Internet of Things Security Looms Large for Small Business

by Drew Robb

Internet of Things security creates a formidable, but not insurmountable, challenge for small business. We explore IoT use cases and best practices for addressing IoT security issues.

Almost a year ago, we wrote an article on What the Internet of Things (IoT) Means for Small Business. This follow-up looks at some small business IoT use cases and the challenges surrounding IoT security.

The possibilities for deploying IoT technology appear endless. Companies large and small are either developing IoT tools or installing them in their own businesses to streamline their operations, increase efficiency, and lower costs.

Internet of Things Applications: Taking IoT to the Street

Streetline, a "smart parking" company, simplifies parking for customers around the world. It uses sensors and mobile apps to help drivers find empty parking spaces in real time, make reservations, and pay by phone. It also provides analytics that help cities improve parking efficiency.

GridComm, another small business actively involved in making IoT work, helps cities network their street lights using IoT sensors installed inside the street light door. The sensors communicate data about the street lights across the city's power lines. Analytics are also part of the system.

"The system provides information like how many lights are on the network, how much electricity they use, and it tells you when street lights need to be replaced—before they fail," said Mike Holt, CEO of GridComm. "The maintenance team assigned to repair these lights can download their locations to a smartphone."

Further, cities can control the lights far beyond simply turning them on or off. For example, you can optimize the system by setting a dimming level and a precise schedule for individual street lights. A city saves money by not using bright lights when they're not needed.

"Street lights are just the start," said Holt. "Once you network the street lights, we can connect thousands of sensors to measure weather, pollution, and traffic. And we can communicate the measurements over the street light control network."

Internet of Things Applications: Environmental Monitoring, Access, and Compliance

Matthew Olan works as the network administrator at Pharmacare Specialty Pharmacy (PSP), a Canadian company that employs about 150 people. His company installed Ubiquiti mFi temperature sensors, motion detectors, door sensors, and wireless security cameras throughout the organization.

"The cameras we have (from Ubiquiti Networks and Hikvision) are wired," Olan said. "We use them for security purposes such as monitoring facilities and recording incidents if they occur."

PSP uses temperature sensors to monitor both the temperature and the humidity in areas such as equipment rooms, server rooms, and in some of the main areas where staff actively work. It also uses RTD PT100 temperature sensors to monitor refrigerated drug storage. The company deploys these sensors across multiple sites.

"It's important for us to know if any fridges go out of a pre-set temperature range specified by our industry's governing bodies," said Olan. "The [IoT] system provides email alerts based on rules we define around temperature, and it also records and keeps data for retrieval as needed."

PSP installed door sensors on access doors to IT equipment areas, as well as on all lockable equipment racks. Olan said they configured the sensors to send alerts to the company's IT helpdesk (PSP relies on Spiceworks Helpdesk) if anyone opens any of the doors. Not only does this alert them to equipment access, it generates a ticket on which the staff member who accessed the area must provide a reason for the access. This acts as an equipment access log. If an alert triggers and no one knows who accessed an area, PSP investigates the alert and reviews security camera footage to see who was involved.

"We currently use the Ubiquiti mFi IoT system for monitoring, event notification, and real-time data collection," said Olan. What IoT benefits does PSP reap? "Compliance, security, and cost savings are some of the factors that drive our need for IoT technology."

For example, if Olan's team gets an alert that a fridge is too warm or cold, they can transfer the contents of that fridge, which reduces product spoilage and saves money. It also shows regulators that PSP complies with industry regulations. The old method of manual temperature checks was time consuming, inaccurate, and showed only specific points in time—and nothing about what happened between those points.

Equipment access logs are both a good security practice and required under industry regulations. Normally, access can be difficult to track, especially when equipment resides on a remote site without a staff presence. IoT sensors on access points can notify Olan's team instantly whenever someone accesses equipment at a remote site.

Internet of Things Security Creates Increased Concern

But with so many ways to connect such a diverse set of devices, Internet of Things security concerns are growing. After all, we are not talking about a few extra avenues of attack into the enterprise. According to IT analyst firm Gartner, the IoT will grow to 25 billion connected "things" by 2020. That includes wearable devices for fitness, as well as the growing number of wearables designed to monitor health. And some employees are connecting these devices to small business networks.

