Cybersecurity
IoT is advancing at full speed, what do we do about cybersecurity?

The positive aspects of this technology are many and varied, but there are also some risks that it would be wise to keep in check.
The expansion of the Internet of Things (IoT) seems to know no bounds. Suffice it to say that IoT devices account for 54% of the 21.7 billion devices currently connected and are expected to exceed 30 billion by 2025, equivalent to about four devices for every person. The fields of application include wearables that monitor physical activity, but also agriculture, automotive industry, health, industry, education and home automation.
As IoT devices become widespread, the threat of attacks by cybercriminals, saboteurs, hacktivists or even government organizations spreads too. According to Gartner, 45% of organizations will experience a supply chain attack in the next two years, while 60% of SMEs experienced a cyberattack in the last year. Small businesses, which create about 50% of jobs in most economies, saw a 424% increase in cyber breaches last year.
The potential damage is enormous. Statistics from the National Cyber Security Alliance show that 60% of companies that have suffered a data breach close within six months. The cost of cybercrime is expected to reach $10.5 trillion by 2025.
Healthcare, financial services, retail, manufacturing, education, utilities, infrastructure, and government are sensitive targets for a variety of reasons. Security Magazine reported that one-third of healthcare IoT devices present cybersecurity risks and at least one of every two devices in hospitals has some vulnerability.
Not surprisingly, according to Statista, the IoT security sector has experienced significant growth, from 15.3 billion euros in 2021 to 18 billion in 2022. However, “these statistics have not motivated all companies to implement a cybersecurity plan,” Cristina Dolan, a computer engineer and cybersecurity expert, explains to Bankinter Innovation Foundation. According to her, “companies that do not manage their digital assets run the risk of losing customers, financing and capital, and it is difficult to recover from the loss of reputation”.
The truth is that the biggest threats come from the habits of users, who should (at least) make sure to change default login credentials, separate the network where IoT devices connect from the one they use for work, constantly update the device (software and firmware), and set policies so that some devices cannot access more sensitive and critical resources. In fact, Dolan warns that “with the widespread use of AI with generative and predictive capabilities based on learning from password leaks, tools such as PassGAN have progressed, and can guess 51% of passwords in one minute, 65% in one hour, 71% in one day and 81% in one month.”
“Citizen education in cybersecurity and security is of utmost importance, especially for the most vulnerable segments of the population. People spend on average 3 hours and 15 minutes on their phone every day and 49% of users open an app 11 times a day, use 10 apps per day and 30 per month. Mobile devices account for a large percentage of digital fraud, and the average user does not have sufficient knowledge to protect their data,” warns the expert.
Dolan also adds that, “unless users start taking cybersecurity more seriously, the risks will not be manageable.” Nor is it a generational issue: “while millennials are tech-savvy and make up the largest generation in the workforce, they tend to be less aware of their cyber risks.”
Many network-connected devices, from smartphones to surveillance cameras to automobiles, collect information on an ongoing basis. Some data is collected with some level of consumer permission with the expectation of better services, lower insurance premiums, or active location services. But users are often unaware of the potential threats.
In addition to basic cyber hygiene recommendations, such as continually changing passwords, better if they are long and complex, and not sharing them, there are several technologies that help protect users. For example, reasons Dolan, “there is multi-factor authentication (MFA) that uses verification codes that are sent via SMS messages, emails or special mobile authentication apps that are a simple way to add an additional layer of security when available.” On the other hand, she adds, “the Fast Online Identity Authentication (FIDO) method allows authentication through a combination of hardware, biometric scanning, such as a fingerprint or facial recognition, and a private key.”
While the average citizen is the target of phishing emails, malware (botnet) and social engineering scams, from the point of view of organizations, Dolan explains, “backdoors in corporate devices are not the only avenue for unauthorized access to data, in fact, insider threats are probably the most dangerous. Employees, but also contractors, suppliers and third parties, often have greater access to confidential information. Therefore, restricting information as necessary, as well as monitoring user activity, implementing robust security policies and procedures, and providing ongoing security training is vital to reducing risk.”
Research by Statista shows that 33% of companies that have adopted IoT consider cybersecurity issues to be primarily related to a lack of qualified personnel. For its part, Stanford University has estimated that 85% of all data breaches are caused by employee error. In this regard, Dolan assures that “cyber education is the most powerful deterrent to cybercrime and more and more companies are providing security training to their employees, but hackers are getting more and more creative”.
Regulators around the world are raising the bar for cybersecurity and data protection, which is increasing awareness at the highest levels of organizations. In any case, the expert qualifies, “they must proactively monitor their networks for potential threats and vulnerabilities in real time, rather than waiting for an incident to occur.”
There are many technologies that offer effective tools for defense, such as firewalls, anti-malware software or intrusion detection and prevention systems. In particular, Dolan advises implementing “network detection and response (NDR) systems to monitor network traffic and identify suspicious behavior or anomalies; security information and event management (SIEM) solutions that provide real-time monitoring of security incidents; endpoint protection tools and user and entity behavior analysis (UEBA) to identify anomalous or suspicious activity.” But, above all, she says, “awareness and education are the most powerful tools to reduce cyber risks”.