In 2008, Bernie Madoff admitted to masterminding an $80 billion Ponzi scheme — a scheme that should have made many investors skeptical. Many victims, including several retirees, overlooked the warning signs and were financially ruined. Most of the money was never recovered.
While not a Ponzi scheme, internet of things (IoT) devices deserve a healthy dose of skepticism when it comes to information security and data privacy. Installing a small piece of technology within your organization may not seem like a risk management decision, but a poorly configured IoT device can open the door to criminals.
As connected (“smart”) devices work their way into business processes and industrial systems, the explosive growth of IoT brings with it an unparalleled surge in business attack vectors. The impact will be a challenge for corporate security teams – especially in terms of privacy law compliance and vulnerability management.
Understanding IoT risk
Technology has always driven change in the way businesses operate, but the word “disruptive” has often been overused to describe its impact. However, with roughly 7 billion IoT devices already in use (not including phones or tablets), and projections of 21 billion devices in use by 2025, IoT Analytics predicts that the IoT age may indeed turn out to be truly disruptive.
We don’t need to wait until 2025 to imagine the risks arising from integrating IoT devices into business operations. Just recently, a Ponemon Institute study on IoT risk found that data breaches caused by unsecured IoT devices increased from 15% to 26% since 2017. Further complicating IoT device security is the fact that most organizations have no centralized function that manages these devices, nor a clear strategy for securing and maintaining them. Most security teams are not appropriately staffed to handle IoT device proliferation and may even be blind to their presence.
Competitive advantage and operational efficiency will increasingly demand the adoption of business IoT. Inevitably, various IoT products and technologies will come together in larger, industrial IoT processes. What happens when a single connected component within these processes is discovered to be transmitting data to unknown third parties? Think multi-function printers (MFP) or digital security cameras. The implications are limitless.
The challenge for security teams
Security organizations already have a difficult time ensuring their production systems are patched; adding the burden of patching connected devices could be a bridge too far. Smart “things” in a business setting will mean a dramatic increase in the number of devices that need to be monitored and patched – assuming patches are available.
Beyond the vulnerability management issues, the legal implications of privacy violations will present another significant challenge. The IoT may indeed prompt a new wave of cyber security legislation around the world.
One sign of this legislative response is a new California law known as SB 327, Information Privacy: Connected Devices, which specifically requires IoT devices to be designed with security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.” SB 327 is joined by another (more popular) new piece of California legislation: AB 375, [the] California Consumer Privacy Act (CCPA), which allows consumers to demand the data a company has collected from them, as well as the names of any other parties that data may have been sold to.
In the IoT age, businesses may be gathering consumer and/or employee data via connected devices without even realizing it. What happens when employees discover such data collection before their employers are aware of it? Navigating the challenges of emerging privacy laws and vulnerability management could end up being a Herculean endeavor for security teams.
4 steps for reducing IoT risk
Moving forward, organizations will need to carefully consider how workplace IoT may intersect with privacy and data protection laws. Start by taking these four steps to reduce risk:
- Include IoT-specific language in data privacy agreements
- Isolate IoT devices into separate logical segments of the network
- Monitor data flows and watch for unexpected or anomalous traffic patterns
- Ensure that IoT buying decisions are driven by security considerations, such as the ability to change default passwords, receive and apply patches, and disable unneeded services on any IoT device.
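As an added illustration of the “isolate” and “monitor data flows” steps above (example code written for this page, not from the original article), the script below checks constructed flow records from an IoT segment against a per-device baseline and flags anything that leaves the segment toward an unexpected destination, such as a printer or camera talking to an unknown external host. The segment addresses, device names and baseline are assumptions for the example.

```python
import ipaddress

# Constructed sample flow records (device, src_ip, dst_ip, dst_port, bytes);
# in practice these would come from NetFlow/sFlow exports or firewall logs.
SAMPLE_FLOWS = [
    ("mfp-01",  "10.50.1.10", "10.10.5.20",   443, 120_000),
    ("mfp-01",  "10.50.1.10", "203.0.113.7",  443, 9_400_000),
    ("cam-03",  "10.50.1.33", "10.10.8.4",    554, 2_100_000),
    ("cam-03",  "10.50.1.33", "198.51.100.9", 8080, 512_000),
    ("hvac-02", "10.50.2.5",  "10.10.5.20",   443, 4_000),
    ("hvac-02", "10.50.2.5",  "10.20.0.12",   445, 80_000),
]

# Assumed addressing: IoT devices sit in their own segment, corporate hosts in
# another, and everything the organization owns falls inside 10.0.0.0/8.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
CORP_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Per-device baseline: the (destination, port) pairs each device is expected to use.
BASELINE = {
    "mfp-01":  {("10.10.5.20", 443)},   # print server
    "cam-03":  {("10.10.8.4", 554)},    # video recorder
    "hvac-02": {("10.10.5.20", 443)},   # building-management server
}


def find_anomalies(flows, baseline, iot_segment=IOT_SEGMENT,
                   corp_segment=CORP_SEGMENT, org_networks=ORG_NETWORKS):
    """Return (device, dst, port, bytes, reason) for IoT flows outside the baseline."""
    findings = []
    for device, src, dst, port, nbytes in flows:
        if ipaddress.ip_address(src) not in iot_segment:
            continue  # only flows originating in the IoT segment are in scope
        if (dst, port) in baseline.get(device, set()):
            continue  # expected traffic for this device
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in corp_segment:
            reason = "crosses from IoT segment into corporate segment"
        elif not any(dst_ip in net for net in org_networks):
            reason = "external destination not in baseline"
        else:
            reason = "internal destination not in baseline"
        findings.append((device, dst, port, nbytes, reason))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS, BASELINE):
        print("ALERT %-8s -> %s:%d (%d bytes): %s" % finding)
```

The baseline is deliberately explicit rather than learned, so a new destination has to be reviewed and added before it stops alerting.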
It’s possible that in the coming days, the required level of strategic collaboration between security and legal teams will surpass even the intense involvement required to address GDPR compliance. Until that time, and given the rate of IoT market expansion, perhaps business leadership might begin with the simplest question: are we being skeptical enough with our current IoT strategy to adequately protect our company?