What is the Internet of things (IoT)?
The Internet of things (IoT) is the network of physical devices, vehicles, home appliances and other items built with electronic components, software, sensors and network connectivity that enables these objects to connect and use the data they exchange. Each thing is uniquely identifiable and can operate on its own or in a group. IoT devices can communicate with each other via a wireless network and can be accessed via the Internet. The promise of IoT is to make people’s lives easier and more efficient, and the devices range from printers, copiers, fridges, motion detectors, coffee makers, thermostats and smart spoons to smart-watches and mobile devices. It’s estimated that by the end of 2020, there will be nearly 20-30 billion IoT devices in use globally. These devices tend to be easy to set up and easy to maintain, and because they have become so common in our daily environment, they are easily overlooked.
There is a growing demand for gadgets like the Amazon Echo that make our lives easier by managing menial tasks for us. However, digital risk comes into play when the software on these devices isn’t regularly updated or monitored. New gadgets aren’t always certified or tested for security; in many cases manufacturers do everything possible to get their product onto the market as fast as possible.
Managing Security Risk from IoT
The threat and the need for concern are real. In a recent white paper from Shared Assessments, findings show that efforts to mitigate IoT third-party risk need to improve significantly.
- 94% of survey respondents believe that within the next 2 years “a security incident related to unsecured IoT devices or applications could be catastrophic”
- 78% believe “the loss or theft of data caused by unsecured IoT devices or applications” could occur
- 76% believe a “cyber attack caused by unsecured IoT devices or applications” is possible
Answer These 5 Questions for Each IoT Device You Install
It is important to weigh the risks and benefits of these products in a physical environment. The “owner” of the asset must understand the use and functionality of the device, both physically and internally. A few questions need to be considered and answered before adding an IoT device that could compromise the security of your organization and the safety of your people:
- Who will have access to the device, and how will access management and credential management be maintained?
- What is the process for updating the device in the event of a published update or vulnerability?
- Who is responsible for monitoring the state of vulnerabilities for the device?
- What information is collected, stored or processed by the IoT device and system?
- If the IoT device is compromised or exploited, who and what is impacted by the incident?
Mitigating High Risk Security Incidents Should Always Consider IoT Risk
There are many possible threat outcomes as a result of an IoT device compromise. From a physical security and executive protection aspect, a nefarious actor could have the ability to remotely control a system (locks, temperature, or security) and create a disruptive or damaging physical incident. A threat actor could access video or audio to compromise the privacy of those exposed to the device, which can lead to extortion and public crisis incidents. IoT exploitation can lead to serious operational disruption, reputation risk, and physical security incidents with disastrous consequences. Make sure digital risk is addressed before it can become physical.