The Internet Of "vulnerable" Things?

Today's world is hyperconnected, and organisations are under increasing pressure to collect, collate, analyse and share data in a smart and seamless way. However, smart and secure are often not synonymous with each other.  The Internet of Things (IoT) is becoming an increasingly prominent and important facilitator of hyperconnectivity because it involves connecting computing devices and digital machines to everyday objects.

Today's world is also increasingly volatile and risky, and organisations need to remain constantly vigilant against cyber attacks, particularly in relation to the IoT. One of the key questions for most organisations is therefore, how can we be both hyperconnected and secure?

Hyperconnectivity Versus Security

Cyber security extends to an organisations network infrastructure and beyond. Industrial control systems (ICS) are an integral part of the operational technology of an organisation, and work alongside an organisation's IT network and any IoT devices.

As IoT devices become more prevalent, cyber attacks are increasingly directed at ICS or other similar systems in an attempt to compromise an organisations wider network. A targeted attack through an organisations network may have far reaching impacts beyond the walls of its own facilities, e.g. power outages, major health and safety risks, a communication shutdown preventing an emergency response, and preventing the supply of clean water.

Are IoT Devices The Weakest Link?

The recent British government Cyber Security Breaches Survey highlighted that almost all organisations have some form of digital exposure, and that network-connected devices were more common amongst businesses than last year. Ericsson has also predicted that connected IoT devices will consist of around 29 billion by the end of this year.

However, the increasing reliance on IoT devices does not mirror the surrounding security aspects, which are receiving less focus.

In many organisations IoT devices will be embedded into the processing of data which is sensitive and critical to the organisation and its infrastructure. If the lack of focus on security measures continues, the IoT devices, and as a result the data they process and the networks of which they form part, will become increasingly vulnerable to cyber attacks.

Should Regulators Intervene?

The UK Government has recognised at a consumer level that there is a need for minimum security standards for IoT products being sold, with the Queen's Speech announcing that new laws will also aim to impose obligations throughout the supply chain. However, the UK Government has not gone so far as imposing minimum security standards on the industrial IoT or other interconnected systems within an organisation. This seems strange, because organisations usually present a more diverse threat profile than consumers, and r organisations also typically have more knowledge, responsibility and control of networks and cyber security.

In the absence of a minimum standard, Chief Technology Officers and boards should consider how to build and invest in a "security-by-design" mindset within their organisation, and how to future proof any IoT, ICS or other devices through monitoring and maintenance.

Doing so will not only strengthen an organisation's security arrangements, it is also likely to extend the period during which IoT devices can be used, and therefore potentially decrease expenditure on new hardware. 
This may be an uphill battle for some organisations – the Cyber Security Breaches Survey noted that 44% of businesses in the UK see cyber security as only a "fairly high" priority. The DCMS have further found from the survey that there is a lack of understanding of what constitutes cyber risk management, compounded by a lack of expertise and perceived complexity of cyber security matters at a board level.

Organisations are buried under a growing mountain of information, and leaders are struggling to find the right balance between enforcing compliance, providing flexibility to encourage innovation, and giving employees access to the right information at the right time.

What Can Be Done?

Organisations should take a holistic and proactive approach to their cyber security. Research demonstrates that most tend to take a reactive approach rather than being proactive in recognising the strategic risks that may impact the organisation. 

Whilst it may be difficult to do so in the short-term, organisations should try to view investment in cyber security in a more positive light. They should view the investment as a business enabler, not just an extra cost.

Even after such a change in perspective, negotiating sufficient budget for cyber security against other competing priorities can still seem like a battle. This is often a particularly difficult issue where organisations do not outsource IT or other security solutions. This leaves the organisation heavily reliant on an often small group of its own employees, and those employees often don't have a voice loud enough to influence the board and Executive team, or to communicate the importance of cyber security across middle management.

For example, penetration testing of existing systems, or adding a further level of requirements or assurance as part of supply chain due diligence, will pay dividends in the future, but many of an organisation's senior leaders may not recognise that. 

An organisation should look to develop appropriate policies and train employees on recognising risks and being proactive. This should be communicated to a range of different audiences, in order for employees to understand a risk even when they have little or no relevant technical expertise. Any risk mitigation plans put in place by an organisation must include the risks posed by ICS and other IoT devices.. Such plans must cover as much ground as possible, from recognising the early signs of an attack or a breach, through to putting in place a formalised incident management plan.

The risks of supply chain cyber attacks remain high and changing perspectives and culture will not happen overnight. Despite the challenges, it remains essential that an organisation is able to detect and mitigate cyber risks quickly, in order to prevent the risks crystallising into operational disruption

Sarah Daun and Caroline Churchill are Partners at law firm Womble Bond Dickinson

You Might Also Read: 

EU Businesses Risk Fines For Not Complying With IoT Security Rules:

 

« Privileged & Protected - Managing Access At The Endpoint
The Role of Zero Trust Architecture In Minimising Cyber Risks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Aeriandi

Aeriandi

Aeriandi is a leading provider of hosted PCI security compliance solutions for call centres, trusted by high street banks and major Telcos.

Zanasi & Partners

Zanasi & Partners

Zanasi & Partners is a security research and advisory company active in the EU and MENA areas. Services focus on technology solutions.

Assured Information Security (AIS)

Assured Information Security (AIS)

AIS is committed to providing our customers with critical information security products, services, and training. We support diverse needs throughout business and industry.

Crypta Labs

Crypta Labs

Crypta Labs is an Award Winning IOT Security startup that is developing a quantum-based encryption chip to secure the Internet of Things.

Bottomline Technologies

Bottomline Technologies

Bottomline Technologies is an innovator in business payment automation technology, helping companies make complex business payments simple, smart and secure.

Information Technology Industry Development Agency (ITIDA)

Information Technology Industry Development Agency (ITIDA)

ITIDA has two broad goals: building the capacities of Egypt’s local information and communications technology (ICT) industry and attracting foreign direct investments to boost the ICT sector.

GoCyber

GoCyber

GoCyber is a new, highly innovative cyber security training app that uses action based learning to significantly improve the online behaviour of all employees in less than a month.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

Sayata Labs

Sayata Labs

Sayata delivers a streamlined solution for processing cyber policies. Increase profitability with an easy and intuitive platform.

Sec-Ops

Sec-Ops

Sec-Ops is a forward thinking cyber security company, formed by a group of security enthusiasts with years of experience and backgrounds in the technology and the government industries.

Oxford Internet Institute - University of Oxford

Oxford Internet Institute - University of Oxford

The Oxford Internet Institute is a multidisciplinary research and teaching department of the University of Oxford, dedicated to the social science of the Internet.

Rimini Street

Rimini Street

Rimini Street is a global provider of enterprise software support products and services, and the leading third-party support provider for Oracle and SAP software products.

TempoCap

TempoCap

TempoCap is a European growth-stage technology fund with offices in London and Berlin. We invest across a variety of high- growth sectors including cybersecurity.

CYBHORUS

CYBHORUS

CYBHORUS are a team of Italian cyber security experts, specialized in cyber threat defense and strategic and organizational consulting.

Telarus

Telarus

Telarus is a Technology Services Brokerage that holds contracts with the world's leading cloud voice, contact center, cybersecurity, mobility and IoT providers.

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs are a group of IT security specialists, ethical hackers, and researchers driven to identify security flaws before cyber threat actors does.