IT Briefcase Exclusive Interview: Internet Connected Devices and Data Protection in SMBs

Businesses continue to see an uptick in IoT devices used within the office, but often times are not taking the appropriate measures to track and secure these seemingly innocuous devices. Andrew Newman, CEO and founder of Reason Software Company, shares his insight on internet connected devices in small-to-medium businesses and how these companies can keep themselves protected from IoT-based attacks.

• Q. What are the challenges SMBs face when using internet-connected devices in the office?

Companies today are beginning to understand that everything they do creates a digital footprint. Every server, mobile device, printer and digital device in the office creates data. Therefore, each and every connection can, if compromised, expose all of that data to hackers looking to steal whatever they can.

This has always been the paradox of the modern workplace – the more we rely on the internet, the more exposed we can become. The Internet of Things is like pouring a spoonful of salt on everything; with the addition of more devices, productivity and efficiency becomes heightened, but the attack surface expands with each new connection.

Nowadays, when you think about your network and what can be a potential attack target, you have to include devices such as internet-ready thermostats and light bulbs in that calculation. The Alexa your assistant bought for the office? She too has the ability to leak data or become compromised under the right circumstances. Even the “smart” office coffee maker that can be set from your phone can also be attacked.

The real issue with the Internet of Things is that businesses are no longer aware of what devices are on their networks, and this lack of insight can be exploited easily.

• Q. How many connected devices does one office usually have?

The average number of devices a businesses has connected to the internet varies, but your attack surface is always in accordance with what is connected to the internet through your network. An SMB owner with about 25 employees would plausibly have a number of servers such as mail, file and database servers, 25 or so user PCs, 6 IP cameras, 2 printers and a VoIP phone system. The attack surface covers all these entry points, and the more devices connected to the internet, the higher the risk for an attack. Until recently, it was relatively easy to keep track of what was running on corporate networks and what was not. The Internet of Things has made it so that many businesses aren’t even remotely aware of the vast number of devices running on their networks.

• Q. How frequently are you seeing hacks and breaches that stem from unprotected IoT devices?

Attacks on unprotected IoT devices are beginning to occur with greater frequency and are positioned to continue to grow in number. Last November’s shocking Mirai Botnet attack took down the servers at DYN for half a day, effectively knocking out half the internet on the East Coast of the U.S. Mirai exploited vulnerabilities in internet-connected cameras, some of which were in use at businesses. This one example shows how powerful these attacks are, even attacks that are not complicated in nature. As researchers continue to demonstrate through POCs, or proof of concepts, everything from connected cars, to refrigerators, to mobile speakers and wireless headphones, and now, even light bulbs can be attacked and controlled by outside forces. IoT devices often have passwords coded directly into the software or lack encryption altogether because these devices are built to get products to market quickly, before the competition, and are effectively not being built with security in mind.

• Q. As attackers become more and more resourceful, which channels will most likely be targeted next?

Part and parcel of being a hacker is being able to change methods on the fly. As soon as one attack vector stops working, a smart attacker will pivot to the next.

Internet-connected devices are that next frontier. Whereas your smartphone or laptop was the infection vector of choice in 2016, by 2018 IoT devices, like smart water coolers and electricity meters, will become the infection vector choice du jour.

Looking back at some of the past IoT attacks, if business owners or IT teams been more aware of the fact that internet-connected devices are just as integral to corporate networks as company laptops are, these devices may have been more prominently on their radar. IT teams perform network audits to check that their connections are consistently secure. They have security tools on their endpoints. They have firewalls surrounding their perimeter. What they don’t think about is the internet-connected water filter that monitors office water flow to keep office bills down. This is where the attackers of tomorrow are going to hit.

• Q. How do tools like Reason IoT Security help these businesses?

Tools like Reason IoT Security scan the entire network looking for vulnerabilities in connections and alerts business owners to their presence. They also explain step by step how to remediate those holes once they are foun

• Q. What can businesses do to proactively protect against IoT-based attacks?

The key to getting ahead of attackers is to make sure there is increased awareness of IoT connections and devices. These devices need software updates, passwords changed and the same level of oversight as any other connection on an office’s network. In addition, before connecting any new device, consider the practicality of it for the office. If a device has a clear and necessary benefit to the office, such as an internet-connected physical security system that monitors the facility 24/7, then the benefit outweighs the risk, and this is a fine device to install. Any IoT device that is frivolous in the office, like an IoT frying pan to grill steaks for the team, are best left at home where it cannot put the company at risk for a major botnet attack.

The volume and scope of IoT-based attacks are likely to get worse before they get better. SMBs can set simple precautionary measures within their organizations and IT departments to ensure each and every device on their network is protected, protecting time, data and money that could otherwise be lost in an attack.

Andrew Newman is the CEO and founder of Reason Software Company, creators of Reason Core Security Anti-Malware. He has been in the malware research and information security field for over 20 years, during which he served as Lead Security Program Manager at Microsoft and founder of GIANT Company Software which was acquired by Microsoft.