A primer on the Internet of Things and why it's a big concern
December 15, 2015
There’s a key difference between the Internet and the Internet of Things.
Anyone in the risk business has read these words or something similar in the last year or so: Beware the Internet of Things! Danger ahead! The new emerging cyber threat!
It’s not bad enough that we have credit card theft, identity theft, healthcare information theft and intellectual property theft to worry about. Now we are told to expect a new and potentially bigger wave of cyber threats coming at us through our cars, our thermostats and even our vending machines and home appliances.
This blog will establish a baseline understanding of the Internet of Things (IoT) — or Internet of Everything (IoE) — and set the stage for future discussions about how these threats are progressing and the defenses that should be constructed to counteract those threats.
Let’s begin with some basic definitions. What exactly do we mean by the “Internet of Things”? The Internet, as we have known it until now, is a global network that allows individuals and organizations to connect with others and to vast sources of information, any time, from anywhere that there is an access point. Access points used to be wired telephone lines and directly wired connections, but now can be found nearly anywhere in the wireless world as long as you have a connectible device, like a desktop computer, laptop, wireless phone or tablet. One notable feature of this configuration of access points and connected devices is that there is generally a human associated with the device, i.e., someone inputting addresses to which a connection is desired and participating in an online “dialogue” of sorts.
The key difference
The IoT is the same concept with the key difference being the removal of the human from the dialogue. Now the dialogue involves devices without human intervention — devices like security systems and HVAC systems in commercial properties or a home, flow controllers in pipelines, performance monitoring sensors in automobiles, or health monitoring medical devices. The IoT, then, is simply an extension of the Internet as we have always known it, with a bunch more connectible devices — perhaps as many as 50 billion by 2020. And each of these devices is in many ways similar to a traditional connected device like a laptop or phone. They are “addressed” the same way. They send and receive information the same way. They are programmed, i.e., they respond to the information they receive based on embedded rules. They offer tremendous benefits, just as the laptop and smart phone do, but they are similarly just as vulnerable to threat actors — maybe even more so.
So, what we are left with is a real “good news/bad news” situation. The good news being the tremendous benefits that the IoT can potentially deliver, and the bad news being the potential risks that come with those benefits. But there is also good news in the fact that existing risk management and information security practices can help mitigate and manage those risks. Bad news will result, however, if security is not recognized as being just as important as the benefits and is not baked into the product development process.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.