Securing IoT Part IV: Humans

Human error is the greatest security risk to IoT, often due to oversight or a lack of knowledge. The shift to remote working due to COVID-19 has left many companies vulnerable to cyberattacks due to lack of IoT security at home. Fortunately, these risks can be alleviated with training and planning.

Train Employees on Security Best Practices

Effective cybersecurity starts with a knowledgeable workforce. Employee cybersecurity training should include:

  • Password Best Practices – Passwords should be long, contain multiple character types (beyond letters), be changed regularly and not reused for other accounts.
  • Social Engineering Attack Recognition – Teach employees to spot fake emails and websites, common tactics attackers use to exploit human error.
  • Cyberattack Risks – Educate employees about the cost of a data breach to the company.
  • Incident Report Procedure – Define how and to whom employees should report an attack.
  • Personal Device Policy – If employees are permitted to access company resources on personal devices, establish measures to protect company data.
  • Company Device Policy – Communicate the proper use of company devices, including the importance of security updates, if third party downloads are allowed, how devices should be secured and whether such devices can be carried home.

Cybersecurity training should begin at onboarding and be refreshed regularly for current employees. Mock attacks can also be run so that employees rehearse the actions they should take if a real attack occurs. Companies should regularly share cybersecurity news, which helps employees recognize how common attacks are and keeps the importance of cybersecurity fresh in their minds.

Have a Response Plan

Employees shouldn’t only know how to safeguard against an attack. Companies should build a cyberattack response strategy so if a breach occurs it can be shut down quickly and the damage minimized. This strategy should include the following instructions:

  • Threat and source identification
  • Isolating the affected area from the rest of the system
  • Stopping and eradicating the attack
  • Assessing and managing damages along with system recovery
  • Employee actions during and after a security breach
  • Steps for retrospectively analyzing the attack to understand causes and create prevention tactics
  • Regular updates of company cybersecurity best practices

The response plan should be regularly evaluated for weaknesses and revised.

Train Users on Their Cybersecurity Responsibility

For device manufacturers, training on cybersecurity best practices doesn’t end with employees. Users of devices should be informed of their role in keeping devices and personal information secure, including:

  • Dangers of social engineering and how to spot attacks
  • Risks associated with public Wi-Fi and how to reduce them
  • Location of privacy settings and guidance on use
  • Password management best practices
  • Importance of automatic updates and lock screens

Ultimately, the first defense against cyberattacks is the person behind the device.