I greatly appreciated the opportunity to provide my keynote, “Prevent Nightmares in the IoT,” at three SecureWorld conferences throughout this year, in addition to facilitating the Advisory Council breakfast roundtable discussions about Internet of Things (IoT) security and privacy while at each of those events.
I also enjoyed speaking with many of the attendees throughout the two days of each conference. I specifically asked many if they were concerned about IoT use within their business environments, and for business purposes. If they indicated they were, I asked specifically what brought their greatest concerns. If they weren’t concerned, I asked why.
There were four areas of concern that attendees consistently named regarding IoT use within business environments.
1. Pervasive, increasing personal data collection
The more personal data an organization collects, the more security risks that are created to the organization, and the more data that must be safeguarded, used, shared, retained, and destroyed in compliance with the organization’s applicable legal requirements (laws, regulations, industry standards, and contractual requirements).
If the organization doesn’t even realize that personal data is being collected through the IoT devices within their business networks, they will not be able to appropriately control or safeguard all the constantly increasing amount of personal data. All types of organizations using smart devices within their business environments need to know the data being collected, often automatically from the vicinity within which they are located.
2. Unknown pathways to the business networks, systems, data, and applications
IoT devices create new pathways into a business’s digital environments. These devices open new doorways to unauthorized access, often unknown to the IT and cybersecurity teams. This can lead to security incidents that can bring down the business activities, and lead to huge privacy breaches.
An example of just one huge security and privacy incident occurred in 2017 when a hacker got access through the Wi-Fi connected thermostat located within an innocent-looking fish tank in a Las Vegas casino. All types of organizations using IoT devices are vulnerable to these types of clever hacks occurring through unassuming devices that most people still do not consider to be cyber threats.
3. Increased and unknown data storage areas
All the data collected through smart devices is not only often stored within the device itself and/or the apps controlling it, but is also usually sent to cloud services, often through third-party apps, and then shared with a wide variety of other third parties. Organizations that have smart devices within their digital business environments are allowing unknown others to collect, store, and share an unlimited amount of various types of data through them if smart device use is not controlled. Organizations leave themselves vulnerable to having breaches of data collected within their networks that they didn’t even realize existed. The resulting impacts could be quite costly from fines, penalties and civil actions.
Consider this: If you have 100 employees, and they each use an average of two smart devices within your business processing environment, you’ve just created at least another 200 data storage areas. Add in all the third parties that are getting copies of the data, and that number exponentially increases. How can organizations safeguard and control all that data in all those other, unknown, storage areas? This opens up the organization to many additional security, privacy, and legal risks.
4. Unknown data sharing
Responsibility for data generally follows the data on to the third, fourth, and other parties who end up getting their digital hands on it. If organizations don’t even know that smart devices are collecting data within their environments, then they certainly will be completely clueless and unaware of all the many possible third parties that may be getting that data from their networks and databases. And the organization’s digital fingerprints will likely exist to point to the organization as the original source of any data obtained in this way, giving lawyers and regulators evidence of those ultimately responsible for allowing any security incidents and privacy breaches.
Indeed, the information security and privacy professionals I chatted with at SecureWorld events were prescient in their concerns. These concerns also encompass some of the most significant risks that IoT devices bring not only to businesses, but also to the individuals whose personal data is involved.
In addition to some huge global corporations and government agencies, many of the hundreds of my own SIMBUS, LLC and Privacy Professor clients are small- to mid-size technology companies, many of whom offer services for a wide variety of IoT devices. I’ve often had long discussions with them about the multitude of risks that IoT endpoints bring to organizations, such as those that I covered in my keynotes. Throughout 2018 at SecureWorld events—as well as at a wide range of other conferences, meetings, and seminars—I also spoke with many IoT services and device vendors, asking what they were doing to build security and privacy controls within their hardware and apps.
It is disappointing, and alarming in many ways, that most of these hundreds of organizations have indicated that they are not following long-standing systems engineering and programming design due diligence or security and privacy testing rigor. One start-up technology company even explained that it was their determination that they did not even need to follow change control procedures because they “use Agile Programming.” Other companies told me they tested to make sure the devices “worked.” However, upon further discussion in multiple conversations, I usually discovered the process typically did not include testing for unexpected or out-of-bounds inputs. I also found only a small handful of companies that performed penetration testing and/or vulnerability testing on their devices or apps before making them available for sale.
When IoT devices and services vendors only test for the expected activities and outcomes for their products, they are going to miss significant security and privacy vulnerabilities. This is a long-learned and demonstrated fact observed throughout the history of computing.
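To make the point about testing only for “expected” inputs concrete, here is an added example that is not from the article, from any of the vendors discussed, or from any real product. It assumes a hypothetical two-byte-header command format (command id, declared payload length, then payload) that a smart device might receive over its network interface; the format, the command ids, and MAX_PAYLOAD are assumptions for illustration. The parser checks every declared field against the buffer it will actually index, and the test table shows what a robustness suite looks like: the first case is the only one a “does it work” test would exercise, while the remaining cases are the empty, truncated, over-long, and boundary frames that catch the memory-safety and logic errors such testing misses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for a command sent to a smart device. The format,
 * the command ids and MAX_PAYLOAD are assumptions made for this example; they
 * are not taken from the article or from any real device.
 *   byte 0      command id
 *   byte 1      declared payload length N
 *   bytes 2..   N payload bytes
 */
#define MAX_PAYLOAD    16
#define CMD_SET_TEMP   0x01
#define CMD_GET_STATUS 0x02

enum parse_result {
    PARSE_OK = 0,
    PARSE_TOO_SHORT,   /* fewer than the 2 header bytes arrived         */
    PARSE_BAD_CMD,     /* command id is not one the device implements   */
    PARSE_BAD_LENGTH,  /* declared length would overflow the payload    */
    PARSE_TRUNCATED    /* declared length exceeds the bytes received    */
};

struct command {
    uint8_t id;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Hardened parser: each field is validated against the buffer it will index
 * or copy, so a malformed or hostile frame is rejected rather than copied. */
enum parse_result parse_command(const uint8_t *buf, size_t buflen, struct command *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return PARSE_TOO_SHORT;

    uint8_t id  = buf[0];
    uint8_t len = buf[1];

    if (id != CMD_SET_TEMP && id != CMD_GET_STATUS)
        return PARSE_BAD_CMD;
    if (len > MAX_PAYLOAD)        /* the out-of-bounds length case */
        return PARSE_BAD_LENGTH;
    if (buflen - 2 < len)         /* safe: buflen >= 2 was checked above */
        return PARSE_TRUNCATED;

    out->id  = id;
    out->len = len;
    memset(out->payload, 0, sizeof out->payload);
    memcpy(out->payload, buf + 2, len);
    return PARSE_OK;
}

/* Convenience wrapper so a caller can ask only for the verdict. */
int result_for(const uint8_t *buf, size_t buflen)
{
    struct command cmd;
    return (int)parse_command(buf, buflen, &cmd);
}

/* Constructed test frames. A suite that only checks that the device "works"
 * would stop after f_valid; the rest are the boundary and malformed inputs
 * that the article says vendors usually leave untested. */
static const uint8_t f_valid[]     = { CMD_SET_TEMP, 0x02, 0x41, 0x42 };
static const uint8_t f_empty[]     = { 0x00 };                 /* passed with length 0 */
static const uint8_t f_header[]    = { CMD_GET_STATUS, 0x00 };  /* zero-length payload */
static const uint8_t f_unknown[]   = { 0x7F, 0x00 };
static const uint8_t f_huge_len[]  = { CMD_SET_TEMP, 0xFF, 0x41 };
static const uint8_t f_truncated[] = { CMD_SET_TEMP, 0x05, 0x41 };
static const uint8_t f_max_len[]   = { CMD_SET_TEMP, MAX_PAYLOAD,
                                       1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

struct testcase {
    const char *name;
    const uint8_t *input;
    size_t len;
    enum parse_result expect;
};

static const struct testcase cases[] = {
    { "expected frame",              f_valid,     sizeof f_valid,     PARSE_OK         },
    { "no bytes at all",             f_empty,     0,                  PARSE_TOO_SHORT  },
    { "header only, zero payload",   f_header,    sizeof f_header,    PARSE_OK         },
    { "unknown command id",          f_unknown,   sizeof f_unknown,   PARSE_BAD_CMD    },
    { "length 255 > MAX_PAYLOAD",    f_huge_len,  sizeof f_huge_len,  PARSE_BAD_LENGTH },
    { "length exceeds bytes sent",   f_truncated, sizeof f_truncated, PARSE_TRUNCATED  },
    { "length exactly MAX_PAYLOAD",  f_max_len,   sizeof f_max_len,   PARSE_OK         },
};

/* Runs every case through the parser and returns the number of cases whose
 * result differs from the expected one; 0 means all unexpected inputs were
 * handled as intended. */
int run_robustness_tests(void)
{
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int got = result_for(cases[i].input, cases[i].len);
        if (got != (int)cases[i].expect) {
            printf("FAIL: %s (got %d, expected %d)\n", cases[i].name, got, (int)cases[i].expect);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    int failures = run_robustness_tests();
    printf("%d failing case(s)\n", failures);
    return failures == 0 ? 0 : 1;
}
```

The design choice worth noting is that the length check is ordered before any arithmetic or copy that depends on it, and `buflen - 2` is only evaluated after `buflen < 2` has been ruled out, so no intermediate value can underflow. The same table-driven shape scales to fuzz-generated frames: a fuzzer feeding random bytes into `parse_command` should only ever observe one of the five enum values, never a crash.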
A huge concern, which creates security and privacy vulnerabilities and results in incidents and breaches, is that many IoT businesses saw an opportunity to create a hot, new market offering, but did not consider the need to build in security and privacy controls. Or, if they thought about it, they typically did not take the effort to create such controls because it was not “legally required” for their IoT devices and services. This is a blatantly irresponsible way to avoid investing the time and resources necessary to make their offerings security-strong and privacy-friendly.
These IoT businesses need to realize that even if their ACME IoT gizmo is a hot best-seller, their businesses will nosedive into a quick demise, with sales crashing, after an IoT device or app security incident or privacy breach that could have been prevented. And the collateral damage will be all their customers whose personal data is breached, which may potentially result in financial fraud, identity theft, and even physical and safety incidents, just to name a few of the possibilities.
I predict privacy breaches and data security incidents originating through IoT devices and apps will increase dramatically throughout 2019. Sadly, it is also a historical lesson that reveals most organizations only implement data and network security after incidents occur.
Organizations need to think about implementing security and privacy management programs, and effective IoT security and privacy controls, in the same way as life insurance works: Trying to buy life insurance for someone after they’ve died is too late; sorry, just not possible!
Don’t wait until after a security incident or privacy breach occurs to implement IoT security and privacy controls; it could very well be that the associated impacts have already killed your business.