Is the Internet of Things Bad for Your Business?

What is the IoT?

The IoT refers to the network of interconnected devices, sensors and objects that collect data and exchange it over the internet. They often don’t require any human intervention to function and “talk” with one another. These devices include everyday items, such as smartwatches, security equipment, cars, electronic appliances, lights in commercial environments, video surveillance systems, speaker systems and vending machines.

Specialized equipment in industries, such as healthcare, agriculture and manufacturing, are also integral to the IoT system. Oil companies, for example, often use spill-detecting sensors and monitors. Physical therapists use mobility tracking devices to monitor their patients’ movements and manufacturers put robots on their assembly lines to automate production processes.

Pros and cons of IoT devices for business

This era of connected devices creates significant business opportunities and changes the way people work as the IoT network grows in size and capabilities. However, the IoT also presents a major threat to businesses in the form of cyberattacks. Below are some key benefits and disadvantages to consider before integrating IoT devices into your business. [Related article: Small Business Guide to Cybersecurity]

Pros of IoT devices for business

• Increased efficiency: IoT devices automate repetitive tasks, reducing manual labor and freeing up employees to focus on more strategic initiatives. For example, smart sensors in manufacturing plants can optimize production processes by monitoring equipment performance and detecting potential issues in real time, minimizing downtime and maximizing output.
• Enhanced productivity: IoT devices provide instant access to valuable data and insights. IoT-enabled analytics tools offer real-time performance metrics, empowering managers to make informed decisions that optimize workflow efficiency, resource allocation and productivity.
• Improved communication: IoT-enabled communication tools facilitate seamless collaboration and information sharing among team members, regardless of their physical location. Video conferencing systems, messaging platforms and project management programs help teams stay connected. IoT devices also enable interoperability, so devices and systems across a company can send and receive data from each other easily.
• Asset tracking: Businesses can leverage IoT devices to track the location and status of assets in real time, improving inventory management and reducing the risk of loss or theft. GPS-enabled trackers and radio-frequency identification (RFID) tags enable companies to monitor the movement of goods throughout the supply chain, enhancing visibility and efficiency.
• Cost-savings opportunities: IoT devices help businesses optimize resource usage and reduce operational costs. For example, smart energy management systems adjust lighting, heating and cooling based on occupancy levels and environmental conditions, which can lead to significant energy savings over time.

Cons of IoT devices for business

• Issues with complexity and interoperability: Integrating IoT devices from different manufacturers can lead to compatibility issues and interoperability challenges. Each device may operate on different protocols, communication standards or software platforms, creating a bit of a hurdle for implementation and maintenance.
• Privacy and security concerns: IoT devices collect vast amounts of sensitive data. Cybersecurity threats, such as hacking and unauthorized access, pose significant risks to business operations and customer trust. Malicious actors may exploit vulnerabilities in IoT devices to gain access to sensitive information or launch targeted attacks that compromise data integrity and confidentiality. Learn more about this below.
• Regulatory compliance challenges: Businesses operating in regulated industries must navigate complex compliance requirements related to data protection, privacy and industry standards. The global nature of IoT deployments introduces additional regulatory complexities as businesses must comply with varying data protection laws and regulations across different jurisdictions.
• Reliability and maintenance: IoT devices are susceptible to technical glitches, software bugs and connectivity issues, affecting their reliability and performance. Downtime caused by device malfunctions or system failures can disrupt business continuity and impact customer satisfaction.
• Human employment displacement: As automation and artificial intelligence-driven technologies improve to take on tasks humans previously always did, there’s a growing concern about the potential displacement of human workers. While automation can enhance efficiency and productivity, it also raises ethical and social considerations regarding the impact on employment opportunities and income inequality.

Why are IoT devices vulnerable to cyberattacks?

One reason some consider the IoT bad for business is because of their vulnerability to cyberattacks. IoT devices are of interest to cyberattackers for four main reasons:

1. Most of these devices use wireless connections, which are vulnerable by nature.
2. Also because of these wireless connections, a cyberattack in progress often goes unnoticed.
3. IoT security tends to be a blind spot for both consumers and companies. A report by Key Factor, a digital infrastructure company, found that 96 percent of organizations using IoT or connected products encounter difficulties securing these devices and systems. NordVPN also found that 25 percent of users took no action to protect their IoT devices from attack.
4. Some manufacturers take shortcuts on the security protocols they’re supposed to install in their products. This means the devices leave the factory with flaws that cyberattackers can exploit straightaway.

