During Infosecurity Europe 2015, a security firm demonstrated how an Internet-connected kettle—which can be remotely controlled to boil water—could also be used to hack into a company’s corporate network. By tricking the kettle to contact a rogue wireless access point, the firm was able to steal the Wi-Fi key of the network.
The demonstration was part of a larger theme at the conference regarding security vulnerabilities tied to the Internet of Things (IoT). New televisions, thermostats, lightbulbs, refrigerators, kettles, and other IoT devices are connecting to Wi-Fi networks to improve functionality—while also introducing new ways to breach an organization’s network. An estimated 70 percent of current IoT devices pose security threats, according to Hewlett Packard.
These security vulnerabilities will only grow in the coming years as more IoT devices become interconnected. The global IoT market is expected to increase from $655.8 billion in 2014 to $1.7 trillion in 2020, according to the International Data Corporation. In two years, an estimated 82 percent of businesses around the world will use IoT applications.
IoT devices are now being used in some of the most closely-regulated industries, including health care, energy, government and financial services. Yet without a widespread understanding of these vulnerabilities or integrated security architectures across these new networks, valuable business data is at risk of being exposed to cyber criminals.
To make matters worse, most company leaders—including IT and security professionals who protect corporate networks—aren’t fully aware of the scale of IoT presence within their networks, according to the 2015 Internet of Things in the Enterprise Report by OpenDNS. Nearly a quarter of the 500 IT professionals surveyed say they have no controls in place to prevent somebody from connecting unauthorized devices into a network.
Where Is The Governance?
There is no central governing body that oversees the Internet, which makes creating and enforcing cyber governance policies difficult. And since cyber attacks defy state or organizational borders, controlling them requires solutions beyond merely passing legislation. Though there are rules and procedures in place, the current global cyber governance framework lacks a comprehensive answer to security risk.
One of the main problems is that the world’s cyber governance framework has not managed to address the inherent risks associated with emerging IoT technologies. Though new federal cybersecurity legislation is being worked on in the United States, organizations are often left to deal with security of new devices on their own.
A recent Zurich study revealed that the current global cyber governance leadership is made of a spectrum of three distinct types of concerns and participants. On one end, administration is effective when it comes to dealing with technical issues. On the other end, current governance is not well-equipped to deal with dangers like cyber warfare and organized sabotage. But the middle of the spectrum contains an overlap of government, industry, and individual interests.
This gray area actually presents opportunity for businesses. With no international consensus to guide principles for a framework, businesses can lobby to help establish one by sharing information and promoting cooperation between the public and private sectors.
Considering Cyber Resilience
To combat the current inadequacies of the cyber governance framework, businesses should consider adopting a culture of cyber resilience.
Protecting yourself from vulnerability entails not only a robust perimeter cyber defense process, but also more restrictive approach to the technology allowed to access corporate networks, said Bryan Salvatore, president of Zurich North America, Specialty Products.
“Companies are learning they have to invest in prevention of cyberattacks, but equally important is the mindset of resilience,” Salvatore said. “This means they invest in detection so that if a breach happens, it is identified as quickly as possible, is dealt with, and risk is mitigated.”
As it is now, cyber risk management must increase its focus on the risks of third-party technology, contractual partners, supply chains, and disruptive new technologies, said Salvatore. “Instead of attacking directly, [cyber criminals] attack through other avenues—through vendors, through organizations that companies have partnerships with—and are able to achieve access to sensitive data.”
Businesses should be careful about who they work with and be diligent about managing their relationships with vendors and clients. This could entail identifying risks, establishing protective barriers and segmenting data, creating rapid detection mechanisms, and responding effectively, Salvatore suggested.
A United Defense
But a true culture of cyber resilience cannot be confined within the walls of business.
“For cyber resilience assurance to be effective, a concerted effort among ecosystem participants is required to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk,” urged a recent report from the World Economic Forum.
Salvatore agreed, compelling businesses to be vigilant in protecting themselves by helping to protect others. “We have to push for more dialogue from the public sector, manage our exposures and react to them appropriately when they occur.”
And with 42.8 million cyberattacks expected in 2015, this is more important than ever.
Chandler Harris writes about technology, business, government and outdoor activities. His work has appeared in Entrepreneur, InformationWeek, San Jose Magazine, Government Technology, Public CIO, the San Jose Business Journal, Surfer’s Journal and more.
[“source – forbes.com”]