The explosion of IoT and ‘smart’ devices is happening – like it or not – and this represents a clear and present cyber-risk for many organisations that are unaware of the latent cybersecurity vulnerabilities that they present. What to do about this expanding cyber risk profile is the question.
According to various IT tech firms and industry analysts, there will be between 20 billion and 38 billion ‘smart’ and IoT devices in use by 2020.
A disconcerting fact is that security researchers estimate that a large percentage of these ‘smart’ devices are insecure.
The explosive uptake of consumer IT devices is testing corporate and government cyber security capabilities, whether it arrives through Shadow IT or through a formalised BYOD policy.
Fact is, those in the know are starting to raise red flags.
When the army of Smart Devices marches – beware
When a sea of insecure, compromised devices is combined into a formidable, highly coordinated global botnet, substantial cyber attacks become increasingly likely, with more to follow:
- In October 2016, the Mirai botnet, built from hundreds of thousands of compromised consumer devices such as IP cameras, DVRs and home routers that were still using factory-default credentials, mounted a massive distributed denial of service attack on Dyn, a major DNS provider, which resulted in major service interruptions to the websites of Twitter, Amazon, Netflix and others.
- The discovery of a critical, remotely exploitable vulnerability affecting millions of IoT and smart devices that share a widely used open source software library.
A denial of service or a data breach is one thing. When there is loss of life, the destruction of critical infrastructure or the theft of corporate assets, the risks are taken to another level.
The IoT cyber risk will continue to escalate unless a ‘security first’, software-patchable approach is taken for all embedded, ‘smart’ IoT devices – period.
‘Security by design’ – What security?
Problem is, the development and sale of many IoT devices fail to take a ‘security-by-design’ approach.
Many – if not most – IoT devices have been developed and sold with time-to-market, sales revenue and innovation beating any security considerations hands down. The long tail of embedded devices which are not patchable – that is, their ‘smarts’ are burned into the silicon and cannot be updated in the field – is a real concern going forward.
In 2017 a bipartisan group of US senators introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would require vendors supplying internet-connected devices to the US government to ensure that the devices are software patchable, ship without known vulnerabilities and do not rely on hard-coded credentials.
IoT security 101
Here are a few critical pointers to get you started in the journey of mitigating the cyber risks inherent to IoT, ICS or embedded ‘smart’ technologies:
- Identify what needs protecting – that is, any IoT, network-enabled or embedded device which, if compromised, will jeopardise your business or the business of other stakeholders such as suppliers, customers or regulators. Don’t waste precious effort on trying to protect that which is not important.
- Identify whether these devices can be protected. For older (or even new) technologies that cannot be patched, consider replacement; if replacement is not feasible, isolate them on their own network segment and firewall them so that they can reach only the systems they genuinely need.
- For core or critical devices, seek specific assurances (under NDA if needed) from your hardware supplier, and from their suppliers for that matter, as to which layers of the device (firmware, operating system, applications) can and cannot be patched. Then develop, test and implement countermeasures.
- Establish ongoing protection regimes for all key IoT devices, backed by cyber security and organisational (i.e. staff behavioural) policies that are regularly assessed for effectiveness.
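The four pointers above can be turned into something that runs. The following is an added example, not code from the original article: it triages a constructed inventory of devices into patch / monitor / replace-or-isolate decisions, then replays constructed flow records (in the shape a NetFlow collector or firewall log would give you) against each device’s egress allowlist, so you can tell whether a device you decided to isolate is actually contained. Device names, addresses, ports and flows are all made up for illustration.

```python
"""Added example for the four IoT security pointers (not the article's own code):
triage a constructed inventory, then check that non-patchable devices are really
isolated by replaying constructed flow records against their egress allowlists.
Names, addresses and flows below are illustrative assumptions only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Device:
    name: str
    ip: str
    business_critical: bool                 # pointer 1: does compromise hurt the business?
    patchable: bool                         # pointer 2: can its software be updated?
    allowed_egress: List[Tuple[str, int]]   # (CIDR, port) pairs the device genuinely needs


# Constructed inventory: a boardroom smart TV, a lobby camera, a connected
# fridge and a production-line PLC.
INVENTORY = [
    Device("boardroom-tv",   "10.20.0.10", True,  False, [("203.0.113.0/24", 443)]),
    Device("lobby-camera-1", "10.20.0.21", True,  True,  [("10.0.5.5/32", 554)]),
    Device("kitchen-fridge", "10.20.0.30", False, False, [("198.51.100.0/24", 443)]),
    Device("plc-line-3",     "10.30.0.7",  True,  False, [("10.30.0.100/32", 502)]),
]

# Constructed flow records as (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.10", "203.0.113.44", 443),  # TV to its vendor cloud: expected
    ("10.20.0.10", "10.0.1.15",    445),  # TV to a corporate file server: lateral movement
    ("10.20.0.21", "10.0.5.5",     554),  # camera streaming to the NVR: expected
    ("10.30.0.7",  "192.0.2.9",     80),  # PLC reaching the internet: must never happen
    ("10.0.1.200", "10.20.0.10",    22),  # inbound admin session, source is not an IoT device
]


def triage(device: Device) -> str:
    """Map a device to the action the four pointers call for."""
    if not device.business_critical:
        return "monitor"             # pointer 1: don't spend scarce effort here
    if device.patchable:
        return "patch"               # pointer 4: keep it on an ongoing update regime
    return "replace-or-isolate"      # pointer 2: cannot be fixed in software


def plan(inventory: List[Device]) -> dict:
    """Decision per device name."""
    return {d.name: triage(d) for d in inventory}


def flow_allowed(device: Device, dst_ip: str, dst_port: int) -> bool:
    """True if the destination falls inside one of the device's allowlisted (CIDR, port) pairs."""
    dst = ip_address(dst_ip)
    return any(dst in ip_network(cidr) and dst_port == port
               for cidr, port in device.allowed_egress)


def find_violations(inventory: List[Device], flows) -> List[Tuple[str, str, int]]:
    """Return (device name, destination, port) for each flow that escapes a device's allowlist.

    A hit for a device triaged as 'replace-or-isolate' means the isolation
    from pointer 2 is not actually in force on the network."""
    by_ip = {d.ip: d for d in inventory}
    violations = []
    for src, dst, port in flows:
        device = by_ip.get(src)
        if device is None:
            continue                 # not a managed IoT device; out of scope for this check
        if not flow_allowed(device, dst, port):
            violations.append((device.name, dst, port))
    return violations


if __name__ == "__main__":
    for name, action in plan(INVENTORY).items():
        print(f"{name:15} {action}")
    for name, dst, port in find_violations(INVENTORY, FLOWS):
        print(f"VIOLATION {name} -> {dst}:{port}")
```

Run against the constructed data, the TV and the PLC are both flagged as needing replacement or isolation, and the flow replay shows that neither is isolated yet: the TV is talking SMB to a file server and the PLC is reaching the internet. Feeding real flow exports into `find_violations` is the check that turns pointer 2 from a policy statement into something you can verify on a schedule.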
These 4 pointers are just the start.
After all, all your IoT cyber security measures may be undone when your boardroom’s voice-activated smart TV allows eavesdropping on your most sensitive commercial or strategic discussions.
Question: What IoT and ‘smart’ device sleeper cells exist in your organisation, and do they present a vulnerability which, when exploited, becomes your business risk?
Time to find out is now.
Recent industry studies confirm that the phenomenon of short-termism is on the increase.
Short-termism describes a focus on short-term business goals at the expense of achieving long-term objectives. This has been shown to undermine organisations’ longer-term value creation in certain cases.
Fact is, short-termism is a …
Established organisations attempting to become more responsive and fast-moving in the face of increasing change and uncertainty need to overcome their own internal inertia.
How best to approach the challenge of building this continuous, sustainable change capability, which underpins both efficiency and innovation, is the key question.
In the face of …
In this 20 minute presentation Rob offers 7 actionable insights to help educational institutions prepare for the Australian Privacy Amendment (Notifiable Data Breaches) Act 2016 – which comes into effect in February 2018.
[Presentation delivered at EduTech 2017 conference, Sydney]
Presented at the University of Technology, Sydney’s DigiSAS Lab Seminar “Adaptive strategic journey management for leading digital transformation“, Rob explores:
Digital transformation scorecard,
The current CIO landscape,
CIOs leading enterprise digital transformation capabilities – why this is important and some of the critical success factors
The audio track …
Data Breach Risk is real, and of increasing concern to business leaders, regulators and customers.
Audio of Rob Livingstone’s presentation at Trend Micro’s Executive briefing events Sydney and Melbourne 5-6 June 2017 on Australia’s new Mandatory Data Breach Notification legislation.
Rob explores a number of aspects of your digital ecosystem, including IoT, executives’ ‘digital literacy’ levels, fully utilising your existing IT systems, cyber security and rapid change. Can you see the non-technical challenges in your organisation’s digital journey?
Shadow IT – a term used to describe the use of IT, digital or cloud systems by individuals and parts of the organisation without appropriate oversight – can add to overall IT cost, increase complexity, elevate business risk and more. Yet the business benefits may be substantial if it is handled correctly.…
Rob explores a range of business, organisational and governance factors that will ensure IT departments are able to incubate business-relevant innovation to drive and deliver sustainable business value.
How do organisations and their IT departments rate when it comes to protecting themselves and their organisations against the ever present cyber risks and cyber-crime? The answer is, on average, poorly.
In this episode Rob explores key organisational factors that have an overriding influence on the likelihood of data breaches …
Australia now joins the list of states and countries which have implemented – or are in the process of enacting – mandatory data breach legislation.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed in February 2017 and applies to organisations that meet specific criteria such as business size …
Adverse cyber incidents are occurring with monotonous regularity and are routinely reported in the media. With the list of mega data breaches increasingly looking like the ‘who’s who’ of the corporate world, what chance do you really have in your business when it comes to the protection of valuable information assets?
In this initial episode, Rob Livingstone and Dr Asif Gill provide a brief overview and background to the series…
A rising proportion of data breaches and adverse cyber events are avoidable or self-inflicted. No longer do the majority of cyber threats originate outside the organisation; an increasing proportion stem from within it – some say in excess of 60%. These …
For business decision makers, striking the right balance between owning or transferring the risk – through cyber insurance – is not as straightforward as it may initially appear.
In this episode, Rob offers 6 key points to consider when taking on cyber insurance.
The conventional approach to managing IT vendors may not be adequate in our rapidly changing business environments or in the adoption of your new, emerging and disruptive business technologies.
In this episode Rob explores contracts based on gain-share, vendor ecosystems, managing changing risk appetite over time, and more.
How do prescriptive SLAs help your organisation in changing environments?
This is especially relevant for IT supply contracts – outsourcing, service provisioning and the like – which may work well for both the vendor / service provider and the customer in relatively stable environments.
Problem is, in the digital / technology and IT …
The fundamental question for most established organisations is to define what role your IT team is to play in the journey of business transformation.
How this role is defined could be the game changer needed to drive sustainable business value. In this episode Rob shares his perspectives and insights on …
What are the critical success factors that determine whether an established organisation can develop a sustainable, value-driven innovation capability?
In this episode, Rob shares his insights and explores how organisations can best build their own innovation capability to deliver sustainable business results – while balancing the …
Resilient organisations thrive in the face of rapid and unexpected change. Fact is, versatile leaders and staff underpin versatile teams and organisations able to foster and sustain an innovation culture that translates into business value, not just marketing-speak about ‘innovation’.
In this episode, Rob explores this and offers 3 keys …