The Internet of Things, cyber-security and the role of the CIO

Andy Taylor discusses how CIOs can tackle the problems with IoT security and what precautions they could be taking.

Andy Taylor, lead assessor, APMG

Globally, 26 billion devices are expected to be connected by 2020. The Internet of Things (IoT) means that the physical world is effectively becoming one big information system.

More and more personal information and business data will exist in the cloud, travelling via thousands of devices that may have exploitable vulnerabilities. Indeed, the sheer scale of IoT is creating an "attack surface" of unprecedented size given the proliferation of connected assets and devices. One weak link in the security chain could provide hackers with nearly limitless doorways to be unlocked, leading them to information and data.

Hackers won't need to rely on public networks alone; cars, smartphones, home automation systems and even fridges are all potential access points now. In the future, security will be managed automatically by the system instead of users, so designing secure technology will require a new approach and mind-set. However, a lack of industry standards and technology architecture around the IoT makes it difficult to create security policies; some even argue that the IoT is impossible to secure.

How can CIOs approach the challenges associated with IoT security?

1.   CIOs will need to come up with a strong governance framework for IoT devices to meet security standards. Such devices, just like any other touch points, have to fit within an organisation's security strategy as a whole to prevent data leakages and other privacy issues. Understanding the organisation's risk appetite, or willingness to accept risk, is central to this. Proactively planning network and infrastructure upgrades is also essential to enable continuing proactive defence.

2.   CIOs should be integrating IoT by starting off with a secure framework and then building upon that. It is very difficult (and expensive) to bring security in as an afterthought, so make sure to include security early in the design stage of an IoT system.

3.   Initially CIOs can look to apply the same security principles to IoT that are applied to other corporate resources. Essentially, treat IoT as another data source and incorporate information security oversight. Soon enough the market will provide solutions for threat detection and mitigation.

4.   CIOs will need to engage effectively with employees, educating them with respect to IoT technologies and their risks, in addition to updating information security policies. They should be proactive about security and educate the workforce. Whilst educating the staff remains critical, it will never be the whole answer. A recent survey shows that, despite every education and training programme run by organisations, more than 30 percent of staff will still click on links in emails, making them prone to phishing attacks.

5.    Bring your own device (BYOD) is becoming endemic in most large and small organisations.

6.   CIOs will need to recognise that this will link not only staff members' smart phones to the corporate network, but, via home networks and the internet, their fridge, car and entertainment system!

7.   Look to work with your internal and external business partners to envision an innovative set of IoT-enabled products and services; what is the cost of moving forward with that vision or not moving forward with that vision? Engage with your business partners to build a business case, a governance structure and a strategic roadmap to guide your organisation's efforts.

What precautions should CIOs be taking?

·     Data – Whilst it is difficult to put a number on this that makes any sense, it is obvious from the number of connected devices in existence today (and the predicted number yet to be connected) that organisations will need to deal with mind-boggling volumes of data. CIOs need to develop strategies for dealing with this: for example, the storage of data when it initially comes in, categorising and classifying the data, how long to keep the data, and how to dispose of it securely when no longer needed or after a specified period. Legislation such as the General Data Protection Regulation from the EU, despite Brexit, will make this a legal consideration for any organisations that have dealings with Europe.

·     Security – Basically we are inexperienced in creating large platforms with security in mind. This inexperience in deploying mass networks in a secure way could create a recipe for major breaches and security issues. The IoT is a relatively greenfield area in IT. It should offer the chance to design and architect solutions with security integrated right from the start, rather than as an additional feature further down the road. Whilst CIOs need to be mindful of this issue for future planning, there is also the opportunity to make sure vendors are building this security into any IT expenditure that the organisation plans to make. Existing security controls may well be able to address these new concerns, but they need to be implemented in an agile and effective way to enable them to adapt to the new attack vectors.

Information security organisations must begin preparations to transition from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items (wearable devices, sensors, etc.). Those responsible for security need to research security best practices to secure these emerging devices. Risk and security policies will need revision as these devices start interacting on an exponentially growing information system. This increasingly interconnected digital world will need to be able to ensure the basic security principles of integrity, confidentiality and availability. 

It is essential that the maturity of the security controls used in an organisation is maintained at an appropriate level for the controls to be optimised and be appropriately effective against tomorrow's attacks.

Contributed by Andy Taylor, lead assessor, APMG