Security Is Key to IoT Profits
THE SOOTHING VOICES OF SIRI OR ALEXA make most people feel like they’re dealing with trusted companions. But neither of these disembodied representatives of the Internet of Things (IoT) is always a true friend to managed service providers (MSPs).
That’s because when these virtual assistants open doors to the convenient array of devices and applications in the IoT they can also lay out the welcome mat for hackers, letting them breeze past all the carefully constructed firewalls, anti-virus updates, and other security measures MSPs put in place to protect their clients.
Consider this case in point: At a medical practice with more than 100 people on staff, a cybercriminal infected the whole network with ransomware, including desktops, servers, and laptops, without using a phishing scam to gain entry. Instead, the hacker broke in through the one device that was set up specifically to protect the medical staff from thieves: the security camera.
The practice had contracted with a security camera vendor, and the camera ran on software that the hacker was able to infiltrate by using a password cracker and logging in as the IT administrator. At that point, the cyberthief had access to everything in the practice’s IT network, making it easy to spread the ransomware and encrypt the whole system.
Fortunately, the medical practice’s MSP was able to restore the network, rebuilding all the servers with backups. The process, however, was time consuming. It took the better part of a week to restore the data and return the system to full functionality for the staff.
With a breach of this type, an MSP could potentially spend hundreds of hours—often unbillable—to restore a network. That means the service provider could not only lose money while engaging in the restoration process for one client, but also miss out on doing billable work for other clients.
At this particular medical practice hackers targeted the security camera. But what about all the other vulnerable devices in the healthcare setting? Hospitals and medical practices have diagnostic equipment like ultrasounds, mammograms, and MRI machines that are not part of their normal network security. The healthcare industry isn’t the only one at risk either. IoT devices are being embedded into a variety of businesses—smart alarm systems, wireless music, and thermostats, to name a few. Increasingly, companies are installing Siri or Alexa and other IoT devices on their own—and none of those devices are being managed by the MSP!
To protect their clients—and their own bottom lines—MSPs must educate customers about the security risks of the IoT sector, which is expected to grow to 20.4 billion devices by 2020. Clients need to understand that even though MSPs can protect networks with firewalls and antivirus software, they remain vulnerable to hackers who slip in through IoT devices sitting outside the network. Essentially, it’s as though companies are securely locking their doors, but leaving their windows open at the same time.
IoT Needs SRA—and VPN
In order to profit and not perish in the IoT ecosystem, MSPs need to take a multipronged approach to cybersecurity. Besides helping clients engage in employee education and prevent phishing scams, MSPs should also offer to:
- Conduct a rigorous security risk assessment (SRA)
- Create a virtual private network (VPN) and use two-factor authentication
- Install an account lockout protocol and develop tough password controls
A security risk assessment is a powerful weapon against cyberattacks, because it requires a thorough inventory of every place in a business where data is stored or transferred, as well as any point where it is vulnerable. Before the explosion in IoT that assessment would cover items like mobile phones and laptops along with desktop equipment. Now, however, it also extends to a whole gamut of “things” ranging from smart devices for home use to energy monitors and remote printers in commercial enterprises.
While all the new IoT gadgets must be checked for potential security vulnerabilities, it’s also crucial to deal with the host of legacy equipment still in operation. For example, because of cost considerations or compatibility issues, some medical facilities continue to depend on MRI machines that run on Windows XP. Any device operating on outdated software creates the risk of a data breach, especially when security patches have not been updated.
Creating a VPN enables clients to migrate to a technology that provides an encrypted, private connection over the top of a public, less secure network. Companies should be using a VPN for remote access. In the case of the hacked medical practice, the security camera was outside the firewall of the protected network, instead of being inside the safety of a VPN. Using two-factor authentication—like the temporary code sent to a cell phone when doing online banking—adds another layer of protection to the VPN, and MSPs should encourage clients to take advantage of it.
Account lockout protocols prevent a hacker from getting into a system after a certain number of tries. That tool stops a “brute force” attack by cyberthieves who use password crackers to keep trying an infinite variety of passwords until they break the code. Training clients and their employees to develop strong passwords creates another line of defense. If the medical practice had installed account lockout technology it could have prevented the hacker from breaking into Active Directory, even if the security camera software itself was breached.
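How a lockout rule blunts the password-cracker attack described above, shown as an added example that is not part of the original article: a minimal policy replayed over constructed login attempts. The class and function names are hypothetical, and the values (5 failures within 15 minutes, 15-minute lock) are assumptions, not recommendations from the author.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Lock an account after `threshold` failures inside `window` seconds."""

    def __init__(self, threshold=5, window=900, lock_for=900):
        self.threshold, self.window, self.lock_for = threshold, window, lock_for
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'denied' or 'granted' for one login attempt."""
        if now < self.locked_until.get(account, 0):
            return "locked"                  # refused even if the password is right
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if password_ok:
            recent.clear()                   # a good login resets the counter
            return "granted"
        recent.append(now)
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lock_for
            recent.clear()
        return "denied"


def replay(events, policy):
    """Feed (time, account, password_ok) tuples through the policy."""
    return [policy.attempt(acct, ok, t) for t, acct, ok in events]


# Constructed sample: a password cracker makes one guess per second against
# the administrator account and reaches the right password on its 8th guess.
CRACKER = [(t, "admin", t == 7) for t in range(10)]
# Constructed sample: the real administrator logs in after the lock expires.
LEGIT = [(2000, "admin", True)]


def demo():
    policy = LockoutPolicy(threshold=5, window=900, lock_for=900)
    return replay(CRACKER + LEGIT, policy)


if __name__ == "__main__":
    print(demo())
```

The cracker's correct guess arrives while the account is locked and is refused, while the legitimate administrator gets in once the lock has expired.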
By promoting any of these solutions, MSPs will demonstrate to their clients that when it comes to the mushrooming IoT, security is the most important thing.
ART GROSS is the founder and CEO of Breach Secure Now! and HIPAA Secure Now!. Both companies provide data breach prevention services for medical practices, and small and medium-size businesses. Breach Secure Now! serves the MSP channel exclusively. Gross is also CEO and co-founder of Entegration, a managed service provider.