The Internet of Things
A few years ago, no one but a few techies had even heard of the Internet of Things. Broadly speaking, the ever-growing Internet of Things refers to devices connected to the Internet for the purpose of information transfer or process automation. Building owners and managers and homeowners are installing more and more devices that yield productivity, cost savings and pure pleasure. The uses for these devices are almost limitless and include lighting, security, HVAC, communications, cell phones and their many apps, parking, utilities, scheduling, and digital storage. Their boost to productivity, sustainability and convenience is a real plus and very good news for all of us.
Unintended and Unforeseen Risks
To put it bluntly, there are some serious unintended consequences that come along with the good news. These downside consequences arise from these devices and processes being installed and connected to the Internet with little or no understanding of the cyber exposures they bring with them. In a word, they open a client’s most precious assets to unwanted intrusion and theft.
The Target breach is a vivid case in point. The intruders got into Target’s trove of customers’ personal information through its HVAC vendor (a classic IoT combination) and did it in such a way that Target did not notice the theft of its customers’ files until it was too late to do anything about it. Security professionals were not surprised. They know that the Internet of Things has expanded the attack surface for the bad guys. Devices that are increasingly embedded in home and building ecosystems provide many more Internet points of entry for unwanted intrusion.
So, you might say, that was Target, obviously an inviting ‘target’, but no one would target my business – we are simply too small for anyone to care. In light of Verizon’s 2013 Data Breach Investigations Report (May 2013), and other similar reports along the same lines, you might want to reconsider. “The ‘I’m too small to be a target’ argument doesn’t hold water,” the report states. “We see victims of espionage campaigns ranging from large multi-nationals all the way down to those that have no staff at all.” See http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf. Other studies reporting that about 80% of cyber attacks are aimed at small businesses are equally sobering. See https://aerissecure.com/blog/data-breach-statistics/.
“The scary thing about this number is that the small businesses are usually the least equipped to protect against an attack. Most hackers will prey on the weak. With technology being so prevalent in all businesses, few can afford to NOT pay attention and do whatever they reasonably can to protect their business and assets.” Id.
A disturbing recent development for small businesses is the rise of “ransomware,” where a predator infects a company, usually a small one, with an encryption virus that encrypts the target’s data. The predator then demands a payment to provide the key. The payment demands to date have been small, and businesses usually pay them because the cost of pursuing other remedies is much higher. Imagine, however, this model being applied to a modern building where the predator takes over the elevators and demands a ransom to turn them back on.
Meeting the Risks Head-On
This should be a wake-up call for all business owners. If you are paying attention but are simply overwhelmed by the deluge of scary information hitting your inbox every day, the question becomes: “What can a business owner reasonably do to protect the business from cyber attacks emanating through the Internet of Things that likely will result in loss of critical assets, reputation and remediation time and money?” You can and should be able to address your IoT exposures, and many others associated with your Internet presence, efficiently, cost-effectively and in a timely manner. Because your exposures are both IT and non-IT, your counsel and trusted IT governance and security partners should be on your team. A few lawyers are recognizing that, in this ever-expanding cyber risk field, lawyering alone will not get the job done. By the same token, forward-thinking IT governance and security professionals know there is a lot more to the incoming risks than can be handled by IT protection alone.
A few concrete examples of the appropriate lines of inquiry should make the case. For starters, lawyers should, at a minimum, review their client’s:
- social media policies and practices to ensure it has them and is doing the right thing in using social media, or not, in its hiring;
- contracts with its cloud computing vendors to ensure they provide the actual location of the client’s data, what kind of security safeguards the vendor has in place, and whether the vendor can execute a legal hold on data when instructed to do so by the client;
- privacy practices including a policy vetted by counsel and posted appropriately, and effective access control requirements; and
- compliance with state and federal statutes regarding data security, including HIPAA.
The client’s IT governance and security professionals should review the client’s:
- computer system usage policies and procedures, employee access rights, backup protocols and change management policies; and
- computer system overall security including enterprise management of records, tested firewalls, detection of unauthorized access, and regular penetration testing.
We began this conversation by talking about the six-lane highway of risks occasioned by the Internet of Things. If you do not have any building control systems or other connected processes in use in your business or in your home, then you should be free of IoT concerns. For those of you who do have Internet-connected devices and processes in place in your business or home, you should make sure that, at a minimum, you have an inventory of these processes and devices, have security in place for all of them, monitor them on a continuous basis so that you become aware of malfunctions in real time, and conduct audits and testing on a regular basis to verify the operation and security of the devices and processes.
Governance Big Picture and Bottom Line
It is critical that leadership at the top sees to it that data, device and process security are seen as an enterprise concern. Breaches can hurt every department and aspect of the business which will, in turn, hurt the company’s profitability and reputation. Budget fights between departments have no place since the security budget should be a company-wide budget with the cost shared across the enterprise.
With the right legal counsel and IT governance and security professionals on your team, you can effectively address both the IT and non-IT risks embedded in the Internet of Things. We strongly recommend that you have the conversation with your counsel and ask for a plan to assess and remediate your real-time risks. Your goal should be to achieve the ability to make informed risk management decisions about your multiple risks, specifically whether to remediate them, transfer them by way of cyber insurance, or accept them. Whatever you decide, you’ll be much more likely to make the right call with the right cross-disciplinary team in place. For questions or more information on potential IoT risks, contact Edward M. Dunham, Jr. at firstname.lastname@example.org.