To be sure, the Internet of Things (IoT) is growing at an exponential rate. Various estimates predict that by 2020, some 50 billion devices will connect to the Internet—and the economic value created by IoT could be worth as much as $11.1 trillion. Correspondingly, the threat of cyberattack is also quickly growing. Researchers at AT&T report a 458 percent increase in the number of times attackers scanned IoT devices for vulnerabilities over the past two years.
Interestingly, 85 percent of the respondents to an AT&T survey indicated their company is considering, exploring or implementing IoT, but just 14 percent report the company has a formal audit process in place to understand how many devices they have and whether these devices are secure, according to AT&T’s second Cybersecurity Insights report, “The CEO’s Guide to Securing the Internet of Things.” I was also interested to read that 88 percent of the respondents said they lack full confidence in the security of their business partners’ IoT devices.
“The Internet of Things is advancing the future of business, bringing new capabilities and efficiencies to companies to help them stay ahead,” says Ralph de la Vega, vice chairman of AT&T, and CEO of AT&T Business Solutions & AT&T International. “However, it’s essential to approach IoT with security in mind to effectively protect your business.”
It’s easy to feel overwhelmed by the scope and complexity of the fast-evolving IoT era, says de la Vega. CEOs can, however, begin to reduce that complexity by first understanding the security implications introduced by connected devices, and then by building a framework for securing the IoT ecosystem, he says.
Toward that end, the AT&T report includes questions its authors believe every CEO should ask his or her team about securing the IoT. The first question to ask is, Have we done an all-inclusive risk assessment that considers the IoT as a part of our overall risk? This step requires identifying the types of risks—data and physical/operational—that every IoT deployment introduces. This will, in turn, help determine how to apply security controls that are commensurate with each level of risk, the report explains. Regardless of the device type, every connected device should meet baseline security requirements.
The report also recommends CEOs ask, Are our data and connected devices secure when deploying new IoT solutions? Whenever possible, companies must isolate IoT data and networks from existing IT systems, which will help reduce an attacker’s ability to launch broader cyberattacks on mission-critical systems. Given the significant increase in connected devices and data volumes, it’s also worth considering adding automated processes to monitor data and identify threats.
The next question to ask is, Are we aligned, from leadership to the front line, on IoT security and strategy? Communicating often with the board of directors will help ensure that corporate leaders clearly understand the opportunities and risks of IoT deployments, the AT&T report notes. It’s also important for every business unit to understand the unique security considerations that IoT devices introduce.
Finally, CEO’s should ask, Have we defined legal and regulatory guidelines covering new IoT devices and deployments? It’s important to evaluate the security capabilities and responsibilities of your business partners, customers and IoT product and service providers. Secondly, the report also notes that establishing clear security protocols—and lines of accountability—is vital to minimizing weak-link scenarios.
What are your thoughts on security of IoT? Does your company have a formal audit process in place to understand how many devices are used and whether or not they are secure? Also, does risk assessment consider the IoT?