Who’s responsible for IoT security?

New York
22nd Mar 2017

The IoT is growing. Billions of sensors and machines are connected to industrial software systems, alongside billions of consumer mobile and smart home devices and millions of connected vehicles, all running on ever-faster networks. Meanwhile, cyber criminals stealthily organize like agile startups. Who is responsible for the security of all these things?

“Enterprises, cities and end users are all benefitting from the growth of the IoT,” says Steve Durbin, managing director, Information Security Forum. “We’re seeing the creation of tremendous opportunities to develop new services and products that will offer increased convenience and higher customer and consumer satisfaction. However, most of the technology that makes up our connected ecosystem was not built with security in mind. Thus, anything connected has the potential to be hacked these days.”

It’s not my job

Security professionals were once viewed as blocking progress as much as protecting corporate interests. Today, consumers just want the coolest device and don’t give much thought to risk, so OEMs are tempted not to invest in an area that does not immediately appear to give them a competitive advantage.

What’s more, the next generation believes security is something that should be conducted for and on behalf of them, according to Steve. At the same time, they expect to bring all their insecure smartphones and wearables with them to work.

Meanwhile, cybercrime gangs are joining forces to take advantage of the unprecedented number of gateways in order to steal high-value information.

“Organizations need to reassess how they approach IoT security. It’s no longer something apart from the business; it is a real business issue. Cyber threats can have a substantial impact on customer confidence and the bottom line,” he says. “Whereas investing in cyber security has become a primary method of protecting reputation, shareholder value, financial resources, and proprietary information, so mitigating risk requires a business investment.”

Securing the IoT

Being a business issue also means that IoT security is not just a technical challenge for the Chief Information Officer, Chief Technology Officer, or Chief Security Officer; it falls under the purview of all the corporate officers and the board.

“Yes, security and IT must provide input into solving issues, but you can’t just suddenly replace your entire plant, for example,” says Steve. “When it comes to cyber security, it’s more important than ever for board members and core executives, especially those not directly involved with deploying security programs, to fully participate and contribute on a continuous basis. Ultimately, it’s the decision of the executive team on where to invest because there will be a significant business cost and advantage.”

Technical and security teams should educate the business on security challenges and solutions — speaking in a language the business understands and communicating all the way to the board level, so that corporate leaders have the facts they need to make the best decisions.

Making these decisions requires organizations to look across functions at the information flow and assess where the most valuable data assets are housed, find out how they are being used, realize who has access and understand what, if any, protection exists.

“Identifying and safeguarding what is absolutely business critical will take re-examining how a business operates and engaging through the enterprise so everyone knows the role they play in security,” says Steve. “Organizations that get out in front of things now, and prepare for stricter data breach laws with bigger fines for non-compliance, will be ahead in meeting regulations, while remaining in customers’ good graces. They’ll also make better business decisions along the way.”

On the consumer side, end users have to take more responsibility, thinking before clicking in both their personal and professional lives. Cautious behavior, however, will require education for heightened awareness, according to Steve.

“I firmly believe we need to start teaching and training children on best practices in our primary schools, when they first begin using technology,” he says. “If they learn about security early on, they’ll be more cyber-savvy throughout their lives.”

It takes a village

If there’s one word to describe the future of IoT security, it’s collaboration. According to Steve, this means working together more within the business, sharing across industries, cooperating with law enforcement, engaging with third-party partners and assuming personal accountability.

In fact, except for the largest enterprises, outside expertise is almost a certain requirement. Most won’t have the funds to support a full security team, nor will they typically find the proficiency in house. Still, Steve says, “Stop looking for the silver bullet. There’s no one solution to fix all.”

Who’s responsible for IoT security? We all are.