"Many IoT devices, such as smart appliances, wearables, connected medical technologies, and sensors, have little to no security, which makes them more vulnerable to attack than your typical PC," said PSP's Olan.

A just-released Spiceworks IoT survey of small business IT pros found that while nearly 90 percent believe the influx of connected things creates security and privacy issues in the workplace, only one in three organizations is actively preparing for the impact IoT security issues could have on their business.

Two years ago, Spiceworks discovered that small business IT pros considered insufficient bandwidth to be the main barrier to IoT adoption. But IoT security has become the top concern (65 percent), followed by equipment issues (42 percent). Insufficient bandwidth now ranks third (37 percent). Small business IT pros worry that IoT devices offer more entry points into the network and that many lack adequate IoT security measures.

"As the demand to put more IoT devices on networks increases, IoT security concerns are certainly increasing," said Sanjay Castelino, vice president of marketing at Spiceworks.

The survey also revealed concern over the sudden influx of wearables. Spiceworks found that the number of organizations that connect wearables to their network increased from 13 percent to 24 percent in the past two years. Other connected devices, including video equipment, electronic peripherals, sensors, and appliances have also increased in many small businesses. Fifty-three percent of the survey respondents view wearables as the most likely source of an IoT security breach, followed by video equipment (50 percent), physical security (46 percent), and appliances (45 percent).

Internet of Things Security Tips

As the volume of IoT devices grows, and as more companies focus on securing IoT, easy-to-deploy tools will become more available. For example, Cigital, an application security company, provides services for securing the Internet of Things—from product assessments to program creation.

"Internet of Things security is a key challenge," said Dan Lyon, principal consultant at Cigital. "When businesses bring devices into their networks, the devices may have associated security risks of which the business is completely unaware."

Small businesses, in particular, struggle with this because they often lack the resources to identify and resolve those IoT security risks. For example, many IoT devices include capabilities that remote hackers can exploit to access either the device's data or the business network directly, thus placing the business at risk for a data breach.

Lyon offered the following advice to anyone thinking of implementing IoT devices: do not skimp on cost when it comes to security. While most businesses are unwilling to pay more for advanced security features, Lyon noted that there's an increased cost to the vendor to implement IoT security. Additionally, many IoT devices have long lifecycles and may not receive manufacturer updates for known security vulnerabilities.

His advice: make IoT security and update plans part of your product evaluation process. "IoT opens up many possibilities for small businesses, but you need to balance these opportunities with a solid understanding of the associated risks," said Lyon.

What's the best way to familiarize yourself with the possibilities IoT may hold for your small business? Olan advised: pick up a couple of IoT devices and play with them. Discover what they can and can't do, how to integrate them into your business, and how to keep them secure.

"The best way to understand something is to use it and see what it can do," said Olan. "It also helps to be active in the online communities."

Many IoT vendors—like Ubiquiti Networks—have active IoT community forums where the people who use their systems talk, problem solve, and exchange ideas. These forums provide a great way to see how other people use IoT technology.

The Spiceworks survey highlighted several ways in which small business IT pros are preparing to support IoT:

  • Educating end users about IoT security risks (68 percent)
  • Investing in security solutions (47 percent)
  • Investing in infrastructure (43 percent)

While only 12 percent of organizations currently invest in new management tools for IoT devices, nearly 50 percent plan to do so within the next 12 months. Each area is worth investigating by any small business considering IoT technology.

Above all else though, Olan advised caution when it comes to network access. "We allow certain IoT devices on our network, but we always take security into account first when planning an IoT deployment," he said. "The market is currently plagued by devices with little-to-no IoT security—pushed by vendors eager to capitalize on the hype."

When you think IoT deployment, think security first.

"As IoT grows both in scope and in capability, it will be easier to implement," Olan said. "And we'll see small businesses using it in lots of creative, unique ways."

Drew Robb is a Los Angeles-based freelancer specializing in technology and engineering. Originally from Scotland, he graduated with a degree in geology from Glasgow's Strathclyde University. In recent years he has authored hundreds of articles as well as the book, Server Disk Management by CRC Press.

This article was originally published on Tuesday Apr 26th 2016