The explosion of IoT and ‘smart’ devices is happening – like it or not – and it represents a clear and present cyber risk for the many organisations that are unaware of the latent vulnerabilities these devices bring onto their networks. What to do about this expanding cyber risk profile is the question.
According to various IT tech firms and industry analysts, there will be between 20 Billion and 38 Billion ‘smart’ and IoT devices in use by 2020.
A disconcerting fact is that security researchers estimate that a large proportion of these ‘smart’ devices ship insecure: with default credentials, unpatched software and no update mechanism.
The explosive uptake of consumer IT devices is testing corporate and government cyber security capabilities, whether they arrive through Shadow IT or under a formalised BYOD policy.
Fact is, those in the know are starting to raise red flags.
When the army of Smart Devices marches – beware
When a sea of insecure, compromised devices is combined into a large, centrally controlled botnet, substantial cyber attacks become not just possible but routine, and each one demonstrates the technique to the next attacker.
- In August 2017, nearly half a million pacemaker patients in the US were told to visit their doctor for a firmware update that closed a remotely exploitable vulnerability – one whose exploitation could have been fatal.
- In October 2016, attackers used weak or default credentials on millions of commonly used devices, such as web cameras and internet-connected printers, to build a botnet and mount a massive denial of service attack against a major DNS provider, which resulted in major service interruptions to the websites of Twitter, Amazon, Netflix and others.
- In 2017, a critical, remotely exploitable vulnerability was found in a widely used open source software library embedded in millions of IoT and smart devices, each of which needs a vendor firmware update before it can be fixed.
A denial of service or a data breach is one thing. When the consequence is loss of life, the destruction of critical infrastructure or the theft of corporate assets, the risk is taken to another level.
The IoT cyberrisk will continue to escalate unless a ‘security first’, software patchable approach is taken for all embedded, ‘smart’ IoT devices – period.
‘Security by design’ – What security?
Problem is, the development and sale of many IoT devices fail to take a ‘security-by-design’ approach.
Many – if not most – IoT devices have been developed and sold with time-to-market, sales revenue and innovation beating any security consideration hands down. The long tail of embedded devices which are not patchable – that is, their firmware sits in read-only memory or ships with no update mechanism at all – is a real concern going forward, because every vulnerability found in them is permanent.
A bipartisan group of US senators has introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would require all vendors supplying internet-connected devices to the US government to ensure that the devices are software patchable and do not ship with hard-coded credentials.
IoT security 101
Here are a few critical pointers to get you started in the journey of mitigating the cyber risks inherent to IoT, ICS or embedded ‘smart’ technologies:
- Identify what needs protecting – that is, any IoT, network-enabled or embedded device which, if compromised, will jeopardise your business or the business of other stakeholders such as suppliers, customers or regulators. Don’t waste precious effort on trying to protect that which is not important.
- Identify whether these devices can be protected. For those older (or even new) technologies that cannot be patched, consider replacement; where replacement is not feasible, segment them onto their own network and firewall them with a default-deny policy that allows only the destinations they need.
- For core or critical devices, seek specific assurances (under NDA if needed) from your hardware supplier – and from their suppliers, for that matter – to establish which layers (application, firmware, bootloader, silicon) can and cannot be patched. Then develop, test and implement countermeasures for the layers that cannot.
- Establish ongoing protection regimes for all key IoT devices, backed by cyber security and organisational (i.e. staff behavioural) policies that are regularly assessed for effectiveness, and monitor what these devices actually talk to on the network, since an unexpected outbound connection is often the first sign of compromise.
These 4 pointers are just the start.
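The four pointers above are a procedure: build an asset register, decide a disposition per device, firewall what cannot be patched, and keep watching. The following is an added example of that procedure in code, not part of the original article. It triages a constructed asset register against constructed flow records (all device names, MAC addresses and IP addresses are hypothetical): devices that are not in the register are flagged as unknown, registered devices talking outside their allow-list are flagged, and unpatchable devices get default-deny egress rules derived from what they are permitted to reach.

```python
"""IoT triage over a constructed asset register and constructed flow records."""
import ipaddress
from collections import defaultdict

# Address ranges this (hypothetical) organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset register: what each device may talk to, and whether it can be patched.
INVENTORY = {
    "02:00:00:aa:00:01": {"name": "hvac-plc-1", "critical": True, "patchable": False,
                          "allowed_dst": {"10.0.5.10"}},                    # building-management server only
    "02:00:00:aa:00:02": {"name": "lobby-camera-3", "critical": False, "patchable": True,
                          "allowed_dst": {"10.0.5.20"}},                    # video recorder only
    "02:00:00:aa:00:03": {"name": "printer-l2", "critical": False, "patchable": True,
                          "allowed_dst": {"10.0.5.30", "203.0.113.9"}},     # print server + vendor telemetry
}

# Constructed flow records: (src_mac, src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("02:00:00:aa:00:01", "10.0.7.11", "10.0.5.10", 502, "tcp"),       # PLC -> BMS, expected
    ("02:00:00:aa:00:01", "10.0.7.11", "198.51.100.7", 443, "tcp"),    # PLC -> internet, not expected
    ("02:00:00:aa:00:02", "10.0.7.12", "10.0.5.20", 554, "tcp"),       # camera -> recorder, expected
    ("02:00:00:aa:00:03", "10.0.7.13", "203.0.113.9", 443, "tcp"),     # printer -> vendor, allowed
    ("02:00:00:aa:00:09", "10.0.7.44", "198.51.100.50", 8883, "tcp"),  # unregistered device -> internet
    ("02:00:00:aa:00:09", "10.0.7.44", "10.0.5.10", 502, "tcp"),       # unregistered device probing the BMS
]


def is_external(ip):
    """True when the address lies outside every organisation-internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def disposition(asset):
    """Step 2 of the procedure: what to do with a device, given whether it can be patched."""
    if asset["patchable"]:
        return "patch and monitor"
    if asset["critical"]:
        return "replace, or isolate behind an allow-list firewall"
    return "isolate behind an allow-list firewall"


def triage(inventory, flows):
    """Compare observed flows with the register. Returns (findings by kind, disposition per asset)."""
    findings = defaultdict(list)
    for src_mac, src_ip, dst_ip, dst_port, proto in flows:
        asset = inventory.get(src_mac)
        if asset is None:
            # Steps 1 and 4: a device nobody registered is a 'sleeper cell' until proven otherwise.
            findings["unknown_device"].append((src_mac, src_ip, dst_ip, dst_port))
            continue
        if dst_ip not in asset["allowed_dst"]:
            kind = "external_egress" if is_external(dst_ip) else "unexpected_internal"
            findings[kind].append((asset["name"], dst_ip, dst_port, proto))
    plan = {asset["name"]: disposition(asset) for asset in inventory.values()}
    return dict(findings), plan


def allowlist_rules(inventory, flows):
    """Step 2, firewall branch: default-deny egress rules for every unpatchable registered device.

    The device's source address is taken from the flows so the rules match what is actually on the wire.
    Rule syntax is a neutral 'allow/deny src -> dst' form, to be translated to the local firewall.
    """
    src_ip_by_mac = {mac: ip for mac, ip, *_ in flows}
    rules = []
    for mac, asset in inventory.items():
        if asset["patchable"] or mac not in src_ip_by_mac:
            continue
        src = src_ip_by_mac[mac]
        rules.extend(f"allow {src} -> {dst}" for dst in sorted(asset["allowed_dst"]))
        rules.append(f"deny {src} -> any")
    return rules


if __name__ == "__main__":
    found, plan = triage(INVENTORY, FLOWS)
    for kind, items in found.items():
        for item in items:
            print(f"{kind}: {item}")
    for name, action in plan.items():
        print(f"{name}: {action}")
    print("\n".join(allowlist_rules(INVENTORY, FLOWS)))
```

Run against the constructed data, the unpatchable PLC is caught talking to the internet and gets a replace-or-isolate disposition plus a two-line allow-list, and the unregistered device shows up twice, once reaching the internet and once probing the building-management server. In a real deployment the flow records would come from the switch, firewall or a NetFlow collector, and the register from the asset database.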
After all, all your IoT cybersecurity measures may be undone when the voice-activated Smart TV in your boardroom allows eavesdropping on your most sensitive commercial or strategic discussions.
Question: What IoT and ‘smart’ device sleeper cells exist in your organisation, and do they present a vulnerability which, when exploited, becomes your business risk?
Time to find out is now.
Recent industry studies confirm that the phenomenon of short term-ism is on the increase.
Short term-ism describes the focus on short-term business goals at the expense of achieving long-term objectives. This has been shown to undermine organisations’ longer term value creation in certain cases.
Fact is, short term-ism is a …
Established organisations attempting to become more responsive and fast moving in the face of increasing change and uncertainty, need to overcome their own internal inertia.
How best to approach the challenge of building this continuous, sustainable change capability, that underpins both efficiency and innovation, is key.
In the face of …
Presented at the University of Technology, Sydney’s DigiSAS Lab Seminar “Adaptive strategic journey management for leading digital transformation“, Rob explores:
Digital transformation scorecard,
The current CIO landscape,
CIOs leading enterprise digital transformation capabilities – why this is important and some of the critical success factors
The audio track …
Data Breach Risk is real, and of increasing concern to business leaders, regulators and customers.
Audio of Rob Livingstone’s presentation at Trend Micro’s Executive briefing events Sydney and Melbourne 5-6 June 2017 on Australia’s new Mandatory Data Breach Notification legislation.
Narrated slides also available in YouTube:
Also available on Slideshare:…
Australia now joins the list of states and countries which have implemented – or are in the process of enacting – mandatory data breach legislation.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed in February 2017 which applies to organisations that meet specific criteria such as business size …
Adverse cyber incidents are occurring with monotonous regularity and are routinely reported in the media. With the list of mega-data breaches increasingly looking like the ‘whose-who’ of the corporate world, what chance do you really have in your business when it comes to the protection of valuable information assets?
The data driven organisation is becoming the game changer for society. Similarly, the analytics and data driven CFO can be the game changer for your organisation.
Never before in recorded human history has it been possible to access massive amounts of data and information on demand – and from anywhere. …
Business leaders are now spoilt for choice when it comes to the selection and adoption of new technologies for their organisations – or so it seems.
The widespread prevalence of the Shadow IT phenomenon is proof positive that the organisation’s own IT department is no longer the sole source …
The Online Agreement (and contract) underpins the online consumer and business world. If your organisation is offering online services to its customers or is using other’s online services, understanding its implications for you and your business is key. That is, if you are concerned about good governance, data jurisdiction, risk …
Shadow IT – a term used to describe the proliferation of locally implemented IT systems without enterprise governance oversight – is now a fact of life in most organisations. Problem is that the benefits and the risks of shadow IT can both be significant.
Shadow IT may fill a local business …
Organisations’ attempts at successfully implementing IT projects continue to struggle and fail. Industry research indicates that large IT projects are typically 45% over budget and deliver 56% less business value than originally promised. There is a whole raft of reasons contributing to these poor results. In this article I would …
Cyber insurance is becoming big business. According to one recent global industry survey, business cyber incidents rank third highest of the top 10 Global Business Risks for 2016, up 17% on the previous year.
This increase should come as no surprise to business leaders or industry bodies as the wholesale …
It goes without saying (but I’ll say it anyway), innovation appears to be the dominant ideology at the moment – and especially for those businesses wrangling with digital technologies in their attempts to remain competitive.
Whether Malcolm Turnbull’s ‘Ideas Boom’, U.S. White House or China’s President Xi – we are …
Despite the explosive rate of innovative transformation in our world, how established organisations innovate themselves is another matter altogether. Establishing a sustainable innovation capability and culture into your organisation is no easy task for established organisations. That’s a fact, despite the hype.
The string of defunct or struggling organisations such …
The SLA (Service Level Agreement) underpins vendor supply arrangements.
In a predictable world, SLAs make good sense. You just want your suppliers to live up to their agreed commitments. With good justification. One would hope that the SLAs relating to airline safety are adhered to next time you fly.
Would you invest in a business that had compromised corporate governance? What about a supplier of critical products or services?
More importantly, viewed through the eyes of your customers, what value do you put on ‘trust’ – that which results from effective internal controls?
These and similar questions are frequently …
Question: How do established organisations ‘Innovate’? The answer is, for the most part, – ‘With Difficulty’
To successfully innovate within established organisations is no trivial task, made more challenging where innovation has never been part of the organisation’s culture or strategy.
Innovation means different things to different people, and is …
Why are some organisations able to remain innovative, successful, viable and adaptable despite all that gets thrown at them? Simply put, it all comes down to leadership capability.
That new and innovative digital technologies continue to disrupt and reshape industries and organisations is old news.
What is news is …
As organisations face the inevitability of ‘digitisation’, the challenge of ensuring effective cybersecurity protections for your business is not becoming any easier.
The messages being sent by a range of global consulting, analyst and technology vendor organisations – not to mention regulatory and government agencies – are consistent and increasingly …