How can the financial sector safely use the IoT?
By Sunil Ravi, Chief Security Architect at Versa Networks
The Internet of Things (IoT) has become one of the most popular tech trends. But connected devices can create cyber risk unless properly managed. We ask Sunil Ravi, Chief Security Architect at Versa Networks, how the financial sector can best make use of IoT without creating unnecessary cyber risk.
What is IoT, and how is it being used in the financial sector?
The Internet of Things is a blanket term for any device with network connectivity, covering everything from industrial sensors to consumer gadgets. The technology has proven to be extremely useful for automation and data collection, and the number of IoT devices has exploded over the last few years. Telecoms giant Ericsson for example estimates that there will be more than 1.5 billion IoT devices with cellular connections by the end of this year.
The technology isn’t as critical for financial services as it is in other sectors like manufacturing and energy, but there are still many valuable use cases for deploying connected devices. Retail banking is perhaps the clearest example. IoT technology enables banks to furnish their branches with terminals and sensors to provide better customer support and track the performance of equipment like ATMs. Insurance firms can also install IoT sensors for services usage-based-insurance or pay-as-you-drive policies.
What are the security issues with IoT?
The greatest risk with IoT is the fact that it rapidly expands the company’s IT estate – and therefore its attack surface. Each new connected device represents a potential attack path for threat actors to discover and exploit. This has been exacerbated by the popularity of household IoT devices aimed at consumers. Combined with remote working, the line between personal and corporate networks is more blurred than ever. In many cases, threat actors can exploit the vulnerabilities of an IoT device and laterally move across the network to compromise more valuable assets.
This has become trivially easy for cyber criminals, with automated scans quickly identifying exposed devices connected to the Internet. From there, attackers will look for issues like unpatched vulnerabilities or weak security policies that will let them jump into the main IT network. Once this is achieved, they are free to start executing standard attack tactics such as data exfiltration or ransomware deployment.
Common issues like unpatched devises and unmonitored network traffic make it even easier for threat actors to find and exploit connected machines without being noticed.
IoT is often said to have put performance ahead of security. Is that still true?
IoT is a fairly new field to the IT world. Vendors are still in the process of understanding the threat landscape, and therefore often do not fully appreciate the potential risk of these devices, which results in security usually taking a backseat in IoT design.
The general level of device security has improved somewhat more recently, but it’s normal to find that products are still lagging behind more standard IT hardware. Common issues include lack of adequate protection for network traffic and data, and poor accessibility for users to manage critical areas like passwords and updates.
The situation should improve in the next few years thanks to new IoT security regulations. The US for example launched the IoT Cybersecurity Improvement Act of 2020, the UK and EU are among other markets working on laws.
In the meantime however, organisations need to be cautious when selecting IoT devices and do their due diligence in checking for security functionality and any known issues.
What can financial organisations do to manage IoT security?
Even the more secure IoT products represent a level of risk, and firms will need to ensure these risks are balanced by the right security measures. But of course, this is true of most new business investments, and few sectors are more adept at assessing risk than financial services.
However, balancing security and performance can be a challenge. Financial firms cannot risk having something like an unsecured customer service terminal connected to their network, but complex or rigid security measures will also render the device ineffective and ultimately impact ROI. Cost is also an important consideration, especially when a large number of devices are at play. If a company has hundreds of devices, managing each one manually becomes a colossal task.
A new model known as Secure Access Service Edge (SASE) provides an effective solution to these challenges. This approach converges multiple network management and security functions into a single service that can be delivered entirely through the cloud.
SASE is designed to integrate security and network performance, making it easier to perform key functions like monitoring network traffic and restricting access without impacting network speed. This combined approach also means that data no longer needs to pass through multiple virtual network functions (VNFs), helping to increase connectivity and reduce lag. SASE can also be used to deliver network segmentation, creating a barrier between network areas. With segmentation in place, even if an IoT device is compromised, attackers will be blocked from moving into the rest of the network. A cloud-based deployment also means that all devices on the network can receive the same level of security, covering even the largest IoT suites.
Financial firms still need to do their due diligence in selecting reliable products and ensure they have followed best practice around password security and patching. Taking these steps will drastically reduce the risk exposure created by new devices, while SASE provides a powerful second line of defence against any criminals seeking to exploit IoT in their attacks.