First off – What is the IoT? Andrew Meola of Tech Insider defines it this way:
The IoT (“Internet of Things”) refers to the connection of devices (other than typical fare such as computers and smartphones) to the Internet. Cars, kitchen appliances, and even heart monitors can all be connected through the IoT. And as the Internet of Things grows in the next few years, more devices will join that list.
Picture driving home, avoiding accidents with your collision avoidance system, and then pushing a button to unlock your doors, switch on your lights, check your refrigerator and turn on your lawn sprinklers. All of these capabilities are enabled by connected “things,” and because those things can receive, send and act on messages sent via the Internet, they are part of the Internet of Things. As such, they are also capable of becoming an entry point for hackers into a much larger universe, in this case perhaps your bank accounts. Also consider the many component “things” that make up an automobile, airplane or nuclear missile. What was science fiction just yesterday is reality today. Forbes simplifies this: “If it has an on and off switch then chances are it can be a part of the IoT.” BI Intelligence predicts that there will be “more than 24 billion IoT devices on Earth by 2020.” That equates to about four devices for every person on the planet.
What Risk Does the IoT Present to the Corporate World?
There is little doubt that, as the number of IoT devices increases exponentially, there will be significant advantages that promise currently unknown opportunities to improve our lives. Smart cities, for example, can dramatically improve energy efficiency, reduce crime and minimize traffic congestion. But what about the possibility that someone could hack into a company light switch and gain access to proprietary data? As the possibilities grow for revolutionary improvement in our lives, concern also grows for the security risks that will follow.
In 2016, the FBI, together with the U.S. Department of Transportation and the National Highway Traffic Safety Administration, warned people about cybersecurity threats to automobiles. This warning was based upon a controlled experiment by two hackers who managed to gain control of a Jeep Cherokee traveling at 70 mph and remotely turn the steering wheel and apply the brakes.
In September 2016, sophisticated hackers utilized 152,000 consumer IoT devices to initiate what was, at the time, the world’s largest distributed denial of service (DDoS) attack, against French hosting provider OVH. The attack disrupted service to customers around the globe. In October 2016, hundreds of thousands of insecure webcams, digital video recorders and other everyday devices were appropriated to initiate a larger attack on Internet infrastructure, temporarily knocking some Web services, including Twitter, PayPal and Spotify, offline. DDoS attacks are increasing steadily in size and frequency, according to a Verisign study in the spring of 2016 that reported that the number of attacks had almost doubled in the final quarter of 2015 compared to the same period in the previous year.
Why Isn’t the IoT Risk Taken More Seriously by Boards?
Some of this may be tied to the way people generally react to and assess different types of risk. Security technologist Bruce Schneier points out that people tend to over-react to immediate threats and under-react to long-term threats; people also under-react to changes that occur slowly and over time. Despite the growing concern and increased media interest, unless a company has been attacked, or is currently experiencing an intrusion, board members may tend to react to the IoT threat with a degree of denial, as a lot of us do to the risk of identity theft — it will happen to the other guy.
Many board members may also simply not be attuned to this type of risk, believing that it is best left to the “technical people.” Cybersecurity and IoT threats don’t easily fit into the more traditional strategic, financial and operational categories of risk, areas that fit more easily with the backgrounds and experience of many board members. It’s also important to note that the IoT attack threat is one step removed from the more general cybersecurity risk. It’s easier to get one’s arms around a computer hack than an attack initiated through a cafeteria toaster.
Steps to Wake Up a Board
Of course, education is vital. It is important that boards understand the nuances and proliferation of the IoT threat and the boards’ responsibility to include the risk as an integral part of the company’s existing governance, risk management and business continuity framework. Including a cybersecurity expert as a board member will help, as will regularly scheduled sessions to focus exclusively on the issue.
Help in this regard may be on the way. Congress is set to introduce new legislation that will require IoT devices to incorporate more security measures in their design. The new bill, introduced in the Senate in early August 2017, will require vendors providing connected equipment to the U.S. government to ensure that their products are patchable and meet industry security standards. Under the bill, devices with fixed, unchangeable passwords, or with known security vulnerabilities, would be banned from government use. Federal agencies may seek permission from the U.S. Office of Management and Budget to buy noncompliant devices so long as other controls are in place. It is anticipated that this legislative initiative will prompt additional focus in the private sector.
Hopefully, this legislation, together with increased attention to the very real IoT threat, will begin to convince boards that it is not too complicated to understand where this issue is headed. Boards should be at the forefront of raising the concern for IoT threats in their companies, ensuring that the corporate interest in addressing it is aligned from the top down and pushing for the proper staffing and budget. It will soon become clear that the IoT, with all of its promise, also brings with it real risks, as significant as all other risks boards have traditionally met.