As the enterprise relies more on connected tech, risk management is a top concern
Globally, the number of Internet-connected devices, or the Internet of Things (IoT), is booming. As more and more data is being generated than ever before, businesses are finding ways to derive meaning from that data to form a complete picture of their operations. At the same time, organizations must be vigilant in protecting sensitive data to avoid becoming an easy target for attackers.
Capabilities around IoT security vary wildly. Cybersecurity experts say many organizations are woefully underprepared to prevent threats to data posed by cybercriminals.
The good news is that’s all changing. While the US government is largely absent in this area of consumer protection, the state of California has recently stepped in and started regulating IoT devices sold in the state — and it’s predicted that the effects will soon be felt worldwide. California’s new law, which will take effect in January 2020, requires all connected devices to have a "reasonable security feature." One clear change is that default passwords will no longer be allowed, which should be standard practice anyway.
Looking ahead to 2019, leaders from OpSense and Senseware recently invited Grant Elliott, President and CEO of Ostendio, a provider of cybersecurity and risk management solutions, to offer guidance to a DC-based group of IoT executives.
Elliott provided insight into the current threat landscape and how organizations can better protect themselves in the datacenter and at the edge:
Current Threat Level: High
Modern cybercrime is big business. Nowadays, it’s not just lone hackers creating attacks, but organized crime, cyberterrorists, and nation-states are in on the action too. With the advent of machine learning and artificial intelligence, the next generation of malicious actors are scanning the landscape with highly sophisticated tools, looking for any vulnerabilities.
“Why do people hack companies?” asked Elliott. “Because that’s where the data is.” He noted how crypto-jacking kits can be bought for cheap on the dark web, allowing hackers to infect machines and easily mine bitcoin.
It’s clear that IoT vulnerabilities are plentiful — and we can’t afford to have weak security measures inhibit the opportunities that IoT can deliver.
Assess Your Risk
According to Elliott, the top questions a security auditor will ask are: “Do you know what data you have? Has it been classified? Who has access, and do you trust them?”
Performing regular vulnerability tests to assess the risk of connected devices will help assure that there are no gaps in the security landscape. Understanding which threats you are exposed to will help guide your response strategy.
Vet Employees and Vendors
The common thread in most hacks is people, not tech. Examples include employees who open phishing emails disguised as coming from HR, disgruntled former employees who decide to leave a “gift” as they depart the company, or simply a contractor who may be a little laxer with security protocol (i.e., Target's massive 2013 breach).
“When you’re on-boarding, do you know what systems you’re giving access to?” asked Elliott. One participant shared a story of how he still had admin access to an organization’s cloud-based DNS service four years after working there.
Encrypt and Authenticate
Organizations using connected devices should make sure that all data is encrypted at rest and in transit. Make end-to-end encryption a product requirement to ensure this key security feature is implemented in all of your IoT projects.
Review all of the connections being made to your device, including digital and human, to ensure authentication schemes only allow trusted connections to your IoT device. Especially before transferring or receiving data, or updating software. Using digital certificates helps to provide seamless authentication with binded identities tied to distinct protocols.
Make Security Part of Your Culture
Security is not a destination. You’re never going to be risk-free. It’s imperative that the C-suite drive cybersecurity culture throughout the organization.
Understand the flow of data throughout your organization. Limit customer network, data, and device access to select authorized employees.
Implement continuous training and compliance exercises. “Your staff want to be trained, it makes them more valuable,” said Elliott.
Find a Trusted Security Partner
Elliott recommended partnering with a security provider to work towards completing the Service Organization Controls Type 2 (SOC 2) security principles. These top-tier benchmarks ensure that organizations have the necessary internal controls and processes in place to protect their networks against cybersecurity threats.
SOC 2 audits are based on the existing SysTrust and WebTrust principles. The purpose of a SOC 2 report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, or privacy.
Cybersecurity should lie at the heart of any digital transformation initiative and should never be an afterthought but built-in by design. “Don’t wait until you have a breach to do this,” said Elliott.