Ulrike Bahr-Gedalia
Senior Director of Digital Economy, Technology, and Innovation at the Canadian Chamber of Commerce
Farshad Abasi
Chief Security Officer at Forward Security
As the Internet of Things (IoT) has become the Internet of Everything, IoT innovation is having a significant impact on the cybersecurity landscape for Canadian companies. As more and more devices are connected to the internet, the attack surface for cybercriminals expands, and the potential for security breaches increases.
Additionally, many IoT devices are not designed with security in mind, making them vulnerable to hacking and other cyber threats. This means that Canadian companies that adopt IoT technology must also invest in cybersecurity measures to protect their networks and data from cyber-attacks.
In an interview with Ulrike Bahr-Gedalia, Senior Director of Digital Economy, Technology, and Innovation at the Canadian Chamber of Commerce and Cyber. Right. Now. (CRN) Lead, Farshad Abasi, Chief Security Officer at Forward Security and a member of CRN, discusses how to securely navigate IoT innovation in an increasingly interconnected world.
Ulrike Bahr-Gedalia: What specific risks do Canadian companies face when implementing IoT technology?
Farshad Abasi: When it comes to implementing IoT technology, Canadian companies, in particular SMEs, may face a number of risks.
- IoT devices can often be targeted by cybercriminals due to weak security design and configuration, potentially resulting in data breaches and loss of sensitive information.
- Privacy risks are another concern, as the collection and storage of personal data by IoT devices can raise privacy and data protection concerns.
- Companies may be held liable for any damages caused by faulty IoT devices or data breaches, creating liability risks.
- There are also operational risks to consider, as IoT devices and systems can be vulnerable to technical malfunctions and disruptions, which can negatively impact business operations.
- The rise of IoT devices can also lead to vendor lock-in, potentially limiting flexibility and increasing costs as companies become dependent on specific vendors for IoT devices and services.
Bahr-Gedalia: What steps have the Government of Canada and industry leaders undertaken to address the cybersecurity challenges posed by IoT innovation?
Abasi: The Government of Canada and industry leaders have taken several steps to address the cybersecurity challenges posed by IoT innovation. These encompass what CRN has been working on as an industry group to place Canada among the most secure countries.
- The Canadian Centre for Cyber Security (CCCS), with whom CRN continues to engage through a collaborative, open dialogue, has developed guidelines and best practices for securing IoT devices and networks, including the “Internet of Things (IoT) Security” guidance.
- The National Cyber Security Strategy of Canada, published in 2018, includes several initiatives aimed at improving IoT security, including the development of a national incident response plan and the creation of a national cybersecurity certification program for IoT devices. In August 2022, CRN handed in a submission with respect to the renewal of this strategy and has been in ongoing conversations with government to strengthen industry engagement.
- Public Safety Canada, with whom CRN is in regular dialogue, established a Cyber Security Cooperation Program to foster collaboration between industry, academia, and government to address cybersecurity challenges, including those related to IoT, as well as a dedicated working group, which is a part of Innovation, Science and Economic Development Canada (ISED), to work on IoT policy, regulation, and help with the development of the IoT ecosystem.
Bahr-Gedalia: What types of cybersecurity threats do Canadian businesses face as a result of employees introducing IoT devices into their homes, especially when most people are working remotely?
Abasi: Innovations in this space have resulted in the prevalence of IoT devices that assist with a variety of tasks in our daily lives. These include thermostats, lighting control devices, security surveillance systems, and more. Employers should consider the following:
- Many employees work remotely from home, co-working spaces, or environments where these devices are present and often in the same network the employee’s work device is connected to.
- Many IoT manufacturers do not build the devices with security in mind and often lack basic security measures or regular updates.
- An attacker can take over a device and target the remote employee’s machine that resides on the same network if that computer is not securely configured and adequately protected. They can subsequently take control of that computer and pivot to corporate applications and systems that employee has access to.
- Often, employees are connected and remain logged into many of the applications they use, as well as the corporate internet. In these cases, adding multi-factor authentication is not going to help, since the user has already logged in and passed the required checks.
Bahr-Gedalia: What are some key steps businesses should take to secure their IoT devices and networks?
Abasi: There are many things Canadian companies can do to better protect their IoT devices and networks against potential security threats. The most important of these are as follows:
- Companies should segregate networks where IoT devices reside from other networks, to limit the potential impact of a security breach.
- Secure configuration and regular updates should be applied to employees’ computers, and communication to local devices should be blocked when connected to a company VPN.
- Conducting regular training and awareness programs to educate employees on the importance of IoT security and how to identify and report potential security threats is crucial.
- It’s important for companies to consult with experts in IoT security to get an assessment of their risk profile and put appropriate controls in place.
- Setting up a system for monitoring and logging IoT device and network activity allows for quick detection and response to security incidents. Establishing incident response and disaster recovery plans can minimize the impact of security breaches.
- Lastly, companies must recognize that IoT security is an ongoing process and should review and update their security measures on a regular basis.
To learn more about Cyber. Right. Now. visit the Canadian Chamber of Commerce at chamber.ca/campaign/cyber-right-now/.