While some may think that the Internet of Things (IoT) is at its prime, it actually has miles to go in terms of resilience against external attacks. So, what makes the Internet of Things different from the traditional Internet? The answer, for starters, is humans. IoT doesn’t rely on human interaction to operate, and this is something that a lot of cyber security companies just don’t get because IoT is really much more than just about interconnected devices.
With IoT, machines collect, communicate, and act on information, offering new approaches for technology, media and telecommunications operations to deliver added value— whether by creating entirely new businesses and revenue schemes or delivering a more convenient experience for customers.
But all of this also creates new opportunities for this great technology to be exploited. And this is exactly where companies moving to the forefront of this technology fail – they are unable to ensure that they are secure. Not only does IoT allow for more data to be shared among many more players, but much more sensitive data is being exposed. As a result, the risks are exponentially more significant.
Take, for example, a garage door opener with added functionality that deactivates the home alarm upon entry. It’s a really convenient feature, especially when you’re in a hurry. But once we began our external engagement, we were able to take over the entire security system and exploit the garage door opener in ways for which it was not created.
The wide range of connected home appliances—TVs, home thermostats, locks, alarms, home hubs, door openers, to name a few—creates a plethora of connection points for adversaries to breach IoT systems, access customer information, and even penetrate manufacturers’ systems.
We’re seeing lately that more and more companies in tech, media, and telecommunications are struggling with these cyber risk challenges and are noticing a few things, described in more detail below, in the fight to tackle cyber risks and take advantage of new opportunities.
Cyber Risk Management
The promise of IoT is that more information creates more opportunity to create added value. Nowadays, entire business models are built on the idea of collaboration among organizations – and data is often the adhesive, motivating companies to invest big in customer analytics capabilities to deliver more value for the customer. These collaborations are taking advantage of an exceptionally wide palate of data types—not just devices and system data, but everything from employee rosters and inventory records to non-traditional data such as facial recognition, access data, and industrial control system data, to name just a few. For many, this is undiscovered territory, and along the way, data governance has failed to keep pace.
Global Risk Standards
Another question we are often asked is “how do you create firm control over data governance in that situation?” Great question! We receive more and more inquiries from organizations seeking guidance on how to strengthen controls, but we often see that tightening them a tad too much can obliterate the life out of much needed innovation. Companies often chase an approach marked by oversight, and which could potentially leave them exposed to outside risks. We believe that risk and innovation are inherently linked—and by understanding what “normal” data activity looks like, possible anomalies can be quickly flagged for review.
New Tech — New Risks
IoT is a shared ecosystem and operating model that crosses both public and private sectors, and activity around it is on the rise. However, without any uniform standards governing it, the shared responsibility for security enforcement is doomed to fail as security breaches occur anywhere and anytime within the ecosystem —something we see every month. Although global cyber risk standards are almost certainly in development, most believe they’re far away, so business and technology leaders have no choice but to begin implementing their own, often relying on expert guidance from an external service providers like Comsec.
While different players have aligned in different agreements, those in technology industries are expected to lead the change. While much of the promise of IoT lies in the ability to gather data, today it’s generated in different formats, with machines connecting to different networks using different protocols. Without common standards to govern the functionality of IoT-enabled devices, the barriers to interoperability are vast.
Overhaul is Not Scary
Some technology companies are looking to implement IoT solutions either on top of existing systems or are working closely with their own customers and partners to develop new ones. Many of these existing systems, which were once standalone and unconnected, are now vulnerable targets for exploitation. So, does that mean that overhaul is imminent? Based on our experience, not necessarily, and given the cost of implementing new technologies, some of which may soon be obsolete, overhauling may not always be a strong contender. We have provided guidance to dozens of our customers on how to better plan and execute a technological transition to accommodate various circumstances and scenarios.
We work hand in hand with our clients to overhaul their existing infrastructure, when most them are facing new challenges. Take, for instance, the greater number of points of communication introduced, rendering the simple, shared system accounts and passwords associated with older security programs useless. In some cases, a purpose-built device or add-on designed specifically to enhance IoT security is preferable. Either way, being wary of the risks arising from overhauling, and accurately assessing them, are important steps to effectively managing these risks.
Conclusion
IoT security poses significant infrastructure challenges and many companies are looking for ways to improve it. No matter the solution, it is vital to choose an expert with decades of experience to help achieve the maturity levels everyone is dreaming of.
