Cybersecurity IoT guide
Digitising property has opened the industry to security risks, but the solutions don't have to be complicated

How to stay safe in a digital revolution

 | 

Karl Tomusk

Smarter buildings powered by cutting edge software and IoT devices push property into new, innovative places – but a digital revolution comes with risks.

A Digital Defence report from Microsoft last year found a 35% increase in attacks on IoT devices in the first half of 2020, compared to the second half of 2019. But as attackers find new targets – while also continuing to use common attacks like phishing – the government’s latest Cyber Security Breaches Survey shows that just 35% of businesses are using security monitoring tools and fewer than a third undertake any form of user monitoring.

For an industry in transition, that poses a serious challenge. “A lot of our locations are getting cybersecurity essential for their building networks, not just their business,” says Dan Drogman, CEO of smart building software provider Smart Spaces. “Cybersecurity only applying to corporate IT – that’s the past. From now on, it’s anything that can be connected to the Internet.”

Here’s what landlords need to know to keep their increasingly digital buildings safe:

Not everything belongs online

Buildings are lined with networks built up over the years, which can create vulnerabilities. Drogman says: “We can go into a building and find that they’ve got 20 ADSL connections from various parties that are using them to monitor their systems remotely.” Those connections are managed by separate service providers and, therefore, harder to monitor.

Drogman tells clients to rationalise their networks: they only need one fibre connection in a building, and part of that network should be offline because not every system needs the Internet. Keeping some functions offline cuts the risk of accessing malicious software.

Node is another company that tackles that problem, providing buildings with a single landlord-controlled network.

Monitor devices for suspicious connections

Services like Wireshark can monitor network communications, including on IoT devices. They can show you if the device is doing anything unusual, such as regular connecting to a web server in the middle of the night.

Similarly, Smart Spaces gives users a view of all the connectivity coming into a building, what devices are online, what firmware is running on each hardware device and whether it’s up to date. Manufacturers regularly update and patch devices to fix flaws, which is why it’s necessary to keep those up to date. Vulnerabilities in older systems are a magnet for hackers.

IoT risks depend on the type of device

The risks associated with IoT devices depends on what they do. If they control a building’s temperature, the risk might be relatively low – a hacker might find out how warm it is, but not much else. Power management devices, however, could knock the power out of a building if they’re compromised. The higher the risk, the closer they should be monitored – or kept offline.

The simplest attacks are also the most common…

Cyber Attacks

Most common cyber attacks reported in the Cyber Security Breaches Survey 2021

Phishing is by far the most common cybersecurity risk a business can face. More than a quarter of businesses face weekly attacks, of which 83% are phishing attacks, according to the Cyber Security Breaches Survey.

In a phishing attack, hackers trick people into revealing private information – logins, passwords, credit card details – by posing as someone they trust. That could lead to immediate problems, such as someone using your Amazon account, or to longer-term targeted attacks. For example, someone with access to an employee’s inbox might not use that access right away, but might eventually change invoice details, siphoning off money into another account.

… But more sophisticated, automated attacks are growing

Ransomware – a virus that blocks a user’s access to files until they pay the attacker– is an example of a growing automated threat that can do serious damage to a business. There are many ways it does that, but broadly, the software will scan the internet for vulnerable or open remote desktop connections and use brute force to gets it way in, trying password after password.

“In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes,” Microsoft’s Digital Defence report says. Growing ever more sophisticated, ransomware attacks were the most common reason behind Microsoft’s incident engagements between October 2019 and July 2020.

Easy wins make a difference

Negligence is a common mistake that leads to breaches, says Drogman. Having a weak password – and reusing it in multiple places – is something you can easily fix, and doing so can help prevent simple and sophisticated attacks.

If a ransomware operator is attacking your network, systematically trying possible combinations, the first line of defence is ditching your short, simple password. The second is locking IP addresses, thereby restricting who can communicate with the network and blocking unwanted connections.

“You’ve just got to be far better with your passwords, you need to lock IP addresses so this bot can’t actually get to the opportunity to even try a password, let alone get in,” Drogman says.

Once you have a stronger password, you also need to enable multi-factor log-ins, preferably using an authenticator app such as Google Authenticator. That adds an extra layer of security by generating unique one-time passwords.

Don’t forget about remote working

Remote working will outlast lockdowns, but that can lead to other security headaches. A study from IBM last year found that 53% of remote workers use their personal devices, and 61% haven’t been issued guidance on securing those devices.

If an employee’s device is insecure, that leaves gaps for hackers and risks sensitive information being accessed by non-employees, putting the wider business at risk.

“You can easily mitigate these risks by providing employees with laptops or, if that’s not possible, enterprise-grade cloud storage solutions, which add layers of protection to work files,” says Barry O’Donnell, chief operating officer at IT services provider TSG. He recommends installing a VPN, which will encrypt employees’ connections to the company’s network.

After all, as property innovation continues, the safer the digital networks are, the safer the physical spaces will be.

Your comments

Read our comments policy here