Security professionals know what is needed to secure IoT and embedded devices. However, the number of devices and types, each with their own set of vulnerabilities, present a challenge for the CIO and the business adopting them.
It’s challenging to keep up with your risks when the growth of connected systems and production of devices are accomplished within a blink of an eye. Even more problematic is the fact that the developers of these technologies are not necessarily including security measures during the design and production stage.
To give you an idea of what security risks we’re talking about with the IoT and connected devices, OWASP has a helpful top 10 list you can reference.
2014 OWASP Internet of Things Top 10 List
- Insecure Web Interface
- Insufficient Authentication/Authorization
- Insecure Network Services
- Lack of Transport Encryption
- Privacy Concerns
- Insecure Cloud Interface
- Insecure Mobile Interface
- Insufficient Security Configurability
- Insecure Software/Firmware
- Poor Physical Security
Some of the items in the list might not come as a surprise to executives or security professionals due to the heightened data breach coverage we’ve seen so far this year (Target, the 1.2 billion logins stolen recently by Russian hackers, healthcare facilities and universities loosing computers, sending sensitive information to the wrong people, etc.).
Data breach is highly indicative of an enterprise working with a system that has undetected vulnerabilities, using an insecure web interface and network service, not having a strong authentication process; not to mention the undervalued aspect of physical security. As repeat incidents take place, one has to ask themselves if enough has been done to ensure protection from unknown threats and malicious intruders.
Security industry reports are stressing the importance for CEOs and CIOs to work together and to communicate, for the board members to participate in the risk management program and for security to become integral within the business process. The messages seem to be different when taken one by one, but bulk them together and you’ll see they all say the same thing: risk management is no joke, your data is very valuable and if you’re serious about securing your business for the long run you need to approach your security holistically.
With the IoT, security will get that much more challenging for businesses. The adoption of wirelessly connected devices keeps growing, this means your vulnerabilities keep growing too. If resources are short, which seems to be the case within many businesses that don’t have the manpower or security expertise necessary, companies will find themselves highly at risk and that much closer to attack. Some organizations should be very concerned, like healthcare facilities that hold patient data and people’s lives in their hands or financial institutions that hold their customer’s livelihood. The companies who have had breach are showing the repercussions. It’s not only breach costs and business loss, but job loss too; and more importantly a huge disservice to the individuals who have entrusted them with their information.
How certain are you that your business has implemented the necessary security measures to develop a holistic risk management program and be prepared for the IoT boom? Could it pass the stress test?
Photo Courtesy of FuzzBones