The Internet of Things, cyber security and the role of the CIO

There is constant discussion on the evolution of the number of connected devices over the next decade or so. One report claims that we can expect to see as many as 50 billion devices connected by 2020, moving us towards one big global information system.

The cloud will become a very crowded place indeed, holding increasing amounts of data at both the personal and the business level. This data will be travelling across many thousands of connected devices, all potentially vulnerable to hacking. Moreover, this massive scaling of the Internet of Things (IoT) makes the old adage concerning one weak link ever more relevant; hackers will potentially have any number of ways to get at that all-important data.

Another boon for the hacking community will be the proliferation of other potential access points. Everyday items such as smartphones, vehicles, fridges and even televisions will present new avenues for attack. The design of secure technology in the future will require new thinking and a different approach, with some already arguing that the IoT will be impossible to secure (in the absence of security standards).

So, how will organisations deal with this complex and challenging threatscape?

How can organisations approach the challenges associated with IoT security? 

  1. IoT devices will require a robust governance framework, one that incorporates them within the organisation’s overall security strategy. It is a good idea to plan well ahead with respect to infrastructure and network upgrades.
  2. Think about security early, at the design stage of an IoT system. Starting with a secure framework, CIOs can look to integrate IoT and build accordingly. Treating security as an afterthought is asking for trouble.
  3. CIOs need to treat IoT in the same way as any other source of data and incorporate information security accordingly. Vendors will be providing solutions for threat detection and mitigation soon enough. Apply the same security principles as you would apply to other company resources.
  4. As with other areas of security, it is imperative to engage effectively with the entire workforce. Educate them with respect to the evolving “attack surface”, and inform them about new IoT technologies and all inherent risks. Remember, a very high proportion of cyber attacks can be attributed to employees (intentional or unintentional).
  5. CIOs need to work closely with all stakeholders, especially internal and external partners. Work together to outline a family of IoT products and services. How much will it cost to build that vision? What are the potential costs of not building that vision? 

Some specific precautions 

  • Data – It is almost impossible to come up with a meaningful number when it comes to the volume of data that will be travelling across the IoT landscape. What is certain is that organisations will have to find effective ways to deal with these huge volumes of data. How is data stored when it first comes in? How will we categorise and classify such data? How long will we hold onto the data and how will we dispose of it when no longer needed?
  • Security – We are novices at building, with security in mind, the very large platforms that will be needed. Our inexperience here could prove to be very costly with respect to breaches and other security matters. We should, therefore, be looking at the opportunity to design platforms with security integrated right from the very start. Markets should be bringing pressure to bear upon IT vendors to build this level of security into IT expenditure planned by the corporate world. IoT is a relatively greenfield area in IT terms, so let’s start off on the right foot.

The increasingly interconnected digital world will need to be able to ensure the basic security principles of integrity, confidentiality and availability. There will be a transition away from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items (wearables, sensors, smart homes etc.).

To fare well in this brave new world of IoT, risk and security policies will need revision in the face of exponential network growth.

Andy Taylor, Lead Assessor, APMG
