Exponential exposure: Your business and the Internet of Things

At a time when cyber risks have assumed a permanent place on the list of things that cause fretful sleep for business owners, a thermostat might not seem especially menacing. The reality, however, is that a whirlwind of interconnected global risks to businesses is emerging. Smart devices are part of the Internet of Things (IoT), the network of objects embedded with electronics, software, sensors and connectivity to enable greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.

“The IoT will be integrated into every market you can think of — from healthcare to the energy industry and transport network — but it hasn’t been designed with security in mind,” says Jamison Nesbitt, founder of Cyber Senate, a community of global cybersecurity business leaders. “There are millions of hackers out there that could compromise these interconnected systems. We have sacrificed security for efficiency.”

The upsides of the IoT for consumers and businesses are plentiful, and that potential is reflected in some very big numbers. The total of interconnected devices in use long ago surpassed the number of people on the planet, and interconnectivity is only growing. Cisco projects 28 billion connected objects by 2017 and over 50 billion by 2020. Smart homes, smart cars, smart factories, smart cities — the IoT market is estimated to be worth $7.1 trillion by 2020, according to International Data Corporation (IDC) forecasts.

IoT-related risks are a reality

Here’s an example of the IoT in action: Thermostats enabled by wireless technology allow homeowners to modify the temperatures in their home via a user-interface application on a smartphone or other wireless device. Researchers recently found a number of vulnerabilities in such systems that could be exploited remotely. Now consider the implications of similar vulnerabilities in remote access to industrial control systems, with knock-on effects related to privacy issues, property damage or physical harm. You don’t have to look far for real-world effects.

In 2013, a large retailer suffered a major privacy breach when hackers accessed its network via its heating, ventilation and air-conditioning system. Late last year, a German iron plant suffered fire damage when hackers breached its control system and caused a furnace to shut down, leading to a fire.

The concern is that most of the vulnerabilities that can be and have been exploited are known vulnerabilities —nothing new and exotic — and not based on new technology. These vulnerabilities are things that companies are most likely already aware of during a product’s design and implementation process, and that should be addressed by the time it gets to the end user.

Recently, a joint research team from the University of Washington and the University of California, San Diego showed that hackers could achieve remote access to a vehicle’s critical systems using connected applications that enable roadside assistance. They were also able to take over a car’s controls through the music system’s CD drive, highlighting potential risks in the supply chain and development processes for companies manufacturing the cars; for the wireless technology and application creators; and for the automotive industry as a whole.

Effectively managing IoT risks

As might be expected, businesses view the management of potential IoT-related risks as a financial challenge. The expense can be lessened if firms follow best practices from a design perspective; for product manufacturers and service providers alike, this takes in the trending concept of “privacy by design.”

The basic concept embeds privacy in every phase of the process — from concept to development, to the time the product hits the market and arrives in the end user’s hands. This practice may help costs come down dramatically and may also increase the effectiveness of the privacy protections and the risk management behind it. In addition, this approach can be much more effective than trying to retrofit privacy or security elements onto a product that has already been launched or is in the final stages of design and development.

Gerry Kane, Zurich’s Cyber Security Segment Director for Risk Engineering, explains that “security by design is a fundamental concept, and has been since information security has been a practice. It is only as a result of the major cyber breaches of the past few years that smart business leaders made the requisite investment in security throughout the product development lifecycle — including the requirements and design phases.”

Following such best industry practices may offset problems later and cut down on the overall financial impact of a cyberattack. In addition to embedding security in the design process, other basic steps include:

• Using standard configurations
• Following the “CIA” (confidentiality, integrity and availability) model for information security policy
• Restricting access to only those who require it
• Observing strict software update and patch management (a software update to a program or its supporting data) 

On the risk management planning side, the core elements of creating resilience to cyberattacks include incident response planning and business-continuity planning from an enterprise-level perspective, where the organization plans for the worst-case scenario, and then rigorously tests those plans.

Benefits of IoT drive security pressure

Industries, such as healthcare and retail for example, are positioned, through use of the IoT, to achieve benefits and cost savings by integrating devices and technologies. And as demand increases, wireless technology providers, hardware manufacturers and consumer device makers may feel more pressure from the peripheral participants and end users to work together to secure their products.

As IoT makers’ short-term focus on financial matters wrestles with longer-term issues such as consumer confidence, the cyber-insurance market continues to evolve with regard to the types and scope of coverage available. Organizations are focused on data theft and invasions of privacy, and the general consensus is that the insurance industry can provide a financial backstop for those issues. (Personal injury or property damage exposures aren’t yet significant in the cyber market.) In addition, companies are also asking insurers how the underwriting process itself can help them better understand their many risks in the age of IoT.

If an insurer can bring in a third party — such as an IT security service or IT risk assessment service provider — to do a deep-dive assessment on a company’s network, not only may it help the insurer understand the potential risk, but also help the company understand its vulnerabilities and what action items can help remedy them.