It should be noted most Wi-Fi connections are not secure either and Bluetooth, despite being a mature technology, has 16 different security vulnerabilities. RFID, used in logistics and retail, has many of its own issues too. Meanwhile, low-power wide-area networks almost exclusively used by businesses, transmit data from IoT devices like sensors back to the base using wireless, low-bitrate, long-range communications. However, they’re also vulnerable because they use a simpler encryption method to save power. 

What do cyberattackers gain by hacking IoT devices?

IoT devices connect to domestic and corporate computer systems. Heating systems, smart fridges, smart thermostats and other devices often connect to the same corporate networks as customer databases and point-of-sale systems.

But why would a cybercriminal attack a connected fridge? It’s not because they want to control your refrigerator. They want access to your corporate network and your fridge will often be less protected than, say, your Wi-Fi router. Once they have access to your corporate network via that smart fridge, they’ll try to take control of it.

When they’ve gained control, they can — for example — install ransomware to blackmail your company or run cryptocurrency-mining malware, which requires so much computing resource that it renders your network unusable. They may grant themselves user privileges to access sensitive client information, launch denial-of-service attacks against your website or interject themselves into email conversations between your company and clients.

In 2021, software security company McAfee discovered a security flaw in an IoT exercise bike manufactured by market leader Peloton. This flaw could have allowed a hacker to steal information from Peloton’s customer database, including users’ birthdays, genders, workout stats, weights and ages, all because of a faulty application programming interface. In another real-life example, in 2020 users of a popular range of smart chastity belts lost their ability to operate them due to a hacker and found themselves subject to a $235 demand to regain control.

The lesson? Cyberattackers can gain access to any connected device and exploit it in several ways.

What are the risks IoT cyberattacks pose to businesses?

Using IoT devices in your business introduces not only security risks but also financial ones.

Financial risks

The financial and reputational costs of a cyberattack are significant even for large corporations, but for small businesses, a cyberattack could mean closing up shop.

“Overall, there’s going to be tremendous benefits to the IoT — it’s exciting,” said Kevin Haley, the former director of security, technology and response at Symantec. “We’re going to see all these different applications but, as a security professional, I’m seeing that there’s a headlong rush into this stuff without anybody really thinking through the consequences or the security aspects of it.”

A hacker could even access a small business’s network by hacking into its security system. “Now, anybody who has an internet connection and some hacking skills can also view your most important stuff,” Haley said.

The costs of mitigating the damage from such a breach could be catastrophic for a small business.

Security risks

Roel Schouwenberg, senior security researcher at Kaspersky Lab, agreed with Haley’s assessment. 

“All these new smart devices come with their own specific, new vulnerabilities, which can give attackers new opportunities. They may require new technology and approaches to protect [them] properly,” said Schouwenberg. “But people in small businesses will generally have their hands full covering their existing technology. Adding new, complex devices to the equation is going to make things a lot more difficult.”

When it comes to the IoT, small and midsize businesses have to worry that hackers could access their networks through their connected devices.

“Any way into — or any device into — the corporate network is one that needs protection,” Schouwenberg said. “Attacks have become more targeted, even against smaller companies, so all these scenarios require attention.”

Why are small businesses more at risk of IoT cyberattacks?

While cyberattacks involving large corporations tend to be the ones that garner headlines, small businesses may be at even more risk when using IoT devices for the following reasons.

Few specialized information technology employees

Small businesses are particularly vulnerable to security risks because they don’t usually have their own dedicated security staff. If they’re lucky, the people they pay to do their computer work happen to understand it and look out for them, said Chester Wisniewski, director of Global Field chief technology officer at security company Sophos.

Most of them don’t provide that protection, though, leaving small businesses wide open to attacks.

Overreliance on IoT devices with poor security design

The more IoT devices your business uses, the more at risk you are — especially if security protections weren’t built into the system’s design.

“To a large degree, the best thing to do is not use all these connected devices or at least to understand what the risk factor might be,” Wisniewski said. “I’ve seen people who have plants that tweet when they need to be watered. We’re hooking everything to the internet. The safest approach is to do what I do and just don’t plug this stuff in.”

Part of the security risk stems from these devices’ industrial control systems, which are often designed by people who do one thing very well. For instance, a system might be designed by a person who knows a lot about refrigerators or thermostats who programmed the software, so the appliance or device does all kinds of cool things, Wisniewski said.

“The question is, did they have a security expert involved in these things to understand what they need to do to maintain security? What happens when it’s time to patch your refrigerator? How do you know you need to fix your refrigerator?”

