Strengthening the weak link in IoT security: people
Security guru Bruce Schneier once said, “only amateurs attack systems, professionals target people”.1 All the firewalls and encryption in the world mean nothing if an attacker can get an employee to let slip their user credentials.
Depending on who you ask, insiders are behind roughly half of all data loss events.2 That's a sobering statistic. But what are you going to do about it? Naturally, you'd be right to look first at the risks posed by your own teams. But you should also be asking tough questions of the providers you work with, because their people handle your data too.
At Vodafone, we’re well aware that humans are potentially the weakest link in the security chain — and we act in all kinds of ways to protect our IoT operations and the customer data we carry.
It starts at recruitment. In our IoT division, as in all other parts of Vodafone, we conduct background checks on any new employee. Then, from day one, every member of staff gets regular training and education in security best practice, covering everything from how to look after their passwords, to how to spot a phishing email.
But we know that even the best-intentioned people aren't perfect. We've put processes and restrictions in place to minimise the risk of a small mistake turning into a big problem. For instance, employee laptops use full-disk encryption and run anti-malware protection, so a lost or stolen device doesn't become a data breach. And our systems require two-factor authentication at login, so a phished or leaked password on its own isn't enough to get in.
Perhaps most importantly, we limit what any individual can access on a strict "need to know" basis, so a compromised account can only reach what that person needed for their job. Any access to sensitive data or systems, such as our IoT platform, network management tools or customer records, is logged and monitored. And of course, physical access to our IoT systems is restricted behind the key-card locks, cameras and guards in our ISO-certified data centres.
You should never trust any security measure until you've tested it. That's why we conduct regular in-depth audits of every aspect of our security processes, both internally and using independent third-party assessors, and we ask our customers to hold us to the same standard.
No provider can claim to be perfect. Our aim is to make the hacker’s job as difficult as possible by strengthening our people and processes, as well as our systems.