The security cameras at your office are recording and transmitting what they see inside and outside your building, but they're doing something else, too. Their computing power has been harnessed by a botnet that's in the process of attacking a target website.
The barcode scanner guns you use to manage warehouse inventory save lots of time as they wirelessly update your database. Unbeknownst to you, a hacker is trying to use them as a portal into your network.
Your staff use their webcams for online meetings with a client about a top-secret new product, but little do they know, they're being spied on, and their competitive advantage has been compromised.
These are all examples of how you can open up your business to a whole new realm of risk when unsecured devices are connected to your network.
Smart Devices Not Built to Be Secure
Without a doubt, the Internet of Things (IoT) has provided efficiencies and new capabilities for businesses, but most people don’t realize that not everything that they’re connecting to their network should be securely monitored and managed like servers and workstations. The root of the problem is that these devices aren’t as smart as we think they are. Many aren’t built to be secure, and that’s pretty dumb.
For the sake of mass production and low costs, many manufacturers have been using low-quality hardware along with low-quality or even outdated operating systems. They’re selling devices that come with default passwords that can’t be changed, or users never realize that there is a password that can be personalized. The result is a huge security and privacy gap that California lawmakers want to close with a new law that was signed by Governor Jerry Brown on October 3, 2018.
California Law Aims to Improve IoT Security
California SB-327 is the first law in the US to require manufacturers to build security features into products that connect to the internet. By January 1, 2020, if the smart device includes a password, the password must be unique to the individual device. Additionally, the user should be able to change the password, and even be prompted to change it before the equipment can be used. These measures are intended to stop outsiders from accessing connected devices and the networks to which they are connected; prevent them from causing damage or injury by modifying how the device is operated; and protect confidential information.
Critics of the law are saying that it doesn’t go far enough, but it is certainly a step in the right direction. As a managed IT service provider, we already take the precautions that we can to limit access to data and systems. The stance we have to take is more reactive than we would like in some cases, but there isn’t any other alternative right now. The problem is going to persist until the devices are designed better, and since this law doesn’t come into effect for over a year, we need to do what we can to limit risks.
Best Practices to Limit Risks
Our advice to businesses is to know what is connected to your network and to have a multi-layered security strategy. Manage your network with industry and cyber security best practices so that you can control access to your data and systems. Create and maintain policies that give your employees the education and guidelines they need to decrease risk as they are using connected equipment.
Wondering if your network and systems have gaping security holes? Call us to schedule a Cyber Security and Risk Assessment.