
Guest Post

Solving IoT authentication challenges

If organizations want to take advantage of IoT, they must first protect major authentication vulnerabilities with layers of defenses.

Organizations recognize the vast potential of IoT and how it transforms industries spanning healthcare, manufacturing, retail and transportation. However, as the complexity and the number of connected devices increase, the volume of attacks soars in turn.

Hackers focus on the weakest link, which tends to be authentication. Unless organizations adopt stronger and more secure authentication methods, they will continue to remain in cybercriminals' crosshairs.

The FBI recently stated that the food and agriculture sectors are at an increased risk of cyber attacks. As these and other industries become increasingly digitized and connected, the likelihood of an attack rises with them. The increased risk puts password policies firmly in the spotlight. Every entity must take action to shore up its defenses rather than face the effect an attack can have on its brand and its bottom line.

At the root of the problem is the weak strategy enterprises deploy to manage password authentication. Too often, they rely on the outdated approach of resetting passwords after a set period of time. However, this fails to consider if the password is strong, unique or has previously been exposed.

5 steps to better password security

Rather than hoping the password problem will disappear, organizations must shift their focus from expiration to exposure. The new focus requires continually monitoring credentials to ensure that previously exposed passwords are not in use, thereby removing cybercriminals' opportunity to breach their systems. Organizations must also take a layered approach to password authentication and integrate the following steps:

  1. Focus on exposure, not expiration. End the cycle of password resets. Don't waste time and resources resetting passwords when the crux of the problem is exposure.
  2. Screen daily for exposed credentials. It's not enough to screen passwords at creation to make sure that they've not previously been exposed. Instead, daily screening ensures that passwords remain strong, unique and safe.
  3. Train employees on security hygiene. Organizations must provide regular training to help every user understand the risks that come from poor password hygiene and password reuse. As hackers use increasingly sophisticated tactics, organizations need to keep everyone up to date on how they can help mitigate the risk.
  4. Deploy threat intelligence tools. These tools can automatically detect and prevent the use of exposed passwords. The automation reduces the pressure on IT teams while improving security. By checking for exposed passwords before they are activated and monitoring them on an ongoing basis, organizations remove the risk of an exposed password remaining in use. This is the approach NIST recommends, and it is part of the HITRUST framework, which reduces the likelihood of a successful password attack.
  5. Enforce multifactor authentication (MFA). Too often, MFA is viewed as an unnecessary frustration for users. However, it should no longer be optional. Instead, it should be mandatory and deployed every time as it provides connected systems with an additional layer of protection.
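As an added illustration of steps 1 and 2 (this is not code from the author or from Enzoic): a minimal Python routine that screens a password at creation and re-screens stored accounts daily against an exposure corpus, so that only accounts whose password has actually appeared in a breach are forced to change. The corpus, the k-anonymity range lookup and the usernames are constructed stand-ins for a real compromised-credential service.

```python
import hashlib

# Constructed stand-in for a compromised-credential corpus: upper-case SHA-1
# digests of passwords known to be exposed, as a screening service would hold them.
EXPOSED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "Summer2023!")
}


def screening_digest(password):
    """Digest used only for exposure screening. The login verifier itself stays
    a salted, slow hash; this value is never used to authenticate a login."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def range_query(prefix5):
    """Simulated k-anonymity range lookup: the caller sends only the first five
    hex characters of its digest and receives every exposed suffix under that
    prefix, so the full hash of the candidate password never leaves the client."""
    return {h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix5)}


def is_exposed(digest):
    return digest[5:] in range_query(digest[:5])


def screen_at_creation(password, min_len=8):
    """Step 2, first half: reject a new password that is short or already exposed.
    Returns the list of reasons; an empty list means the password is acceptable."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    if is_exposed(screening_digest(password)):
        reasons.append("previously exposed")
    return reasons


def rescreen_daily(screening_store):
    """Step 2, second half: screening_store maps username -> screening digest.
    Re-checks every stored digest against today's corpus and returns the users
    whose password was clean at creation but has since appeared in a breach.
    Only those accounts get a forced change; everyone else is left alone (step 1)."""
    return sorted(u for u, d in screening_store.items() if is_exposed(d))


if __name__ == "__main__":
    # Constructed accounts: alice chose an unexposed passphrase, bob's password
    # has since turned up in the corpus.
    store = {"alice": screening_digest("CorrectHorseBatteryStaple"),
             "bob": screening_digest("Summer2023!")}
    print(screen_at_creation("qwerty"))  # ['too short', 'previously exposed']
    print(rescreen_daily(store))         # ['bob']
```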

If organizations want to reap all of IoT's benefits, they must first tackle authentication vulnerabilities. Adding layers of defense reduces the likelihood of a successful attack. Unless enterprises rethink their approach to password authentication, they must face the reality that it is only a matter of time before they become the next victim of a cyberbreach.

About the author
Michael Greene has deep software and cybersecurity experience acquired from a range of different roles with a variety of global high-growth companies. He is currently CEO of Enzoic. Prior to Enzoic, he was the CEO of ID Watchdog, an identity theft protection company that was sold to Equifax in 2017. Before ID Watchdog, Greene held senior management positions at Symantec, Webroot, Thomson Micromedex, Raindance and Baxter.
