What the C-suite must know about IoT
In October 2016, a botnet of connected devices (or ‘things’) infected with the Mirai malware flooded the DNS provider Dyn with traffic and knocked sites like Twitter, Spotify and GitHub offline at various times.
We live in a world where more and more everyday devices – refrigerators, dishwashers, coffee machines and toasters, as well as mobile computing devices like smartphones, tablets and wearables – are connected to other devices. This is the Internet of Things (IoT). While it’s a source of great convenience and utility (it’s great to be able to turn on your lights, heaters and coffee machine before you get home), it’s also a source of great risk.
When it comes to protecting businesses from IoT-borne threats, the C-suite must take the lead.
The IoT: a triple threat
The IoT gives rise to three principal categories of security risk:
1. Attack by an external IoT army or botnet
2. Attack by your own IoT devices as part of an external army or botnet
3. Attack by your own IoT devices used as an entry point into your network, unconnected with any external botnet.
Governance is the key
The structural risk that plagues many businesses today is that IT hardware isn’t only being bought by the IT department anymore. Your facilities team might buy light bulbs with 4G capability; your marketing department might invest in beacons; or your finance team might buy a new printer.
If new devices connect to your network without the IT team’s knowledge, and without any governance, your risk multiplies. Bringing every device under IT governance – knowing what it is, where it sits on the network and who owns it – mitigates the risk of those devices attacking you (or someone else). It also makes it possible to lock them down against external threats.
Directives to this effect – that all IT purchases must be okayed by the IT department and are subject to its oversight (and veto) – must come with a strong mandate from the C-suite if they are to be effective.
Here are some tips for ensuring that your business remains as safe from IoT-based threats as possible:
1. Security first
It’s more than likely that your general manager in charge of purchasing has never had to take a security-first view of products that used to be benign. An expensive light bulb might catch their eye because of the cost, but not because of the security risk that its internet connection represents. Managers must start putting security ahead of every other concern, because those concerns become irrelevant if the business is breached and its data, operations or products are compromised.
2. Training is vital
The IT team should train all employees about what constitutes an IoT device, as different manufacturers use different marketing terms. For example, purchasers should look for references to ‘4G’, ‘Wi-Fi’ or ‘smart’ as well as for ‘Internet of Things’.
It also needs to be made clear that there are strong security reasons for exercising caution and oversight. A facilities manager might love the sound of a device that can update its own firmware, but might not be aware that the security of that feature depends on whether the updates are verified and where they come from, or of the possible consequences of a breach.
3. IT: the all-seeing eye
When anyone in the company heads out to buy an IoT device, they must get IT’s approval, and the device must be recorded in IT’s inventory before it connects to the network. No exceptions.
4. C-suite involvement
All the above measures involve some combination of cost, hierarchy and time. This is where the C-suite needs to be brought on board, because you’re going to be recommending training (costly) and getting involved in other departments’ spending plans (possible turf war).
Those can be difficult matters to advocate, but not as difficult as explaining how a rogue refrigerator on Level 5 gave an attacker a foothold inside your network and leaked all your customer data.