.

And with the increased IoT usage, e.g. smart cities, the probabilities of such exploitations will be even greater. Imagine how much damage could be made if someone decided to paralyze the functioning of entire cities in one country.

For this reason, it is little wonder that security is one of the most current topics in the IoT world. The fact that potential threats don’t originate from competitors or an enemy state, but from enthusiasts (hackers) who see this as a way of earning money, tells us that we cannot be certain where the threat comes from. This is precisely why safety measures have to be of the highest level, and no matter how big the security investments are, they are always much less than the damage which could be caused as a consequence of such undesirable events.

Security best practices for employees

The first step towards avoiding potential security breaches for any business is making sure the employees are well-informed of security best practices, considering the fact they have access to business data and information.

Once employees are informed, they can take security measures themselves, not leaving the task entirely to the security team. The following steps can be taken to properly equip employees with the right knowledge regarding theirs and the business data and information at large:

• Conducting regular security-enlightenment sessions for the employees: This serves to equip employees with the right knowledge about data security.
• Activating firewalls and 2-factor authentication.
• Ensuring all employees’ IoT devices are well-equipped with the right security software: In and outside the organization, employees should be mandated to have the right antivirus software set-up. If VPNs save the day for the organization, the employees should have the VPN best suited for their particular device setup -- this could be VPNs for MacBook, VPNs for torrenting, VPNs for Kodi, VPNs for Streaming Netflix, and so on. However, finding the right VPN that is serious about your security, doesn't log and doesn't request high-risk app permissions is often the difficult part as a recent study by security firm CSIRO found that a lot of VPNs can't be trusted. It's important to study, review and compare some of the high-rated VPN service providers like NordVPN and ExpressVPN amongst other great VPNs after you consider these factors. The VPN you plan to subscribe to should have proven over time to be efficient and safe in terms of security, speed and user data.
• Regulating the information and data employees can access with their personal IoT devices.

Once these measures have been put in place, the organization should also have a timely security assessment and reviews put in place because data security is a continuous practice, not a one-off task. These reviews will help the organization take note of and fix weak spots and vulnerabilities.