CIO Magazine recently distributed an email promoting its “FutureEdge 50 Awards” with a playfully sinister line: I know what you did last summer… in IT… during the pandemic. Now get rewarded for your work.
The plug is a reference to the campy late-‘90s slasher flick. The award recognizes organizations for “pushing the edge with new technologies to advance their business for the future.” Thanks to 2020’s massive work-from-anywhere (WFA) migration and ever-increasing digitalization, most organizations are pushing the edge when it comes to adopting new technologies, including those related to the Internet of Things (IoT).
Unfortunately, the accelerating pace of IoT usage inside companies and among their vendors frequently extends far beyond the boundaries of prudent data security and third party risk management practices. Failing to keep up could produce some spine-tingling IoT scenes in the coming months.
The best way to avoid these horror scenes is to close IoT awareness and security knowledge gaps. In the past six months or so, we’ve witnessed some commendable efforts to acquire and benchmark IoT security practices in more industries. Shared Assessments and the Ponemon Institute were able to share the results of our “Third Party IoT Risk Management – The Critical Need to Elevate Accountability, Authority and Engagement” survey report with the CISOs and other members of the Retail and Hospitality – Information Security Analysis Center (RH-ISAC) and the Automobile – Information Security Analysis Center (Auto-ISAC), both of which are focused on raising awareness and mitigation of IoT-related security risks. More awareness, discussion, collaboration, consumer education and solutions are needed across all industries.
The following trends and issues serve as pivot points for supply chain and third party risk management (TPRM) professionals looking to boost their IoT security knowledge – and their company’s capabilities:
- IoT adoption cuts across all industries: When it comes to IoT adoption, a few industries seem light years ahead of others. Retail, hospitality, consumer goods and car manufacturers, for example, are currently figuring out how to integrate miniature satellites – known as “cubesats” or “nanosats” – into their networks. This extraterrestrial IoT capability will give logistics providers real-time visibility into the precise location of specific shipping containers even as they cross oceans. Other industries may not have hit upon such space-age use cases just yet, but companies of all sizes in most industries continue to access more and more data from sensors embedded in a growing collection of devices, machinery, buildings and other hosts. “No industry is immune from IoT risks,” notes Rocco Grillo, managing director of global cyber risk services for Alvarez & Marsal. “While the proliferation and consumerization of embedded technology, including IoT devices, continues to evolve at a rampant pace, new security vulnerabilities and exposures are continually introduced.”
- Tone at the top and funding are crucial enablers: A pervasive lack of IoT risk management understanding and involvement among boards of directors and senior executive teams figures as one of the largest impediments to improvement, according to the Third Party Internet of Things (IoT) Risk Management study. While boards and C-suites tend to get engaged after their company endures a costly cyber breach due to an IoT security breakdown, information security teams and TPRM groups should pressure senior leaders to engage before a breakdown occurs. “You need that proverbial tone at the top – that governance and executive sponsorship – to make this work,” Grillo notes. He also challenges TPRM and cybersecurity teams to make the case for more IoT risk management funding and headcount by sharing survey data and news reports of IoT security lapses with senior leaders. If that sounds like a hard sell, Grillo suggests taking an instructive glimpse into the rear-view mirror: “How many companies had a comprehensive third party risk management program 10 years ago?”
- Tactical improvements should target segmentation and micro-segmentation: Organizations with effective IoT risk management programs bolster their security with network segmentation. The approach splits their networks into smaller subsections to give security teams more visibility into, and control over, the flow of data between devices and systems. By adding virtual local area networks (VLANs) to the mix and adjusting firewall rules, organizations can further separate IoT access from IT assets – activities that a Palo Alto Networks – Unit 42 IoT threat report identifies as a key driver of IoT security improvement. According to that report, however, companies continue to struggle to implement and improve leading IoT security practices: 24% of responding IT leaders indicate that their companies have not yet segmented IoT devices onto a network separate from the one they use for primary devices and critical business applications. That’s a problem, according to Larry Ponemon of The Ponemon Institute. “The keyword is no longer segmentation — it’s microsegmentation,” he points out. Relatively few organizations have introduced the new term to their lexicons, notes Palo Alto Networks Vice President, Threat Intelligence (Unit 42) Ryan Olson. Olson points to the fact that only 21% of IT decision-makers surveyed by his company have implemented microsegmentation to contain IoT devices in tightly controlled security zones. Prior to implementing microsegmentation, organizations need to gain visibility into the expanding collection of IoT devices on their networks and within their third parties. Other basic IoT security steps can also help notch significant gains, including three identified in the Palo Alto Networks report: adopting secure password practices, completing security patches and software updates when available, and continuously monitoring IoT devices.
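To make the difference between zone-level segmentation and microsegmentation concrete, here is an added example (written for this page; it is not code from the Palo Alto Networks or Ponemon reports, nor from any vendor product). It keeps a small device inventory, expresses a coarse VLAN/firewall zone policy and a per-device microsegmentation allowlist, and evaluates constructed flow records against both. Every device name, IP address, port and flow line in it is constructed for illustration. Two things fall out of the comparison: flows that a flat IoT VLAN would permit but a per-device policy would block (lateral movement between IoT devices), and flows from devices the inventory does not know about, which is the visibility gap the passage says must be closed before microsegmentation can work.

```python
"""Added example: zone segmentation vs. per-device microsegmentation, checked
against constructed flow records, with un-inventoried devices surfaced.
All names, addresses, ports and flow lines are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: IP -> (device name, zone). "iot" and "it" would be
# separate VLANs behind a firewall; "mgmt" is the IoT management segment.
INVENTORY = {
    "10.10.0.5":  ("hvac-controller-1", "iot"),
    "10.10.0.9":  ("lobby-camera-2",    "iot"),
    "10.10.0.12": ("badge-reader-3",    "iot"),
    "10.20.0.4":  ("finance-db-1",      "it"),
    "10.20.0.7":  ("erp-app-1",         "it"),
    "10.30.0.2":  ("iot-mgmt-gw",       "mgmt"),
}

# Coarse segmentation: which zone may initiate traffic to which zone.
# Intra-zone traffic (iot -> iot) is allowed, as it is on a flat VLAN.
ZONE_POLICY = {
    ("iot", "iot"), ("iot", "mgmt"), ("mgmt", "iot"),
    ("it", "it"), ("mgmt", "it"),
}

# Microsegmentation: each IoT device gets its own allowlist of (dst IP, port).
# Devices without an entry fall back to the zone policy.
MICRO_POLICY = {
    "hvac-controller-1": {("10.30.0.2", 8883)},   # MQTT over TLS to the gateway
    "lobby-camera-2":    {("10.30.0.2", 554)},    # RTSP to the gateway only
    "badge-reader-3":    {("10.30.0.2", 443)},    # HTTPS to the gateway only
}

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed 'src=... dst=... dport=...' record; None if malformed."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m.group(1), m.group(2), int(m.group(3)))


def zone_of(ip: str) -> str:
    """Zone from the inventory; 'unknown' marks a device the inventory missed."""
    return INVENTORY.get(ip, (None, "unknown"))[1]


def zone_verdict(flow: Flow) -> str:
    """Coarse VLAN/firewall decision: allow, deny, or unknown-device."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "unknown-device"
    return "allow" if (src_zone, dst_zone) in ZONE_POLICY else "deny"


def micro_verdict(flow: Flow) -> str:
    """Per-device decision; devices without an allowlist inherit the zone verdict."""
    name = INVENTORY.get(flow.src, (None, None))[0]
    if name in MICRO_POLICY:
        return "allow" if (flow.dst, flow.dport) in MICRO_POLICY[name] else "deny"
    return zone_verdict(flow)


def evaluate(lines):
    """Return per-flow verdicts, flows only microsegmentation blocks, and inventory gaps."""
    results, gaps, unknown = [], [], []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        z, m = zone_verdict(flow), micro_verdict(flow)
        results.append({"flow": flow, "zone": z, "micro": m})
        if z == "unknown-device":
            unknown.append(flow)            # visibility gap: fix the inventory first
        elif z == "allow" and m == "deny":
            gaps.append(flow)               # lateral movement a flat IoT VLAN permits
    return {"results": results, "micro_only_blocks": gaps, "unknown_devices": unknown}


# Constructed flow records, in the shape a firewall or NetFlow collector might emit.
SAMPLE_FLOWS = [
    "src=10.10.0.9 dst=10.30.0.2 dport=554",    # camera -> gateway: legitimate
    "src=10.10.0.9 dst=10.10.0.5 dport=22",     # camera -> HVAC SSH: intra-VLAN lateral move
    "src=10.10.0.5 dst=10.20.0.4 dport=1433",   # HVAC -> finance DB: blocked by zone rule
    "src=10.10.0.77 dst=10.20.0.4 dport=445",   # device not in inventory: visibility gap
    "src=10.20.0.7 dst=10.20.0.4 dport=5432",   # ERP -> finance DB: normal IT traffic
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_FLOWS)
    for r in report["results"]:
        f = r["flow"]
        print(f"{f.src:>11} -> {f.dst}:{f.dport:<5} zone={r['zone']:<14} micro={r['micro']}")
    print("blocked only by microsegmentation:", len(report["micro_only_blocks"]))
    print("flows involving un-inventoried devices:", len(report["unknown_devices"]))
```

Run on the constructed records, the camera-to-HVAC SSH flow is the one coarse segmentation allows and the per-device allowlist denies, and the flow from 10.10.0.77 is reported as an inventory gap rather than judged against either policy, since no policy can be written for a device nobody knows is there.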
These steps are much easier to execute when boards and executive teams understand the nature of IoT security risks – something that can be accomplished by sharing impactful stories and startling real-world IoT related incidents.