If you haven’t noticed the huge ransomware risk that has swept the globe in recent months, you must have been living under a rock. You know all about human error and the importance of internal access segregation, and you’ve probably discussed — and have hopefully implemented — staff training about phishing emails. You’ve likely spoken to your customers about a BYOD (bring your own device) policy, MDM (mobile device management), and putting up big digital walls externally and internally around their data, with little need-to-know doors, the keys to which are held only by the relevant people.
But, according to a new survey of 553 executives published by the Shared Assessments Program, there is one thing companies aren’t asking about. There is a big gaping hole in most companies’ reactive and proactive cyber defence strategies (and if you think it sounds like I’m talking about a wartime siege, it’s because your customers are under attack, and this is a war), and that hole is Internet of Things-shaped.
IoT blind spot
Despite rampant IoT (Internet of Things)-related attacks, 67 percent of businesses are not evaluating IoT security and privacy practices before engaging in a business relationship, with a full 77 percent also admitting to not considering IoT-related risks in third-party due diligence. It’s not surprising, then, that only 44 percent of companies think their organisation is able to protect their network or enterprise from risky IoT devices.
In fact, most survey respondents appear fatalistic about IoT security. More than three quarters say a DDoS (distributed denial-of-service) attack involving an unsecured IoT device is likely to occur within the next two years. And it seems commonly understood that this would either destroy or severely jeopardise a business: 94 percent of those surveyed noted that such an attack would be likely to prove catastrophic.
In business today, moving forward with IoT-related projects is pretty much unavoidable. While the technology involved in an IoT project may seem relatively straightforward, the risks that those projects represent can be nothing less than massive.
Levels of vulnerability to attack vary hugely, and risk mitigation is almost impossible; but as we’ve established, you probably already knew this. Contrary to popular belief, though, that doesn’t mean all is lost.
Management not mitigation
Home truths time: You need to move away from the mindset that cybersecurity is a problem that can be solved rather than a process that needs to be maintained. Cybercrime is here, and no matter what you do, it’s here to stay. It’s far too lucrative a business for sophisticated criminals to simply give up because we invented a new firewall or phishing defence technology.
The constant state of flux that is the IT industry means everything is up for grabs from both sides of this battle. No matter what cybersecurity experts or you and your team do, there is someone working equally hard on the other side to undo that work.
What you need to know now is what level of specific risk you’ll face when moving an IoT application into production. The first step in determining that risk is, of course, figuring out what types of attacks might be launched.
The bottom line is that risk is involved in everything, and adopting technology is no different. If you’re a business executive, you’ll habitually weigh risk against opportunity, but you will always go to some lengths to get as good a handle on that risk as possible.
The real issue, of course, is making sure that you and your customers are applying the right calculus for determining those IoT risks.