This article first appeared on TheAtlantic.com
Today, we’re almost as likely to connect to the internet through our watches, cars or home security systems as we are through a laptop or smartphone. The online world is enveloping the physical one: It’s known as the Internet of Things, and it’s changing life as we know it.
The number of devices networked and online is exploding, with international think tank The Atlantic Council predicting as many as 50 billion connected devices by the end of this decade—seven for every inhabitant of Earth. Much of that growth is not in consumer gadgets, like fitness trackers or televisions, but in our economy’s most critical systems, from factory floors and emergency rooms to power stations, aircraft engines, shipping fleets and national security assets.
Connecting such crucial infrastructure to the internet and to each other promises exciting advances—from smarter factories, smarter shipping and smarter retailing to smarter government. It could mean efficiencies, conveniences and economic growth that our fitness trackers and smart homes merely hint at today. But it can also mean far more security risks as hackers are given an exponentially increasing number of entry points for wreaking havoc on privacy and digital information. More connected devices means more devices capable of forming powerful armies of bots and zombie networks and, most disturbingly, giving cyber criminals remote access to our physical world.
“The threat is already there. It has already been realized in some cases,” says Gerry Kane, Director of Cyber Security at Zurich North America. Hackers are currently using the digital realm to target real-world assets. In late 2014, massive damage was caused to a German steel mill after hackers forced a blast furnace to malfunction. More recently, hackers with ties to Syria infiltrated a water utility’s control system in an undisclosed location and changed the levels of chemicals used to treat tap water.
Most cyber events are less apocalyptic but still devastating. Many hackers are after data, and our newfangled connected devices—currently far less secure than traditional computer systems—are an all-too-easy new avenue to access it. Denial-of-service attacks, where hackers shut down a company’s servers or customer-facing web applications in exchange for ransom, are also becoming more common because of the Internet of Things. 73 percent of IT professionals now consider it likely that a company will be hacked through a connected device, according to research by ISACA, an information systems nonprofit.
“No one thinks they're going to get hit,” says Kane. “If you've only got a thousand records of personal information, that's certainly worth a lot less than a company that's got a million of those records. But if you make it easy for someone to get those files and records, they'll come and get them.” Often it’s small or medium-sized companies that dismiss security too quickly, with 71 percent of cyber attacks happening at businesses with fewer than 100 employees, according to the Small Business Committee.
For decades, the threat of being hacked was tackled as a technological battle of the best firewalls and antivirus software. Strong technology is surely needed to better combat more sophisticated risks, and connected devices need to be much more secure. But the Internet of Things and the accelerating occurrence of hacks have also forced a sea change in thinking about what constitutes good security itself.
It’s a revolution started by a collective admission: Cyber attacks are now impossible to eradicate. They’ve become a fact of life. But companies can reap huge benefits by better preparing to react to and recover from breaches. “Most people in the business now will agree that you can't protect yourself completely,” explains Kane. “The focus of any good security program is not on protection, but on detection and being able to find those intruders as quickly as possible before they can do substantial damage.”
To those ends, the U.S. government has established the most popular comprehensive framework for cyber threats, where an emphasis on response, recovery and company-wide training on how to react in the event of a breach exists on par with warding off attacks. The National Institute of Standards and Technology’s Cybersecurity Framework was designed to protect critical infrastructure such as banking and energy systems, but the standards have been adopted by everyone from retail chains to the Italian government. Nearly a third of U.S. firms are already using the framework, according to technology research firm Gartner.
There are other bright spots: Cyber threats are being taken seriously in more boardrooms and corner offices. Jobs in cyber security are up 74 percent over the past five years, according to a 2015 report by Peninsula Press, based on numbers from the Bureau of Labor Statistics. What’s more, there has been a rise in the job of Chief Security Officer as some companies elevate it to an executive-level position.
The Internet of Things might be expanding faster than our ability to comprehend it. As more devices become connected, risks amplify and many companies are, frankly, unprepared. Still, the tools needed to make the IoT more secure already exist—companies and institutions have to recognize the threat and prioritize the solutions. “It isn't going to require any new concepts or any new technologies,” says Kane. “It requires a commitment to thinking that's been around for a while in handling security as a process.”