Back to Blog

Addressing Authentication Issues Within IoT

Staying Safe, While Staying Connected

As more organizations enter the digital landscape of the Internet of Things (IoT), there are parallel increases in the number and frequencies of cyberattacks. IoT has a great capacity for beneficial technological impact across all industries, but unless organizations can embrace better cybersecurity, they are all under massive risk of attack.

Make no mistake: threat actors have taken note of the increasing number of connected devices and the complexity of the interacting systems—and they’ve been evolving right alongside it. Cybercriminals will often focus on the weakest link they spot in a system. In many cases, it’s authentication: the process of ensuring that a user is who they say they are.

Though password policies might be ubiquitous in some ways, contemporary issues with authentication bring them once again front and center. Current password policies are not doing the work we need them to. Exposed credentials—e.g. your email username and password—are responsible for a large percentage of breaches and ransomware attacks. The ways that credentials get cracked, hacked, bought, and sold are manifold. It’s no longer sufficient to require a long or arbitrarily complicated password. Every organization needs to modernize its practices in securing the password layer and monitor for compromised credentials.

Fortunately, there are some solutions and strategies your organization can embrace quickly with minimal user friction. Depending on the size and needs of your enterprise, there are applicable guidelines (for example, HIPAA and HITRUST for healthcare organizations).

For now, here are five tips for better IoT security.

  1. Continuously Screen for Compromised Credentials. There’s a reason this is at the top of the list. By screening for weak, previously stolen, and compromised credentials, you can ensure that no exposed passwords are in use within your network. This is one of the most effective ways to remove yourself from the ‘easy target’ category.
  2. Focus on Exposure, Not Expiration. In the past, periodic password resets were thought to be a strong preventative measure within organizations. Unfortunately, this is not the case. Periodic resets cause users to just make small variations on their favorite passwords (for example, going from ‘LoveMyKids’ to ‘Lovemykids123’, making their new password easy to guess). There are no guarantees that you won’t have your credentials stolen the day after you change them. And there are no systems in place to alert a user if their credentials have been compromised.
  3. Make Multifactor Authentication Mandatory. MFA has been an optional step for quite some time, but it’s time to lock security down. Making MFA mandatory can be an impactful step. Ensuring that there is an additional security layer, separate from the password layer, can help protect your organization’s systems and data.
  4. Prioritize Password Hygiene. Like washing your hands or brushing your teeth to keep your body healthy, password hygiene is central to having a clean, safe network. Education is one of the first steps: discussing the importance of strong passwords, emphasizing the possible repercussions, and encouraging users not to share passwords can help everyone understand this is a serious security issue.
  5. Deploy Threat Intelligence Tools. Based on guidelines from NIST and HiTRUST, automatically detecting and preventing the use of exposed passwords is an excellent way to reduce the pressure on IT teams, while also reducing the risk of compromised passwords being actively used.

Organizations should approach cybersecurity and authentication strategies upfront, not as a last-minute thought. Addressing vulnerabilities in each layer, specifically the password layer, means organizations have a lower risk of a breach.

Breaches can have enormously disruptive consequences—from ransomware attacks that can cause major financial disaster, all the way to long-term reputational issues that are difficult for companies and organizations to shake. To avoid becoming the next headline in cybersecurity news, your organization needs to batten down the digital hatches.