News & Views


IEEE comments on cybersecurity test fund

Businesses rely on enterprise IoT devices to increase productivity and enable hybrid working. These smart devices collect sensitive data, which can be accessed by other users, making them an attractive target for cyber criminals to exploit. With organizations now able to apply for up to £200,000 of Government funding to support research into the cyber security of office devices which connect to the internet, we ask IEEE’s (www.ieee.org) Steven Furnell, senior member and professor of cybersecurity at the University of Nottingham, and Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, for their views on how the evolution of IoT technology and smart devices is impacting enterprise security.

“IoT devices have the potential to collect and access a large amount of personal information about users and sensitive data relating to their environment.  Devices are often linked to the accounts that consumers use on other devices.  The difference is that on these other devices they are more readily protected against unauthorised use.  On the smart device people may set them up initially and forget that they are essentially ‘logged in’ all the time.  Added to this, people are often less mindful of the security risks posed by IoT devices, as they do not necessarily think of the devices as storing and communicating data in the same way as traditional computing devices,” says Furnell.

“Most IoT devices are not doing any ongoing checks on who is using them; they are set up and can then be controlled equally by anyone, albeit maybe with a password or PIN required to get into the ‘Settings’ menu. However, introducing a check each time someone wants to do something would not be possible if we rely on traditional methods. Biometrics open the door to making the checks in a friendly and tolerable manner, with the potential for seamless transitioning between users of shared devices.”

“IoT devices can provide an easy way into an enterprise’s network, especially with a BYOD culture in place.  With more devices there are more endpoints, and this could lead to a chain-attack which has catastrophic consequences.  Organizations need to ensure they deploy IoT devices with sufficient security policies in place, such as firewalls and intrusion detection and prevention systems, but they also need to ensure they cater for the confidentiality of their customers' data. This is where encryption plays a core role.  Of course, all devices need strong passwords, but it is also good practice to enforce certificate-based authentication which identifies communicating individuals and authorised devices,” adds Curran.

“Many of the steps in securing IoT activities are similar to security within the larger enterprise system. However, organizations need to be aware that privacy issues can arise due to their IoT data collection mechanisms which may lead to user profiling and identification of individuals in unforeseen use case scenarios. The greatest care needs to be taken when deploying data collection devices with regard to their lifecycle, data collection mechanisms and overall security protocols. While devices may have some protections built-in, products with poor cyber security can leave companies using them at risk, particularly as more and more data is being collected. Adopting a multi-layered security strategy is often best practice.”

Further detail about the cybersecurity test fund can be found at www.gov.uk/government/news/up-to-200000-available-to-test-security-of-smart-devices-used-by-nearly-all-uk-businesses