• Unsecured IoT devices present an open backdoor
As organisations increasingly embrace the IoT to enable “connected business” and achieve efficiencies, concerns about the security of IoT devices are coming to the fore.
Badly configured devices are not just vulnerable themselves, but could present hackers with an open backdoor to corporate networks. The use of inadequately protected consumer BYOD devices to control IoT devices adds to the problem.
The industry needs to do a better job manufacturing devices with proper security, but the limited processing power of many low-cost IoT devices and the difficulty of patching them will make this a challenge.
In the meantime, isolating IoT devices in segmented networks with boundary protection and monitoring measures in place can help safeguard corporate assets.
Businesses can also require device vendors to provide appropriate support and patching processes.
• SMBs find themselves in the crosshairs
The focus of cyber attacks is expected to shift dramatically to small and mid-size businesses (SMBs) in the coming year.
Without the same level of protection as big enterprises, SMBs are attractive targets for cybercriminals, even if potential payouts are smaller.
Banking fraud and scams now more commonly target smaller banks, while point of sale theft is shifting to smaller businesses as big retailers have upgraded their systems following high-profile attacks.
Start-ups establishing infrastructure on a budget are particularly vulnerable, since they may be leveraging the cloud and mobile devices without adequate security strategies.
SMBs can go a long way to improving security simply by following the basics. These include anti-virus/anti-malware on all devices and network-level firewall protection, which can be cost effective., along with a monitoring strategy to quickly detect when a breach occurs.
Regular user education is also a must. Most breaches can be traced back to someone making a mistake that could have been avoided.
Even organisations with good security systems in place will need to shift their thinking in two areas to ensure their networks remain protected in 2015.
First, companies should assume they will be breached and therefore should deploy robust monitoring systems to detect and respond to issues. Prevention is no longer enough. Even so, security threats evolve through incremental change.
Organisations can monitor these changes and enhance their defences as required. It takes time to launch a cyber attack, so it is possible to gather insights by paying attention at the attack preparation stage and therefore to prepare in advance.
Second, companies now need to treat assets inside the network as if they were on the outside. Consumer BYOD devices and IoT infrastructure in particular demand better controls, more complete threat management and constant event monitoring.
On the flipside, it is now possible to create a public cloud with sufficient protections to allow the same security as legacy systems.
In the connected world of 2015, the threat of a cyber attack is now greater than ever. However, there is much that company directors and their information security officers can do to mitigate the risks as threats evolve.
Continuous investment in information security and ongoing security education cannot be avoided.
By Jason Porter - VP, Security Solutions, AT&T Business Marketing