
Building Defense in Depth

A strong cybersecurity strategy includes multiple layers across the physical and digital worlds

Jane Porter

In the first blog of this series, we talked about the fact that a layered approach to security is required to minimize the available attack vectors. With all the different ways hackers can access sensitive systems, multiple types of solutions need to be included at the user and administrative levels.

There are many different approaches and standards to layered security and nearly all of these are aimed at the IT profession and/or organization. Our next few blog entries will look at the layers from a user’s perspective.

  1. We shall start with looking at the physical security: what do we need to do to secure the hardware as the first line of defense?
  2. Secondly, we shall look at authentication and authorization: what can we do to help keep access to our software as secure as possible?
  3. Then we will discuss the applications themselves and how we can ensure they are well behaved and add to the overall security posture of the environment they run in. Our next installment will look at applications being run on the Edge and the following one will look at applications run in the Cloud.
  4. Then we will pivot our focus to IoT specific concerns, looking at devices and best practices on connectivity and management.
  5. We will wrap up this series by bringing everything together to show how the constant flow of data, connections, and changing environment require our constant vigilance.

Let’s start with physical security. This is the most ignored and least talked about aspect of cybersecurity; however, if the device is compromised, all the other layers of security become meaningless.

Devices come in many forms. At a corporate level, any on-prem servers need to be kept in locked rooms with limited and appropriate access. At the individual level, we are responsible for our smartphones, tablets, laptops, and computers, all of which can provide a gateway to corporate assets and data, and many of which are carried with us nearly all the time. What can we do to help ensure these devices are not compromised? Part of the answer must include the passwords we store in common web browsers or applications, and that are synchronized across devices so we can sign in quickly. If somebody gets hold of just one of our devices, they will have access to all our accounts. So here are some simple steps we can all take to protect our devices.

Separate your work and personal devices.

Sounds obvious, but with dual SIM phones and BYOD at work, it is easy to blur the lines between work and personal lives. However, if somebody suggested you take your work computer to a music festival or a nightclub, you would think they had lost their marbles. But that is precisely what you are doing if you use the same phone for work and personal purposes. The safest route is to leave your work phone at home when you are on personal time; if that is not possible, use a separate phone.

This does of course come at the cost of flexibility – you must carry 2 phones when you are working.

Consider a phone lanyard case.

Most of us now have Apple or Google wallet, so all you need for a night out with your friends is the phone and your house keys. It is easy, when you are out and enjoying yourself, to take out your phone, set it down, and forget about it for a few minutes. A phone lanyard case is a very simple way of ensuring you do not lose your phone.

Use a privacy guard in public settings.

When you are using a work laptop in a public place, consider using a privacy guard. They make your laptop look cool as they display a gold screen to anybody not directly in front of the screen. The security benefit is precisely that nobody can see what you are working on from a distance or an angle.

Phase out old devices safely and securely.

Think about how you dispose of your old devices. Most work devices are returned to the IT department where they are reconfigured and either disposed of or re-purposed. Your home device might just languish in a drawer gathering dust until you throw it out. In all cases, you should always sanitize the device so that no data remains on it or can be recovered.

To summarize, taking some simple but effective steps for physical device security is the first line of defense for both your personal and work data.

If, after taking these precautions, you lose your device, make sure you know how to wipe it. The major manufacturers have a “lost mode” which allows you to log on to your account and block or, in extremis, wipe the data from your device. You should then reset all your passwords. We will talk more about that in our next blog. If your corporate device is stolen, contact your Security Department as soon as possible; they will tell you precisely what you need to do.

Stay safe.
