Issue: North America I 2016
Article no.: 7
Topic: Six steps to managing IoT risks in the workplace
Author: Robert Clyde
Title: CISM, ISACA International VP & Board Director; Xbridge Systems, Board Director; Managing Director, Clyde Consulting LLC
Organisation: Information Systems Audit and Control Association (ISACA)

About author

Robert Clyde, CISM, is international vice president of ISACA, managing director of Clyde Consulting LLC, a director on the Board of Zimbra, a leader in community and collaboration software, and a director on the board of Xbridge Systems, a leader in data discovery software. He chairs a board-level ISACA working group and has served as a member of ISACA’s Strategic Advisory Council, Conference and Education Board and the IT Governance Institute (ITGI) Advisory Panel.
Previously, he was CEO of Adaptive Computing, which provides workload management software for some of the world’s largest cloud, HPC, and Big Data environments. Prior to founding Clyde Consulting, he was chief technology officer (CTO) at Symantec.
Clyde is a frequent speaker at ISACA conferences and for the National Association for Corporate Directors (NACD). He also serves on the industry advisory council for the MIS Department of Utah State University.

Article abstract

Business-to-business use of IoT devices is expected to expand from 1.2 billion in 2015 to 5.4 billion connected devices worldwide by 2020, according to ABI Research for Verizon. The total estimated number of connected IoT devices is expected to top 30 billion worldwide by 2020, according to a recent McKinsey & Company report.
The sheer number of devices and related apps is not the problem, however. The real issue is notoriously poor—if not nonexistent—security measures.

Full Article

The Internet of Things (IoT), which includes connected phones, watches, thermostats, TVs, fire alarms and much more, offers individuals and enterprises almost unimaginable potential for making the lives of North Americans better and helping businesses succeed on many levels. From an organizational standpoint, however, IoT is also rife with potentially devastating security vulnerabilities.
Many IoT Devices Lack Sufficient Security Measures
Business-to-business use of IoT devices is expected to expand from 1.2 billion in 2015 to 5.4 billion connected devices worldwide by 2020, according to ABI Research for Verizon. The total estimated number of connected IoT devices is expected to top 30 billion worldwide by 2020, according to a recent McKinsey & Company report.
The sheer number of devices and related apps is not the problem, however. The real issue is notoriously poor—if not nonexistent—security measures. IoT security is an issue many IT professionals around the world believe could bring significant consequences to revenue and reputation, if proper security measures are not instituted and followed by business IoT device users. As the popularity of IoT devices explodes, so too will the importance of ensuring mainframe security and data protection. As discussed in an article by Allan Zander, the mainframe will often be used for the background processing for IoT. It is an interesting point that many may not have considered.
Half of the nearly 3,000 North American business and IT professionals surveyed in ISACA’s 2015 IT Risk/Reward Barometer say their IT department is not aware of all of the organization’s connected IoT devices, yet 73 percent believe the likelihood of being hacked through such a device is medium or high. At the same time, 78 percent say that IoT device manufacturers do not implement sufficient security measures. Half of the North American professionals polled said their organization’s bring your own device (BYOD) policy did not address wearable tech. Nearly 20 percent said their organization didn’t even have a BYOD policy.
With such potential, it would be foolish—and potentially devastating to the business—to ban IoT devices from the workplace altogether. What does need to occur is twofold: the makers of smart devices must build data security and privacy controls into their gadgets, and all organizations must ensure their employees are following established parameters and rules around the use of IoT devices at work.
Six ways to make IoT devices safer at work
Here are six suggestions for making IoT devices safer for work use:
1. Network segregation for IoT devices—One of the biggest concerns with IoT connected devices is that, because so few security standards are typically built into the devices and their apps, they can easily be hacked into, exposing your entire network, as well as any other connected devices, to cybercriminals. It is a major concern for businesses. We do not know which devices are safe and protected and which are not, so it is best to assume most are not. To mitigate this risk, organizations need to use network segregation to completely separate the Wi-Fi or Internet network used by IoT devices from the network that is used for the rest of the business’s systems. Doing this may take away somewhat from IoT conveniences, but that is a small price to pay for protecting your data.

2. Protect passwords and ensure access control—Weak IoT security measures can make it easy for hackers to steal passwords. If the password is for the system controlling a significant infrastructure asset, such as a dam, sewage treatment facility, electrical grid or similar system, it could wreak havoc of epic proportions. This is what people talk about when they use the term Cyber Armageddon.

It happened in Australia, when a disgruntled job applicant caused 800,000 liters of raw sewage to spill into local parks, rivers and a hotel by accessing the treatment system’s computers and altering electronic data that ultimately caused pumping stations to malfunction. North America hasn’t seen that level of physical damage from a hack, but in a recent ‘friendly’ event Washington State National Guard hackers demonstrated that they could hack into a county public utility district computer in just 22 minutes via an email. Additionally, numerous pipeline operators and energy companies throughout North America have been the subject of hacking incidents in recent years.

Imagine a hacker taking out a nation’s energy grid for days. Backup batteries would be depleted, fuel for generators might run out, security systems would go down giving free access to buildings. It is potentially a monumental issue that could cost lives, cause financial ruin, and threaten society’s ability to sustain itself.

Many IoT devices are controlled through the cloud. This is convenient because the device can be controlled and used from anywhere, but it also raises security concerns. For example, if an administrative password is stolen en route to the cloud, it could present a serious security problem. Therefore, it is a good idea to place increased importance on monitoring network traffic to ensure passwords are safe as they move to and from the cloud.
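Steps 1 and 2 above call for keeping IoT devices on their own segment and for watching the traffic that carries credentials to cloud controllers. As an added example that is not from the article, the following Python checks constructed flow records against an assumed address plan and flags the two conditions a defender would alert on: an IoT device reaching a business segment, and an IoT device talking to an outside host over a protocol that carries passwords in cleartext. The subnets, port list and sample flows are all assumptions constructed for this illustration.

```python
import ipaddress

# Constructed address plan (an assumption, not from the article):
# IoT devices get their own segment; business systems live elsewhere.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
BUSINESS_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16"),
                     ipaddress.ip_network("10.30.0.0/24")]
# Ports on which a password crosses the wire unencrypted
# (1883 is MQTT without TLS; the TLS port is 8883).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}


def check_flows(lines):
    """Return (src, dst, dport, reason) for IoT-originated flows that either
    cross into a business segment or carry credentials in cleartext to a
    host outside the IoT segment (e.g. a cloud controller)."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src_s, dst_s, dport_s, _proto = line.split()   # constructed record format
        src, dst, dport = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s), int(dport_s)
        if src not in IOT_SEGMENT:
            continue  # only traffic originating on the IoT segment is policed here
        if any(dst in net for net in BUSINESS_SEGMENTS):
            findings.append((src_s, dst_s, dport,
                             "segregation: IoT device reached business segment"))
        elif dst not in IOT_SEGMENT and dport in CLEARTEXT_PORTS:
            findings.append((src_s, dst_s, dport,
                             f"cleartext {CLEARTEXT_PORTS[dport]} to external endpoint"))
    return findings


# Constructed sample flows: src dst dport proto. 203.0.113.x and
# 198.51.100.x (documentation ranges) stand in for cloud controllers.
SAMPLE_FLOWS = """
10.20.4.17 203.0.113.10 443 tcp
10.20.4.17 203.0.113.10 80 tcp
10.20.9.2 10.10.0.25 445 tcp
10.20.9.2 198.51.100.7 1883 tcp
10.10.0.25 203.0.113.10 80 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, port, reason in check_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {reason}")
```

Feeding the checker real flow exports instead of the constructed lines would give a segmentation audit that runs continuously rather than once at network design time.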

3. Security updates/patches—We love to believe we can make things perfect the first time, but the essence of cybersecurity is that there is a third actor—the bad guy—who is as innovative as we are and who is trying to beat us. It is imperative that the security measures of IoT devices be up-to-date. A big part of that is having those updates applied automatically so there is no lag between the issuance of a security update and the actual updates being performed on IoT devices. Automating this process is key.

IoT device manufacturers also need to automatically deploy security patches and updates. It is also critical that when manufacturers add new functionality to an IoT device, it will work in the organization’s environment. Again, it is imperative that security updates be passed through automatically, while making sure that all other features and updates are not applied automatically. This calls for a nuanced update process that treats security patches differently from every other kind of update.

4. Social Media: Make it opt-in—Since tools like Facebook and Twitter do not require new hardware or software from the IT department, they can be easily introduced by a business unit, marketing team or individual employees, bypassing the normal safeguards and risk assessment provided by IT, human resources and the legal department.

A big benefit—and a significant vulnerability—of IoT devices is that they share information with social media. This can result in a number of security risks, including: 1) Increased risk of exposure to viruses and malware; 2) Employee use of company-supplied mobile devices to access social networking sites can result in infection of mobile devices, data theft and data leakage (the unauthorized transfer of classified information from a computer or datacenter); and, 3) The bypassing of enterprise controls.

Employees and consumers may end up inadvertently sharing personal information that could be used to track their activity and location, help steal their identity, or be used against them in some fashion. So any sharing with social media needs to be opt-in, not opt-out. IoT devices should not share by default.

5. The Internet of Sensors—IoT devices are not just passive machines that happen to be connected to the Internet; they are sensor-laden tools that collect data and send it back to the manufacturer through the cloud or Internet. Using big data analytics, the data collected by these IoT sensors can be a very powerful tool that provides a wide variety of significant benefits and also some potential downsides.

For example, using the data collected by sensors, a connected thermostat could recommend settings to improve efficiency and cut heating and cooling costs. There can be a huge social benefit to this sort of use, creating a virtuous cycle in which everyone competes to use less energy. An IoT thermostat can tell you what you need to do to get into the top 30 percent of your area’s most efficient energy users. And when everyone competes, the energy consumption bar continues to rise, helping to further improve a region’s energy efficiency.

However, what if someone wants to learn who the highest energy consumers are? A hacktivist group could find that data (and other information) and publish it.

The Internet of sensors presents some very real security concerns. Companies must be careful what they do with the data, and data sharing from the devices they produce should be opt-in, limited to those who want to provide that data. Any data collected also must not identify individuals or companies. The data should be anonymized. Symantec’s antivirus software, for example, provides an opt-in to share individual information that goes to an intel network that ultimately helps make everyone more secure. The information, however, is anonymous, free of identifying data, so that it cannot be traced back to individuals or companies.
6. Develop your cybersecurity workforce and promote a culture of security—With all of these potential IoT security issues it has never been more important to have a skilled cyber workforce and a strong security culture through awareness programs and training. That has been an ongoing challenge.
According to ISACA’s January 2016 Cybersecurity Snapshot of more than 850 U.S. IT professionals, 53 percent of those with plans to hire expected it would be difficult to find skilled cybersecurity candidates. Fifty-nine percent believe it will be difficult to identify who has an adequate level of skills and knowledge. Eighty-two percent would be more likely to hire a cybersecurity job candidate who holds a performance-based certification, such as ISACA’s Cybersecurity Nexus (CSX) training, exams and certifications. CSX’s offerings will go a long way in developing your cybersecurity workforce and culture of security.

Future of IoT very bright
While there are real risks that need to be managed, the future of the IoT in North America and the world could not be brighter or more exciting. As with all technology, it is critical to balance the benefits of IoT devices with the risks. That means taking the necessary steps—as outlined above—to help ensure that your devices, networks and data are secure. If you and your organizations take these steps, you could reap many of the good things IoT can bring and go a long way in preventing many potential security risks.