
5 Drivers of IoT Risks

In 1969, two programmers took a step that ultimately generated bigger leaps for humankind than the moon landing.

On Oct. 29, 1969, a coder in Los Angeles transmitted via a basic computer network a briefer-than-expected digital message to his partner at the Stanford Research Institute in Menlo Park. Intending to type the phrase “LOGIN,” the programmer in L.A. made it to “O” before his program crashed. Still, his buddy successfully received a rudimentary e-mail reading “LO.” The event marked the first communication over a computer network (ARPANET), and it is the reason we mark National Internet Day on Oct. 29.

It is useful to remember that the Internet got off to a slow (dial-up modems), difficult (“You’ve Got Mail”), and frumpish (text-only chat rooms on hefty green-screened desktops) start – one that was initially heavy on hype (Webvan) and setbacks (the dot-com crash). Those obstacles have since been eclipsed by a procession of eye-popping digital transformations and innovations (e-commerce, streaming video, social media, doorbell cams, video-conferencing, telemedicine, and way more) along with the dizzying mix of value, benefits, and risks each Internet-related advance introduces.

In 2021, Internet of Things (IoT) advancements are producing a set of bewildering capabilities along with associated risks that need to be managed by individuals, companies, and their third parties. However, in most organizations, these needs are not being met. An overarching problem, notes Shared Assessments’ Senior Advisor, Charlie Miller, is that organizational IoT risk identification and management remain comparatively immature as the use of IoT technology by outsourcers and third parties rapidly increases. Miller, who for years has guided Shared Assessments’ IoT risk survey research, points to five factors currently hindering IoT risk management capabilities:

 

1. Remote work greatly expanded IoT attack surface.

The massive migration to home offices that the COVID-19 pandemic triggered has given bad actors a new trove of vulnerable back doors into corporate networks. Baby monitors, smart speakers, connected thermostats, doorbell cameras, and other IoT devices in the home share network access with laptops, tablets, and cellphones that are also connected to the corporate networks of home-based workers. “The attack surface has increased exponentially,” Miller notes. “A cyber-attacker can go after my thermostat to get malware onto my laptop, and that malware can reach my corporate network if I don’t have the right safeguards in place.”

 

2. IoT risk management has become personal.

Do you know the password to your home Internet router? (Hint: it’s probably not the same phrase as your Wi-Fi password.) If you don’t know, the answer is likely “admin” or “root” – the default passwords manufacturers attach to routers. Hackers know these default passwords, which is why all consumers should change them on a regular basis (but rarely do so) or when activating a new router. “With so many people working from home,” Miller notes, “individuals need to take a more proactive approach to cybersecurity hygiene because it has impacts on their safety and company’s cybersecurity.”

 

3. New regulatory requirements.

State and federal regulators are becoming more aware of the risks posed by IoT sensors and connectivity. Other, broader cybersecurity rules that appear likely to materialize soon may affect how – and how quickly – companies publicly disclose the cyber breaches, including IoT security lapses, they experience.

 

4. IoT innovations continue to proliferate.

“The new IoT use cases are staggering,” Miller asserts, running down a list of applications that includes connected factories, smart farming, self-driving vehicles, usage-based pricing, virtual reality, smart cities, and a lot more. “The growing use of 5G and Wi-Fi 6 will generate more investments and innovations. We’re only going to see IoT used in more places where the technology has never been used before. This means that new security protocols and controls will be needed.”

 

5. IoT adoption and usage is outpacing IoT risk management.

A June 2020 research report on IoT risks conducted by Shared Assessments and the Ponemon Institute found that almost nine of 10 survey respondents expected to experience a cyber-attack or data breach caused by unsecured IoT devices or applications in the next two years; more than three-quarters of respondents indicated that third party IoT risks pose a “serious threat to high-value data assets.” The research concluded that “IoT risk management capabilities in the workplace and among third parties still require significant upgrades across all industries and within nearly all companies.” While many outsourcers and third parties have invested substantial time, money, and brainpower in improving IoT risk management in the past 14 months, significant upgrades are still needed today, Miller reports. “Too many organizations do not know what IoT devices they have installed and what IoT risks exist within their third parties,” he says. “It’s crucial to identify those IoT devices and the risks they pose.”

 

Conclusion

As daunting a task as IoT risk management appears to be right now, keep in mind that technological advancements rarely advance smoothly or steadily. Who would have thought back in October 2002 – when the Nasdaq had plummeted 78% from its March 2000 high – that every organization across all industries would soon enough become a data-driven technology company?

A healthy way to celebrate Internet Day this year would be to re-launch efforts to identify and manage IoT risk lurking in your organization and throughout your third party ecosystem.

 