Said Schouwenberg, “[IoT devices] should all be designed with security in mind. Given the slow life cycle on most of these devices, that’s going to be very important. What I hope to see is that for the makers of smart devices, security will become a competitive advantage.”

Closely connected networks

If you put your refrigerator or your smart thermostat on a Wi-Fi network that’s also used for your business software, you’re more vulnerable because computer code always has flaws that cybercriminals can exploit, Wisniewski said. For small businesses, these smart appliances or devices are usually on the same network that contains customer and credit card information.

“It’s a way for someone to have a foothold inside your network that you can’t track down because you never think that it’s that thing [like your refrigerator] that’s stealing data from your network,” Wisniewski said. “The more things connected to the area where you’re conducting business, the worse it is.”

Any piece of hardware that can interface with something electronically is at risk of exploitation, added Schouwenberg.

How to protect your business’s IoT devices

There are multiple ways to protect your IoT devices, your network and the data stored on your network.

1. Create subnetworks.

Schouwenberg said it’s nearly impossible for a small business to protect all of its assets, so he suggested listing your biggest assets and then putting the most effort into preventing the network security threats involved with those assets.

“Work your way down from there,” he said. “Segregate your network. IoT and BYOD (bring your own device) can go hand in hand, so you may also want to look at policies in that area. Many new smart devices, like fridges or TVs, have functioned perfectly fine as dumb devices. Unless you have a very valid business case, it’s best to not hook them up.”

2. Only collect as much data as you need to trade.

Small businesses should also limit the sensitive information they collect, said Jay Radcliffe, director of product security testing at Thermo Fisher Scientific.

“If you’re not doing anything with names and addresses and your system by default is collecting that information, then don’t collect it,” he said. “The tendency for vendors and people supplying the IoT is to have all that stuff turned on. It’s like going to a restaurant and ordering every dish they have when really all you need is one thing.”

3. Avoid Wi-Fi where you can.

Wisniewski said that one way for small businesses to protect themselves is to not use Wi-Fi.

“Know what’s plugged into your network,” he said. “Don’t allow your employees to bring their laptops in and plug them into your network that you’re processing credit cards on.”

If you want a Wi-Fi network for employees to use during their breaks, run a separate network with just the Wi-Fi, Wisniewski said. “Give them a free Wi-Fi [network], but make sure that free Wi-Fi isn’t hooked into the same place where you’re doing all the critical stuff.”

If a physical connection to an IoT device is not possible and you need to rely on Wi-Fi, consider switching to a new network that uses the WPA3 protocol and not the now-compromised WPA2. All Wi-Fi devices manufactured since July 1, 2020, must have WPA3 certification, but check with your vendor before purchasing.

Cybersecurity while traveling is another concern. Use 3G, 4G or 5G when possible, because a favorite trick for cybercriminals to use in open places and hotel lobbies is creating alternative, authentic-looking Wi-Fi networks that fool unsuspecting users.

4. Choose the right manufacturer and download patches.

Check every product you want to connect to your network before you purchase it because even a printer can pose a security risk.

Haley said part of the onus for security should be on the manufacturers of these connected devices.

“I think manufacturers are going to have to figure this out but, unfortunately, it’s going to have to take a big incident [for things to change]. But for now, small businesses have to do a couple of things,” he said. “You have to ask what you have connected to the internet and what the risk of that is. … [I]f you have those security cameras, research and see if there are vulnerabilities — and if there are, patch them. If you have a commercial router, you have to make sure there are good passwords on there. If there’s a vulnerability, you have to make sure you’ve updated to the latest patches.”

5. Take cybersecurity seriously from the top down.

Human error is the No. 1 cause of successful cybersecurity attacks within any business. From creating strong passwords to downloading patches on the day of release, every business needs to take cybersecurity seriously. Teach your staff about the types of attacks, how to spot them and what to do if they think they’ve been targeted.

Clear leadership from the top, as well as staff education and monitoring, is vital to cybersecurity at any company.

Is the IoT all that bad?

It isn’t necessarily a bad idea to embrace IoT technology as a small business owner. These devices can transform your business significantly and its operations for the better. However, it’s crucial to remain vigilant about the potential risks and challenges associated with installing and using IoT devices. This means prioritizing cybersecurity and data privacy protocols to safeguard your company and maximize the benefits of IoT technology.

Shayna Waltower and Linda Rosencrance contributed to this article. Source interviews were conducted for a previous version of this article.