Cyber Insecurity In Our New World of IoT

I recently attended the Executive Women’s Forum Summit, in New York City, on Unintended Consequences: Internet of Things (IoT) and Big Data which enabled a strategic dialog for information security, risk and privacy professionals navigating today’s changing digital landscape. In this two part blog series, I’d like to start a discussion on how both Big Data and the Internet of Things (IoT) is shaping our approach to both cyber-security and information governance.

The starting word of the data seems to be UBIQUITY – everything is everywhere, everything is becoming connected, and the Internet of Things is introducing more things for security and privacy professionals to monitor and control. How do identify the perimeter when there are no boundaries in an IoT world?

It’s not just technology geeks that are wondering. A recent survey showed that 74% of C-Level executives think IoT will play a larger role in the next 3 years. It is anticipated that there will be 40 to 80 Billion connected devices in next five years. IoT makes life more convenient, but gives threat actors opportunity to exploit in new ways. The bad guys are adapting real time and the technology and layers of third party components make it challenge to see through the fog in the cloud and figure out the right set of policies for both customers and employees. A scary study by Symantec of 60 IoT, found that 19% did not use even basic SSL.

While founding father Benjamin Franklin was a lightning rod of invention, the Internet of Things explosion is becoming a lightning rod to electrify your privacy and security program. Benjamin Franklin was quoted as saying “By failing to prepare you are preparing to fail” and organizations that do not address IoT in their privacy and security policies are setting themselves up for risks of data leakage or data breach. The Internet of Things is putting Cyber Insecurity top of mind due to how challenging it is to think about the potential implications when seemingly benign devices can create a privacy or cyber risk:

  • How do you define a risk profile for LED Smart Lights that can be hacked and black out the lights in a home or place of business?
  • How do you classify and protect data when now farm equipment and tractors can collect data that can be used for understanding future commodity trading potential?
  • What are the risks when TV’s and Blue Ray devices can be vulnerable to Denial of Service Attacks?
  • How do you protect privacy when now even the tire sensors are your car can become mini-geo location devices?
  • How do you protect a car or home that can be vulnerable to hacks that automatically open locked doors?
  • How do you educate consumers in the “Internet of Me” to protect themselves from spear-phishing using data from Data Aggregators?

There are no easy answers to these questions for both consumers who use IoT or systems that are connect. What you can initiate is a review of your current policies, monitoring systems, controls, and initiate an action plan based on how your organization leverages connected devices.

Even the basics steps to security incident response, crisis management and simulations are evolving beyond routine tabletops due to digital evolution and IoT. The next generation of Security Tabletop exercises should be scenario based leveraging recent attacks to guide or direct the scope of the testing. Just like banking regulators are focusing on “stress tests” for fiscal soundness, the security incident and crisis communication needs its own “stress test” in todays’ Internet of Things playground. Conducting both simulations and crisis plans is not just about integration of social media, but practicing complex incidents that may be rooted deep within layers of systems that are connected. Practices and drills should focus on tactics, techniques, and procedures with a risk management focus.

We are starting a new journey due to the Internet of Things that is only just beginning for security and privacy professionals. We have gone well beyond “Bring Your Own Device” – to a world where fraudsters and hackers are finding new ways to “Bring Down That Device.” Each IoT device is collecting data, accessing data, processing data, and we need secure ways to update that device to reduce risks when flaws are found or exploited. Bottom line, it will take time clear up the fear, uncertainty, and doubt for developing privacy and security programs in evolving to incorporate IoT and Big Data. Check in with the next blog that will explore the Data Bloat of Big Data.

Linnea Solem Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs