From the ‘Internet of Things’ to the ‘Internet of Risks’

The explosion of IoT and ‘smart’ devices is happening – like it or not – and this represents a clear and present cyber-risk for many organisations that are unaware of the latent cybersecurity vulnerabilities that they present. What to do about this expanding cyber risk profile is the question.

According to various IT tech firms and industry analysts, there will be between 20 Billion and 38 Billion ‘smart’ and IoT devices in use by 2020.

A disconcerting fact is that security researchers estimate that a large percentage of these ‘smart’ devices are insecure.

The explosive uptake of consumer IT devices is testing corporate and government cyber security capabilities, whether through Shadow IT or formalised BYOD policies.

Fact is, those in the know are starting to raise red flags.

When the army of Smart Devices marches – beware

When a sea of insecure, compromised devices combines into a formidable, highly coordinated, globalised bot-net army, substantial cyber attacks become increasingly likely, with more to follow.

  • In October 2016, hackers used vulnerabilities in millions of commonly used devices, such as web cameras and internet connected printers, to mount a massive denial of service attack on a critical part of the Internet, which resulted in major service interruptions to the websites of major companies including Twitter, Amazon, Netflix and others.
  • The discovery of a critical, remotely exploitable vulnerability affecting millions of IoT and smart devices that utilise a widely used open source software library.

A denial of service, or data breach is one thing. When there is loss of life and the destruction of critical infrastructure or theft of corporate assets, the risks are taken to another level.

The IoT cyber risk will continue to escalate unless a ‘security first’, software patchable approach is taken for all embedded, ‘smart’ IoT devices – period.

‘Security by design’ – What security?

Problem is, the development and sale of many IoT devices fail to take a ‘security-by-design’ approach.

Many – if not most – IoT devices have been developed and sold with time-to-market, sales revenue and innovation beating any security considerations hands down. The long tail of embedded devices which are not patchable – that is, their ‘smarts’ are burned into the silicon chips – is a real concern going forward.

A number of bipartisan US senators have tabled the Cybersecurity Improvement Act of 2017, which will force all vendors supplying internet-connected devices to the US government to ensure that they are software patchable.

IoT security 101

Here are a few critical pointers to get you started in the journey of mitigating the cyber risks inherent to IoT, ICS or embedded ‘smart’ technologies:

  1. Identify what needs protecting – that is, any IoT, network enabled or embedded device which, if compromised, will jeopardise your business, or the business of other stakeholders such as suppliers, customers or regulators. Don’t waste precious effort on trying to protect that which is not important.
  2. Identify if these devices can be protected. For those older (or even new) technologies that cannot be patched – consider replacement, or firewall these appropriately if replacement is not feasible.
  3. For core or critical devices, seek specific assurances (under NDA if needed) from your hardware supplier (and their suppliers, for that matter) to assess what layers can and cannot be patched. Then develop, test and implement countermeasures.
  4. Establish ongoing protection regimes for all key IoT devices, backed by cyber security and organisational (i.e. staff behavioural) policies that are regularly assessed for effectiveness.

These 4 pointers are just the start.

After all, all your IoT cybersecurity measures may be undone when your voice activated boardroom Smart TV allows eavesdropping on your most sensitive commercial or strategic discussions.

Question: What IoT and ‘smart’ device sleeper cells exist in your organisation, and do they present a vulnerability which, when exploited, becomes your business risk?

Time to find out is now.


Business short term-ism and digital transformation. What’s driving what?

Recent industry studies confirm that the phenomenon of short term-ism is on the increase.

Short term-ism describes the focus on short-term business goals at the expense of achieving long-term objectives. This has been shown to undermine organisations’ longer term value creation in certain cases.

Fact is, short term-ism is a …


How to ‘disrupt’ your own organisation without breaking it

Established organisations attempting to become more responsive and fast moving in the face of increasing change and uncertainty, need to overcome their own internal inertia.

How best to approach the challenge of building this continuous, sustainable change capability, that underpins both efficiency and innovation, is key.

