Here’s a question for you to deliberate upon:
What’s the biggest technological change surrounding enterprises today? Is it IoT? Artificial intelligence? Or is it virtual reality? There’s machine learning. And we have cognitive computing, and there’s digital transformation as a whole.
Well, we will leave this debate for some other day. This is like debating which comment LaVar Ball has made is the most ridiculous. Now even Dennis Rodman is going after him! When will LaVar Ball stop making irrational statements? That is also a debate for another day! OK, let’s get back on topic!
What we will understand, however, is how all these digital revolutions are accompanied by corresponding IT security issues and challenges for CIOs and CISOs.
The focus on IoT-related IT concerns and issues
IoT, particularly, presents interesting facts. There’s a lot being said about how dozens of billions of “things” will be connected via the Internet by 2020. There’s a lot being said about what it means in terms of device security and user privacy.
Compromised networks, identity thefts, object theft, remote control of your devices, loss of data – everything’s at stake it seems. Let’s attempt to make sense of all the volumes of concerns floating around cybersphere, and understand what matters for CIOs and IT decision makers, in terms of IT security concerns around proliferation of IoT.
Thousands of connected devices means new security challenges
A clear outcome of the IoT revolution is an exponential increase in the number of devices that will be within an enterprise’s network.
A decade ago, an enterprise only had to worry about protecting a few dozen computers (well, perhaps hundreds). Five years ago, smartphones and tablets were added to the ecosystem. And three to four years down the line, we’re staring at the possibility that most physical devices, right from the water cooler to the thermostat will be connected to the network, all a part of the IoT ecosystem.
For enterprises, this has significant implications. Just watch the movie “Blackhat”!
- It increases the attack-surface area, which cyber criminals can exploit, and use to successfully break into the network of the enterprise.
- Because of the direct, and largely physical interaction between employees and enterprise-owned connected things, the control over security best practices will dwindle.
- Depending on the nature of the device, any rogue IT expert who could log in to the device interface, will be able to control its operations.
- Apart from potential loss of data, an IoT cyberattack could quickly escalate into a situation of physical threat for employees (imagine an enterprise’s in-campus shuttle bus running at 40 mph, controlled by a hacker, or some outside force controlling a building’s elevator system, or someone taking control of a large crane over an assembly line while holding a massive part of a plane or ship, and so on).
- Detecting such a security compromise would take time, and leave hackers enough time to inflict significant damage.
- Competing enterprises could hire underground hackers to attempt IoT cyberattacks on another organization, with the aim of disrupting its workday. Now, that is just rotten!
Vulnerabilities created by BYOD
BYOD is thriving. Leading enterprises promote controlled BYOD proliferation, keeping firm control over the security readiness of employees’ devices. In the near future, however, any person working remotely via a firewall-protected personal device will also have a dozen other gadgets and objects connected on the same network.
This means that the device on which office work is being performed will only be as safe as the least-protected device in the IoT cluster of the user, sort of like the way a team is only as good as its worst player or member.
This is not something that enterprise IT departments can’t manage, but it does bring significant challenges, and certainly slows down the progress of IoT for organizations already looking to go aboard the BYOD train.
Are IoT product manufacturers prepared?
The current state of the IoT device manufacturers market is characterized with the focus on speed to market. As a result, IoT startups launch their products and immediately start working on their subsequent concepts and the next version of that product. They know the competition is already gearing to beat their product so they know they will have to upgrade soon. Waiting is just not logical.
Now, take your mind back to when computers first became mainstream. It was because of the exploitation of OS and software vulnerabilities that makers aligned their approach to a method of regular firmware upgrades, to ensure the security readiness of their products.
Only a few IoT startups continued firmware upgrades, which means that their products will, sooner or later, have known vulnerabilities that cyber criminals could exploit. Manufacturers, product engineers, and interface designers would do well to showcase foresight, and ingrain the practice of regular security upgrades for their devices’ software.
Beyond the threat from cyber criminals
Cyber criminals are not the only threats to an enterprise that adopts IoT. There are other lesser-known rogue elements.
IoT product and service providers themselves could as well pose a security threat for enterprises. There is always the risk of the IoT product manufacturer collecting your enterprise’s data, and using it to either plot a cybercrime or share it with cyber criminals. It’s not unheard of for companies to sell data to other firms, which is a blatant breach of an individual’s privacy rights. (Remember the episode of RadioShack auctioning user data in its bankruptcy?)
All this data spread across the enterprise in all sorts of categories could attract nefarious characters who have all sorts of illegal and unrighteous intentions. This could start with underground deals within corporations, and end up with blatant cyberattacks directed at specific data repositories.
Dependence on end users for maintenance of IoT devices
When it comes to workstation computers, enterprise IT has mechanisms to push security updates to these terminals, even if the end user doesn’t comply with IT best practices. When the number of connected devices within the enterprise increases, with each end user interacting with multiple devices every day, this remote control over security updates becomes challenging.
CIOs and CISOs will, hence, need to update operational procedures around device security upgrades. This also means IoT product companies that offer extended support could also take responsibility for updating the security readiness of their devices sold to the enterprise, their customer.
The big picture
IoT is a force that has the potential to change the way humans work to an extent that nobody imagined earlier. The IT security, privacy protection, and data integrity issues it brings, however, require attention, foresight, and action from IT decision makers within enterprises, or their employers could face disruption, chaos, and even worse, violence occurring on their site and on their property.
Photo credit: Shutterstock
