The Internet of Things (IoT) is poised to be the ultimate technology disrupter. Companies are racing to build out Internet of Things businesses, but security is not at the top of the list. When security is considered low priority within any organization, the hairs on the back of my neck stand up. And security is not just something that rests on the CIO’s shoulders; it is a companywide concern for the board of directors, the CEO, customers and all entities doing business within and even outside of the organization. How can we fortify cybersecurity to counter and mitigate threats?
The big bet
Every corporation is betting big on the Internet of Things, and for good reason. According to researchers, by the year 2020 more than 50 billion connected devices will exist. Some are more optimistic, estimating that the number of connected devices is likely to soar from 15 billion in 2015 to 200 billion by 2020, which is the equivalent of 26 smart objects for every person in the world.
My concerns about Internet of Things security, however, stem from criminals, hackers, foreign governments and so on. Cyber criminals are getting savvier than ever. They welcome the Internet of Things and the associated vulnerabilities that inherently come with it. As they grow their criminal empire, their funding increases and they get smarter and sometimes even more innovative than the very tech companies they attack.
Cyber risk has grown to the point where it spans organized crime groups and syndicates, and even politically sponsored hackers. Within corporations, many IT resources are stretched thin between increased outsourcing and the added burden of managing cyber risks. Ongoing struggles to keep up with and properly manage these growing threat levels are quite likely.
When Internet of Things devices are directly connected to networks, the sheer number of attack vectors increases substantially. A direct correlation exists between low-cost Internet of Things sensors and weak security implementation, which increases the vulnerabilities available to exploit. This situation is of great concern for corporations because, as risks increase, the legal commitments to customers still remain.
Suppose a data breach occurs as a result of poor security implementation on an Internet of Things device within a company. Whether the breached company even had a hand in designing or manufacturing the device doesn’t matter. It is still responsible and stands to lose data for millions of customers, face possible regulatory action and incur legal action, all because it failed to secure its networks.
Breaches are costly in fines, lost revenue and, especially, tarnished brands. Rebuilding a brand may take years. In 2015—almost a full year after the initial breach—I discussed this topic on Bloomberg TV regarding Target’s retail breach and what’s next for that organization. I continue to mention this breach today because everyone immediately understands it. Target is still digging itself out of the tarnished brand hole it got itself into almost three years ago.
CIOs can take the steps necessary to start securing Internet of Things connectivity:
- Get the CEO and board onboard with cybersecurity early—it takes an entire organization.
- Verify security is implemented into Internet of Things sensors at the early stages. Ask manufacturers specific questions: What makes this device secure? Does it have encryption? What kind?
- Perform a comprehensive risk assessment and regular security audits to make sure Internet of Things devices are truly secure. Risk assessment can keep new devices and vulnerabilities from sneaking up. Security audits can verify that no new unsecured Internet of Things sensors have been added without permission or without the knowledge of the team that the CIO or chief security officer (CSO) has put in place.
- Ensure all third parties, vendors, suppliers, partners and customers are onboard and adhering to the security policies and procedures you have in place. Do not allow wiggle room or a free ride for trusted or go-to partners from the past.
- Establish the crisis plan. No one expects to be breached, but all networks are vulnerable. A media and corporate emergency plan needs to be in place to make fast and reasoned calls. There is no room for a wait-and-see period, because every minute a company is silent about its breach, it loses customers and credibility.
If Internet of Things developers start seriously planning security early on in product development, it will make a significant difference. When more thought is placed on security rather than just price or ease of use, our fears and ultimately our security flaws will be minimized.
Expert discussion on cybersecurity
Can we drive the innovation and possibilities of the Internet of Things while maintaining security?
For answers to these questions and more, take part in a live panel discussion with experts on 24 May 2016 at 11 a.m. ET, where we’ll discuss the impact of the Internet of Things on cybersecurity. Here are some of the key questions to be discussed:
- Why is security for Internet of Things devices often so weak?
- How are hackers exploiting connected devices?
- What can organizations do to better secure their connected devices? What should vendors be doing?
- Who is responsible for securing the smart home? Why?
- Can our connected homes, cars and devices attack us?
- What’s the role of government in ensuring connected devices are secure?
This blog was originally posted on IBM Big Data & Analytics Hub.