In the face of …


Episode 18 – What the IT department can do to prevent data breaches

In this 20-minute presentation Rob offers 7 actionable insights to help educational institutions prepare for the Australian Privacy Amendment (Notifiable Data Breaches) Act 2016 – which comes into effect in February 2018.
[Presentation delivered at EduTech 2017 conference, Sydney]


How to setup & lead digital transformation capability

Presented at the University of Technology, Sydney’s DigiSAS Lab Seminar “Adaptive strategic journey management for leading digital transformation”, Rob explores:

  • Digital transformation scorecard,
  • The current CIO landscape,
  • CIOs leading enterprise digital transformation capabilities – why this is important and some of the critical success factors

The audio track …


Episode 15 – Exploring various value and risk factors that make up your organisation’s IT and Digital ecosystems

Rob explores a number of aspects of your digital ecosystem, including IoT, executives’ ‘Digital literacy’ levels, fully utilising your existing IT systems, cyber-security and rapid change. See the non-technical challenges in your organisation’s Digital journey?


Episode 12 – What’s your IT Department’s role in preventing a data breach

How do organisations and their IT departments rate when it comes to protecting themselves and their organisations against the ever present cyber risks and cyber-crime? The answer is, on average, poorly.

In this episode Rob explores key organisational factors that have an overriding influence on the likelihood of data breaches …


Mandatory data breach reporting legislation and your Australian organisation: BAU?

Australia now joins the list of states and countries which have implemented – or are in the process of enacting – mandatory data breach legislation.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed in February 2017 and applies to organisations that meet specific criteria such as business size …


Forget hackers – Look within to find your greatest cyber risk.

Adverse cyber incidents are occurring with monotonous regularity and are routinely reported in the media. With the list of mega-data breaches increasingly looking like the ‘who’s who’ of the corporate world, what chance do you really have in your business when it comes to the protection of valuable information assets?

While …


Episode 11 – Addressing the cyber-security threat from within your business: Here are 5 takeaways

A rising proportion of data breaches and adverse cyber events are avoidable or self-inflicted. The majority of cyber threats no longer have their origins outside the organisation; an increasing proportion stem from within the organisation – some say in excess of 60%. These …


Episode 10 – Cyber insurance for your business: Consider this when buying your ‘protection’

For business decision makers, striking the right balance between owning or transferring the risk – through cyber insurance – is not as straightforward as it may initially appear.

In this episode, Rob offers 6 key points to consider when taking on cyber insurance.

Episode 9 – IT and Digital vendor management strategies for change

The conventional approach to managing IT vendors may not be adequate in our rapidly changing business environments or in the adoption of your new, emerging and disruptive business technologies.

In this episode Rob explores contracts based on gain-share, vendor ecosystems, managing changing risk appetite over time, and more.

Episode 8 – Redefine your SLA for sustainable business results: Strategy, Leadership and Adaptability | Thought Leadership Podcast Series

How do prescriptive SLAs help your organisation in changing environments?

This is especially relevant for IT supply contracts – outsourcing, service provisioning and the like – which may work well for both the vendor / service provider in relatively stable environments.

Problem is, in the digital / technology and IT …


Episode 7 – Is successful business transformation possible without IT’s involvement? | Thought Leadership Podcast Series

The fundamental question for most established organisations is to define what role your IT team is to play in the journey of business transformation.

How this role is defined could be the game changer needed to drive sustainable business value. In this episode Rob shares his perspectives and insights on …


Episode 6 – Actionable insights on how to build a business relevant and sustainable innovation capability within your organisation | Thought Leadership Podcast Series

What are the critical success factors that determine any established organisation’s transition to developing a sustainable and value-driven innovation capability?

In this episode, Rob shares his insights and explores how organisations can best build their own innovation capability to deliver sustainable business results – while balancing the …


Episode 5 – Building organisational resilience through team and individual resilience | Thought Leadership Podcast Series

Resilient organisations thrive in the face of rapid and unexpected change. Fact is, versatile leaders and staff underpin versatile teams and organisations able to foster and sustain an innovation culture that translates into business value, not just marketing-speak about ‘innovation’.

In this episode, Rob explores this and offers 3 keys …


Episode 4: Exploring the effectiveness of legislation in our online world, the electronic contract, digital signatures and more | Thought Leadership Podcast Series

How effective is legislation in today’s fast paced digital world? In many developed countries, there are specific laws governing Online agreements, the use of electronic signatures, your rights to online privacy and mandatory data breach reporting.

Question is: What protections are offered under such laws in our border-less online world …


Episode 3: IoT & your IT department, Leadership, Cyber risk, architecture and more | Thought Leadership Podcast Series

While the business potential for the adoption of IoT and IoT enabled ‘smart devices’ may be clear, the role that your IT department and vendors play in ensuring IoT is not only a success, but also does not cripple your business through a cyber attack, is less clear.

In this episode, …
