According to Transforma Insights, Internet of Things (IoT) devices have permeated our daily lives, with an estimated 14 billion connected IoT devices worldwide. From smart thermostats and refrigerators to connected cars, it's difficult to go through a day without interacting with IoT devices, especially considering that most people carry them around in their pockets or bags. But in the era of connected living, these devices can pose serious cybersecurity risks for insurers and their commercial policyholders.
Sam Shea, creative director at Socotra, said: “Twenty years ago it would have been unthinkable for a refrigerator in an employee break room to leak customer data, but now it's a very real possibility. It's a threat,” he said. “[It] doesn't matter how ‘smart’ or ‘stupid’ the appliance is. Anything connected to your network via Wi-Fi poses a significant threat.”
Hackers have hijacked IoT devices in the past, wreaking havoc on individuals' lives and entire countries. In 2017, a cybercriminal manipulated the firmware of over 465,000 implanted pacemakers, allowing him to drain pacemaker batteries, steal sensitive data, and change life-saving settings. A year later, the Mirai botnet disrupted internet access in various countries.
IoT device risks
Many IoT devices are untracked, poorly managed, and unmonitored, writes SecurityScorecard. Coupled with the rise of weak passcodes, botnets, and AI-based attacks, property and casualty insurers and their commercial policyholders become even more vulnerable each time an IoT device enters their premises. CompTIA investigated the cyber risks of IoT devices and found these to be the top four:
- Data theft: Unauthorized access to personal information, such as name, social security number, health ID number, phone number, user account, or home address.
- Service disruption: Using an IoT device (or devices) to render critical infrastructure, such as databases, water systems, or power generation dams, unavailable.
- Service or data manipulation: Adjusting the settings of an IoT device to make a service unavailable, cause physical harm to users, or damage the device or other devices.
- Noncompliance: Modifications to IoT devices that violate government privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the European Union General Data Protection Regulation (GDPR), or the California Consumer Privacy Act (CCPA).
“Default password threat”
A few simple changes and protocols, such as changing default passwords, can reduce cyber risk for IoT devices. Many IoT devices are installed with default passwords that are never changed. Global Information Assurance Certification (GIAC) has thoroughly tackled the “default password threat,” stating that the default passwords still used on built-in accounts are easily accessible, allowing hackers to compromise secure systems. It pointed out that accessing the information often does not require complicated methods.
Default passwords are username and password combinations used in software, databases, operating systems, or IoT devices such as security cameras or smart plugs. These passwords are published online, in vendor handbooks, and in other open sources. The SANS Institute recognizes default passwords as one of the top 10 cybersecurity threats. Fortunately, you can reduce your cyber risk by using new, strong passwords.
IoT cyber risk mitigation
In addition to updating default passwords, CompTIA recommends connecting IoT devices to secure networks with strong, unique passwords, adding firewalls to corporate networks, and limiting the privileges allowed to devices. For example, smart light bulbs and refrigerators may not need access to your contacts.
CompTIA says insurance companies and commercial enterprises can strengthen their IoT cybersecurity by taking these steps:
- Increase device monitoring with security information and event management (SIEM) and intrusion detection systems (IDS).
- Enhance security features to encrypt data at rest and in transmission.
- Add authentication to control network connectivity for IoT devices.
- Comply with National Institute of Standards and Technology (NIST) IoT and ICS standards.