Is the Internet of Things a scary proposition for organizations?
The Internet of Things (IoT) is poised to be the ultimate technology disrupter. Companies are racing to build out Internet of Things businesses, but security is not at the top of the list. When security is considered low priority within any organization, the hairs on the back of my neck stand up. And security is not just something that rests on the CIO’s shoulders; it is a companywide concern for the board of directors, the CEO, customers and all entities doing business within and even outside of the organization. How can we fortify cybersecurity to counter and mitigate threats?
The big bet
Every corporation is betting big on the Internet of Things, and for good reason. According to researchers, by the year 2020 more than 50 billion connected devices will exist. Some are more optimistic, estimating that the number of connected devices is likely to soar from 15 billion in 2015 to 200 billion by 2020, which is the equivalent of 26 smart objects for every person in the world.
My concerns about Internet of Things security, however, stem from criminals, hackers, foreign governments and so on. Cyber criminals are getting savvier than ever. They welcome the Internet of Things and the associated vulnerabilities that inherently come with it. As they grow their criminal empire, their funding increases and they get smarter and sometimes even more innovative than the very tech companies they attack.
Cyber risk has grown to the point where it spans organized crime groups and syndicates, and even politically sponsored hackers. Within corporations, many IT resources are stretched thin between increased outsourcing and the added burden of managing cyber risks. Ongoing struggles to keep up with and properly manage these growing threat levels are quite likely.
When Internet of Things devices are directly connected to networks, the sheer number of attack vectors increases substantially. A direct correlation exists between low-cost Internet of Things sensors and low security implementation, which increases the vulnerabilities available to exploit. This situation is of great concern for corporations because, as risks increase, the legal commitments to customers still remain.
Suppose a data breach occurs as a result of poor security implementation on an Internet of Things device within a company. Whether the breached company even had a hand in designing or manufacturing the device doesn’t matter. The company is still responsible and stands to lose data for millions of customers, face possible regulatory action and incur legal action, all because it failed to secure its networks.
Breaches are costly in fines, lost revenue and, especially, tarnished brands. Rebuilding a brand may take years. In 2015, almost a full year after the initial breach, I discussed this topic on Bloomberg TV regarding Target’s retail breach and what’s next for that organization. I continue to mention this breach today because everyone immediately understands it. Target is still digging itself out of the tarnished brand hole it got itself into almost three years ago.
CIOs can take the steps necessary to start securing Internet of Things connectivity:
- Get the CEO and board on board with cybersecurity early; it takes an entire organization.
- Verify security is implemented into Internet of Things sensors at the early stages. Ask manufacturers specific questions: What makes this device secure? Does it have encryption? What kind?
- Perform a comprehensive risk assessment and regular security audits to make sure Internet of Things devices are truly secure. Risk assessment can keep new devices and vulnerabilities from sneaking up. Security audits can verify that no new unsecured Internet of Things sensors have been added without permission or without the knowledge of the team that the CIO or chief security officer (CSO) has put in place.
- Ensure all third parties, vendors, suppliers, partners and customers are on board and adhering to the security policies and procedures you have in place. Do not allow wiggle room or a free ride for trusted or go-to partners from the past.
- Establish the crisis plan. No one expects to be breached, but all networks are vulnerable. A media and corporate emergency plan needs to be in place to make fast and reasoned calls. No wait-and-see time limit exists, because every minute a company is silent about its breach, it loses customers and credibility.
If Internet of Things developers start seriously planning security early on in product development, it will make a significant difference. When more thought is placed on security rather than just price or ease of use, our fears and ultimately our security flaws will be minimized.
Expert discussion on cybersecurity
Can we drive the innovation and possibilities of the Internet of Things while maintaining security?
For answers to these questions and more, take part in a live panel discussion with experts on 24 May 2016 at 11 a.m. ET, where we’ll discuss the impact of the Internet of Things on cybersecurity. Here are some of the key questions to be discussed:
- Why is security for Internet of Things devices often so weak?
- How are hackers exploiting connected devices?
- What can organizations do to better secure their connected devices? What should vendors be doing?
- Who is responsible for securing the smart home? Why?
- Can our connected homes, cars and devices attack us?
- What’s the role of government in ensuring connected devices are secure?
Andrew Borene is senior executive for worldwide strategy for the IBM i2 Safer portfolio. He is a Fellow at Georgetown University’s Center for Security Studies and a Senior Fellow at the University of Minnesota’s Technological Leadership Institute. He serves on the Advisory Committee for the American Bar Association’s Standing Committee on Law & National Security, and the National Defense Industrial Association’s Special Operations and Low-Intensity Conflict (SO/LIC) Board. He is presently Chairman of the Cyber Security Summit and is a Certified Cyber Intelligence Professional (CCIP). Previously, Borene has been an Associate Deputy General Counsel at the U.S. Department of Defense, a U.S. Marine intelligence officer, and a U.S. State Department-funded Fellow for the study of peace building operations in Northern Ireland. Prior to joining IBM, Mr. Borene’s private sector experience included robotics, big data, and investment banking.
Scott N. Schober is a cybersecurity expert and president and CEO at Berkeley Varitronics Systems, Inc., a 40-year-old provider of advanced wireless radio frequency (RF) test and security solutions. Schober has overseen the development of numerous cell phone detection tools used to enforce a no-cell-phone policy in corporate, correctional, law enforcement, military, secured government and university facilities. He regularly appears on Arise TV, Bloomberg TV and Canadian TV News and has numerous appearances as a cybersecurity expert on Al Jazeera America, CCTV America, CNBC, CNN, Fox Business Channel, Fox News, Inside Edition, MSNBC, One America News (OAN), PIX11, TheBlaze and more. Schober has also presented as a subject-matter expert (SME) discussing cybersecurity and corporate espionage at numerous conferences worldwide.
Dan Lohrmann is an internationally recognized cybersecurity leader, technologist, speaker, blogger and author. Lohrmann led the Michigan government’s cybersecurity and technology infrastructure teams from 2002–2014, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 Leader. He is a sought-after and trusted source for government cybersecurity counsel throughout the country. Lohrmann has extensive experience advising senior leaders at federal, state and local government agencies; Fortune 500 companies; National Association of State CIOs (NASCIO); National Governor’s Association (NGA); small businesses and nonprofit institutions; US Department of Homeland Security (DHS) and the White House.
Richard Stiennon is a veteran of the security industry and has years of experience as an industry analyst advising enterprises, vendors and government agencies on their security strategies. Stiennon is the author of Surviving Cyberwar (Government Institutes, 2010), UP and to the RIGHT: Strategy and Tactics of Analyst Influence (IT-Harvest Press, 2012) and There Will Be Cyberwar: How the Move to NCW Has Set the Stage for Cyberwar (IT-Harvest Press, 2015).
Here are a few resources to review in preparation for this discussion:
- Analytics Brief: Will the IoT and Driverless Cars Make Car Hacking the Norm?
- CISOs Need to Pay Attention to IoT Security Spending
- The Internet of Insecure Things
- Security of IoT-Enabled Devices Remains Low Priority for Developers
- Fortify Your Cybersecurity Strategy