From the ‘Internet of Things’ to the ‘Internet of Risks’

The explosion of IoT and ‘smart’ devices is happening – like it or not – and it represents a clear and present cyber risk for the many organisations that are unaware of the latent vulnerabilities these devices bring with them. What to do about this expanding risk profile is the question.

Depending on which technology vendor or industry analyst you ask, there will be between 20 billion and 38 billion ‘smart’ and IoT devices in use by 2020.

More disconcerting still, security researchers estimate that a large proportion of these devices ship insecure – factory-default or hard-coded credentials, unauthenticated network services, and firmware that is never updated.

The explosive uptake of consumer IT devices is testing corporate and government cyber security capabilities, whether they arrive through shadow IT or under a formalised BYOD policy.

Fact is, those in the know are starting to raise red flags.

When the army of Smart Devices marches – beware

When large numbers of insecure, compromised devices are combined into a single, centrally controlled botnet, substantial cyber attacks stop being hypothetical. The recent record already makes the point, and there is more to follow:

  • In August 2017, roughly 465,000 pacemaker patients in the US were told to visit their doctor for a firmware update closing vulnerabilities that could allow an attacker to alter pacing or drain the battery – in other words, a potentially fatal outcome.
  • In October 2016, a botnet of hundreds of thousands of web cameras, digital video recorders and home routers – recruited simply by logging in with their factory-default passwords – mounted a massive denial of service attack on Dyn, a DNS provider that underpins a critical part of the Internet. The result was hours of major service interruption to the websites of Twitter, Amazon, Netflix and many others.
  • The discovery of a critical, remotely exploitable vulnerability affecting millions of IoT and smart devices that share a widely used open source software library.

A denial of service or a data breach is one thing. When the consequence is loss of life, the destruction of critical infrastructure or the theft of corporate assets, the risk is taken to another level entirely.

The IoT cyber risk will continue to escalate unless a ‘security first’, software-patchable approach is taken for all embedded ‘smart’ IoT devices – period.

‘Security by design’ – What security?

The problem is that many IoT devices are developed and sold without any ‘security-by-design’ approach at all.

Many – if not most – IoT devices have been developed and sold with time-to-market, sales revenue and innovation beating any security consideration hands down. The long tail of embedded devices that cannot be patched – because their ‘smarts’ sit in mask ROM or one-time-programmable memory, or because they simply ship with no update mechanism – is a real concern going forward.

In August 2017 a bipartisan group of US senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, which, if passed, would require vendors supplying internet-connected devices to the US government to certify that those devices are software patchable, free of known vulnerabilities and not reliant on hard-coded passwords.

IoT security 101

Here are a few critical pointers to get you started on the journey of mitigating the cyber risks inherent in IoT, ICS or embedded ‘smart’ technologies:

  1. Identify what needs protecting – that is, any IoT, network-enabled or embedded device which, if compromised, would jeopardise your business or the business of other stakeholders such as suppliers, customers or regulators. Don’t waste precious effort protecting what is not important.
  2. Identify whether these devices can be protected. For older (or even new) technologies that cannot be patched, consider replacement; if replacement is not feasible, segment and firewall them so that they can reach only the systems they genuinely need, and nothing can reach them that doesn’t need to.
  3. For core or critical devices, seek specific assurances (under NDA if needed) from your hardware supplier – and their suppliers, for that matter – to establish which layers (hardware, bootloader, operating system, application) can and cannot be patched, and for how long. Then develop, test and implement countermeasures.
  4. Establish ongoing protection regimes for all key IoT devices (monitoring, patch cadence, credential management), backed by cyber security and organisational (i.e. staff behavioural) policies that are regularly assessed for effectiveness.
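The four steps above lend themselves to a simple, repeatable triage. What follows is an added illustration, not code from the original article: a small Python script that applies steps 1 to 4 to a constructed device inventory, returns an action per device (monitor, patch-now, replace-or-isolate, maintain) and, for anything that cannot be patched, emits a default-deny nftables allowlist so the device can talk only to what it needs while it awaits replacement. Every device name, address, port and threshold is invented for the example, and the firewall rules assume a Linux gateway with an `inet filter` table whose `forward` chain has policy drop and an earlier `ct state established,related accept` rule.

```python
"""
Added example (not from the original article): the four 'IoT security 101'
steps applied to a small, constructed device inventory.  Produces a triage
decision per device and, for devices that cannot be patched, a default-deny
nftables allowlist so they can reach only the flows they need.
All device names, addresses and thresholds below are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Device:
    name: str
    ip: str
    critical: bool                  # step 1: would compromise jeopardise the business?
    patchable: bool                 # steps 2/3: does the vendor actually ship firmware updates?
    firmware_age_days: int          # days since the last firmware update was applied
    default_creds: bool = False     # still on factory credentials (the botnet's entry point)
    required_flows: List[str] = field(default_factory=list)  # "proto:dst_ip:port" it genuinely needs


# Assumed policy threshold for step 4; tune to your own risk appetite.
MAX_FIRMWARE_AGE_DAYS = 365


def triage(dev: Device) -> str:
    """Map one device to an action: monitor, patch-now, replace-or-isolate or maintain."""
    if not dev.critical:
        return "monitor"             # step 1: don't spend scarce effort here
    if not dev.patchable:
        return "replace-or-isolate"  # step 2: no patch path, so it must go or be fenced off
    if dev.default_creds or dev.firmware_age_days > MAX_FIRMWARE_AGE_DAYS:
        return "patch-now"           # steps 3/4: patchable, but currently exposed
    return "maintain"                # step 4: keep it under the regular regime


def isolation_rules(dev: Device) -> List[str]:
    """nftables rule bodies for an unpatchable device: permit only its required flows, drop all else.

    Assumes a 'forward' chain in an 'inet filter' table with policy drop, and an earlier
    'ct state established,related accept' rule so replies to permitted flows get through.
    Rules are returned in the order they must be added.
    """
    rules = []
    for flow in dev.required_flows:
        proto, dst, port = flow.split(":")
        rules.append(f"ip saddr {dev.ip} ip daddr {dst} {proto} dport {port} accept")
    # Drop anything else the device initiates, and anything (internet included) trying to reach it.
    rules.append(f"ip saddr {dev.ip} drop")
    rules.append(f"ip daddr {dev.ip} drop")
    return rules


def triage_inventory(devices: List[Device]) -> Dict[str, str]:
    """Step 1 applied across the whole inventory: a name -> action map."""
    return {d.name: triage(d) for d in devices}


# Constructed inventory: three devices with deliberately different risk profiles.
INVENTORY = [
    Device("boardroom-tv", "10.20.0.15", critical=True, patchable=True,
           firmware_age_days=540, default_creds=False,
           required_flows=["tcp:203.0.113.10:443"]),      # vendor update server only
    Device("lobby-camera", "10.20.0.31", critical=True, patchable=False,
           firmware_age_days=1800, default_creds=True,
           required_flows=["tcp:10.20.1.5:554"]),         # RTSP to the internal recorder only
    Device("kitchen-kettle", "10.20.0.77", critical=False, patchable=False,
           firmware_age_days=900),
]

if __name__ == "__main__":
    for name, action in triage_inventory(INVENTORY).items():
        print(f"{name:16s} {action}")
    for dev in INVENTORY:
        if triage(dev) == "replace-or-isolate":
            print(f"\n# nft rules to isolate {dev.name} until it is replaced:")
            for rule in isolation_rules(dev):
                print(f"nft add rule inet filter forward {rule}")
```

Run it and the boardroom TV comes out as patch-now (it is patchable but eighteen months behind), the lobby camera as replace-or-isolate with three nft rules that leave it able to stream only to the internal recorder, and the kettle as monitor: step 1 says not to spend effort there. The real inventory, of course, has to be discovered first; the point of the script is that once you know criticality and patchability, the decision for each device is mechanical.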

These four pointers are just the start.

After all, every one of your IoT cybersecurity measures may be undone when the voice-activated smart TV in your boardroom allows eavesdropping on your most sensitive commercial or strategic discussions.

Question: What IoT and ‘smart’ device sleeper cells exist in your organisation, and do they present a vulnerability which, when exploited, becomes your business risk?

Time to find out is now.


Business short-termism and digital transformation. What’s driving what?

Recent industry studies confirm that the phenomenon of short-termism is on the increase.

Short-termism describes a focus on short-term business goals at the expense of achieving long-term objectives. In certain cases this has been shown to undermine organisations’ longer-term value creation.

Fact is, short-termism is a …


How to ‘disrupt’ your own organisation without breaking it

Established organisations attempting to become more responsive and fast-moving in the face of increasing change and uncertainty need to overcome their own internal inertia.

How best to build this continuous, sustainable change capability, which underpins both efficiency and innovation, is the key question.

In the face of …


How to set up and lead a digital transformation capability

Presented at the University of Technology, Sydney’s DigiSAS Lab Seminar “Adaptive strategic journey management for leading digital transformation”, Rob explores:

  • Digital transformation scorecard
  • The current CIO landscape
  • CIOs leading enterprise digital transformation capabilities – why this is important and some of the critical success factors

The audio track …


Best practices to mitigate data breach risk

Data breach risk is real, and of increasing concern to business leaders, regulators and customers.

Audio of Rob Livingstone’s presentation at Trend Micro’s executive briefing events in Sydney and Melbourne, 5–6 June 2017, on Australia’s new mandatory data breach notification legislation.

Narrated slides are also available on YouTube:

Also available on Slideshare:…


Mandatory data breach reporting legislation and your Australian organisation: BAU?

Australia now joins the list of states and countries that have implemented – or are in the process of enacting – mandatory data breach legislation.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed in February 2017 and applies to organisations that meet specific criteria such as business size …


Forget hackers – Look within to find your greatest cyber risk.

Adverse cyber incidents are occurring with monotonous regularity and are routinely reported in the media. With the list of mega data breaches increasingly looking like the ‘who’s who’ of the corporate world, what chance do you really have in your business when it comes to protecting valuable information assets?

While …


The role of the data and analytics driven CFO in the new world of Big Data and Analytics

The data driven organisation is becoming the game changer for society. Similarly, the analytics and data driven CFO can be the game changer for your organisation.

Never before in recorded human history has it been possible to access massive amounts of data and information on demand – and from anywhere. …


Your Online Agreement: Got it all wrapped up?

The online agreement (and contract) underpins the online consumer and business world. If your organisation is offering online services to its customers or is using others’ online services, understanding its implications for you and your business is key – that is, if you are concerned about good governance, data jurisdiction, risk …


IT project failure? How bad news might just save your project and business

Organisations’ attempts at successfully implementing IT projects continue to struggle and fail. Industry research indicates that large IT projects are typically 45% over budget and deliver 56% less business value than originally promised. There is a whole raft of reasons contributing to these poor results. In this article I would …


Innovation – Forget the hype. What exactly does this look like for your business?

It goes without saying (but I’ll say it anyway), innovation appears to be the dominant ideology at the moment – and especially for those businesses wrangling with digital technologies in their attempts to remain competitive.

Whether Malcolm Turnbull’s ‘Ideas Boom’, the U.S. White House or China’s President Xi – we are …


Three ways to build an innovation capability into your organisation

Despite the explosive rate of innovative transformation in our world, how established organisations innovate themselves is another matter altogether. Establishing a sustainable innovation capability and culture in an established organisation is no easy task. That’s a fact, despite the hype.

The string of defunct or struggling organisations such …


SLA redefined for real results: Strategy, Leadership and Adaptability?

The SLA (Service Level Agreement) underpins vendor supply arrangements.

In a predictable world, SLAs make good sense, and with good justification: you just want your suppliers to live up to their agreed commitments. One would hope that the SLAs relating to airline safety are adhered to next time you fly.

So, …


Adapting for success: Efficiency, innovation or both?

Question: How do established organisations ‘innovate’? The answer, for the most part, is ‘with difficulty’.

Successful innovation within an established organisation is no trivial task, and it is made more challenging where innovation has never been part of the organisation’s culture or strategy.

Innovation means different things to different people, and is …


Leadership gaps in the new world of Digital and IT

Why are some organisations able to remain innovative, successful, viable and adaptable despite all that gets thrown at them? Simply put, it all comes down to leadership capability.

That new and innovative digital technologies continue to disrupt and reshape industries and organisations is old news.

What is news is …


Cybersecurity balancing act: Digitising your business in the face of uncertainty

As organisations face the inevitability of ‘digitisation’, the challenge of ensuring effective cybersecurity protection for your business is not getting any easier.

The messages being sent by a range of global consulting, analyst and technology vendor organisations – not to mention regulatory and government agencies – are consistent and increasingly …
