The Internet of Things: Nothing to fear but inaction itself
April 12, 2016
Connected devices are everywhere, so now is the time to act and step up your organization’s security.
We already have smart homes that help us save on energy costs. Automated controls run many manufacturing floors, creating more efficient production. Wearable medical devices that connect patient and doctor are improving care and reducing healthcare spending. The use of connected devices will continue to explode, with experts such as The Atlantic Council predicting up to 50 billion such devices by 2020.
While the Internet of Things (IoT) offers many benefits to businesses and consumers, it also represents another way for data to be manipulated for greater harm. It’s one thing for a hacker to steal credit card numbers for financial gain or shut down a website to make a political statement. But it’s a whole new level of risk when hackers can use the internet to damage a physical operation or cause bodily injury and even death to people. Many industrial control systems have been built on old technologies that are no longer supported and maintained by their vendors. Without such support, these systems become rife with exploitable vulnerabilities, a dangerous scenario considering that these systems manage critical electric grids, water treatment plants and chemical facilities. The fear is that a destructive attack on systems like these could cause widespread physical harm to both organizations and individuals.
The exponential risks of the IoT represent a new reality for business today. These risks are not just about data security. They are about the security of your entire business, its operations and people. So what steps should every organization consider to prepare for connected devices today and in the future?
- Place security at the forefront of your risk processes. Think of risk management and information security as a process, not an event. Whether you are a product developer, seller or consumer, security should be one of the first things you think of…not one of the last.
- Adopt the NIST security framework. In 2014, the National Institute of Standards and Technology created a cybersecurity framework. It’s a valuable tool, not just for the Information Security department, but also for cross-functional teams charged with defining and prioritizing the information necessary to build security into your organization. The framework has five basic steps: Identify, Protect, Detect, Respond and Recover.
- Elevate the IoT issue to the C-suite. The earlier you align with your Chief Information Security Officer to present the IoT security issue to the C-suite, the better prepared your organization will be. Connected devices are used throughout an enterprise, not just in the IT department, so the issue requires enterprise-wide attention that the C-suite and Board can make happen.
The future of IoT is exciting because of the improved convenience, productivity, and profit it offers both the producers and users of connected devices. Reaping these rewards requires action now to avoid any exponential risks in the future.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All information herein should serve as a guideline, which you can use to create your own policies and procedures. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult with independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with the publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy. Risk engineering services are provided by The Zurich Services Corporation.