Right now millions of new “things” get connected online every day – from toasters and heart monitors, to cars and light bulbs.
The mass adoption of devices with multi-layered connectivity has been badged the Internet of Things (IoT). Just to give that some perspective, here’s what we know:
• The world’s population is projected to reach nearly 8 billion people by 2020 – and much of that population will have several smart devices in the home.
• But many of these connected products are likely to have weak security and controls, creating points of weakness in users’ critical private networks, systems and data.
• Right now, there is little to no consistency in how all these “things” connect to the Internet – be it Wi-Fi, Bluetooth, RFID and so on.
• A seemingly non-critical device within the network of “things,” such as a simple fitness bracelet, can be leveraged to access other systems or more critical devices within the same network.
While we’re not directly producing IoT “things,” we work with companies and organisations that do. So we’ve adopted the mindset that any product could be a channel for fraudulent activity. Below are a few helpful guidelines that can be shared with clients and customers alike.
1. Access to systems should require more than just credentials. Businesses should leverage cyber-intelligence and complex device recognition solutions to help prevent unauthorised access.
2. Designate who has access to systems and clarify why they need it. It is also important to understand the normal access behaviour of those logging into these systems, so that when anomalies occur, immediate preventative action can be taken.
3. Clearly outline roles and responsibilities in terms of access monitoring. This can be segmented by factors such as channel or line of business.
4. Share intelligence across the consumer and enterprise side of your business. Many businesses have strong authentication requirements for their consumers, but most data breach activity happens as the result of employee credentials being compromised and used to gain access.
5. Partner with providers that have been successfully solving the account takeover problem. The concerns and vulnerabilities around account takeover in the digital realm, addressed using fit-for-purpose technologies, are similar to the concerns and vulnerabilities in the world of the Internet of Things.
6. Apply robust privacy policies and practices. Doing so will ensure that the data a business collects is actually required for the services it offers, and that data collection practices are easily understood by the consumer.
7. Any collected data must be treated as highly sensitive information. It’s important to note that even seemingly uninteresting data can be used by fraudsters to build robust and accurate stolen identities, which can be used for online impersonation, social engineering, phishing attacks and more.