Cyber Security Questions To Ask All Your IoT Vendors


Key Takeaways:

  • Any IoT vendor should be able to answer these basic questions if they take security seriously.

  • Getting answers before making purchasing decisions prevents cybersecurity headaches for owners and tenants.



Packing smart buildings full of useful sensors to optimize performance and enhance the tenant experience is not without risk. Connected devices can expose vulnerable networks if proper security protocols and IT best practices aren’t strictly adhered to; that’s exactly how some of the most high-profile hacks happened. Making sure technology vendors take security seriously means being able to ask the right questions. We compiled 10 questions you should be asking every IoT vendor before moving forward with a deal.

1. Is the hardware securely provisioned and does it use a secure chain of trust?

A secure chain of trust is essential to validating network access, preventing unauthorized connections or devices from exposing vulnerabilities. Authentication is one of the most important parts of cyber security.

2. How are security patches applied and what is the company’s patch policy?

Cyber security is not a one-time solution: threats evolve, so security must as well. Any system is only as good as its latest patch, so be sure to ask how the vendor plans to apply patches so you know how adaptive the technology is to new threats.

3. What data is collected? Is any data sensitive?

Knowing what data is being collected and whether it’s sensitive helps building owners and management make cyber security decisions by telling them what they need to protect. Sensitive data needs more security.

4. Who owns and has access to the collected data?

Who has ownership and access to the data delineates who is responsible for protecting it. Don’t get blindsided by someone hacking data you didn’t know you were supposed to be protecting. Be sure to have proper credentials and authentication for anyone with access.

5. How is the data protected in transit? Is it sent over encrypted connections?

Data in transit is particularly vulnerable to hackers looking to intercept and reroute for their own purposes. Sensitive data should always be encrypted and sent across secure networks.

6. If the data is sent to the cloud, is it encrypted at rest?

The cloud presents a different set of risks. Protecting data at rest through encryption is a critical extra layer of security that prevents hackers from accessing or leveraging the data should they be able to acquire it.

7. Are device updates and errors auditable and protected from change and deletion?

Some hackers can roll back crucial security updates to maintain whatever vulnerability they’re exploiting. Protecting device updates from change and deletion makes sure the latest security updates work as intended.

8. Does the device support remote connections? Is this configurable?

Hackers are rarely physically in the building; they gain access to networks through remote connections. Knowing whether a device has a remote connection helps owners account for the entire threat landscape, and being able to monitor and configure those connections ensures only authentic connections are allowed.

9. What is the device's end-of-life process? Is it defined?

Technology and the businesses behind it are not immortal. If a device becomes non-functional or the device manufacturer goes out of business, it can leave behind dormant vulnerabilities to be exploited. A proper end-of-life process conclusively ends the threat from outdated devices.

10. Does the vendor follow a controls framework such as ISO 27001 or SOC 2, or can they provide a recent security assessment with remediation details?

Cyber security best practices are well documented, with many types of certifications. If a vendor doesn’t know or follow frameworks such as ISO 27001 or SOC 2, that’s a red flag indicating they may not be taking cyber security as seriously as needed.


 
Previous
Previous

Guide To FedRamp Certification

Next
Next

NIST Cyber Security Best Practices For Smart Buildings