The Internet of Things and its security issues are back in the conversation after a just-released IoT security audit in Massachusetts.
Here are the conclusions, which certainly echo what we've heard from security leaders at SecureWorld conferences. The IoT is a beast to secure, especially as the numbers and types of devices grow.
- "Forty-six percent of respondents believe that IoT risks cannot be managed effectively and efficiently by current controls."
- "Forty-three percent of respondents believe that the IoT is in its infancy and the risk of adopting IoT devices is greater than the benefits."
- "The Commonwealth’s Enterprise Information Security Policy (EISP) does not offer any guidelines to state agencies regarding the adoption of IoT technology."
A survey of state agencies using IoT devices was part of the audit by the Massachusetts State Auditor.
Surprise: Massachusetts needs an incident response plan
The audit revealed a shocker: Massachusetts apparently does not have an incident response plan for reacting to a cyberattack.
- "The Commonwealth does not have a formally documented information security incident response plan."
- "... it does not have a documented incident response plan. Such a plan would establish specific procedures EOTSS would follow to respond to and resolve any detected incidents affecting the security of the Commonwealth’s IT hardware, software, and data related to IoT devices. Without an incident response plan, the Commonwealth has inadequate assurance that it can effectively respond to and minimize the risk of cyberattacks when they happen."
Note: EOTSS is the group that manages the Commonwealth's IT environment.
The audit points out that an incident response plan is being worked on, but it is currently in "draft" mode.