About 100,000 internet-connected devices – thermostats, baby monitors and other “smart” devices embedded with the brains of a computer – compromised by malware launched a distributed denial-of-service (DDoS) attack against Dyn, one of the premier providers of DNS – the equivalent of the internet’s phone book. Overloaded with fake requests, Dyn’s DNS servers were unable to provide legitimate services to its clients, like Amazon, The New York Times and Twitter.
IoT botnets may be one of the biggest emerging internet threats, and you should pay attention. Not only because of their ability to launch crippling attacks that take out large sections of the internet, as we saw in the Dyn attack, but because your organization may be complicit in the attack.
Enterprise adoption of IoT devices – including commercial and government – will account for almost 80% of IoT adoption, creating one of the largest attack surfaces for your enterprise and an intrusion vector possibly eclipsing phishing email as a top risk exposure.
If your organization has difficulty managing traditional enterprise IT risk today – servers, workstations, mobile devices and even a cloud deployment – the upcoming wave of IoT devices will be larger by an order of magnitude (10 times larger), creating an unmanageable attack surface expansion for almost every organization operating today. This is the greatest risk to enterprise IT risk managers as they absorb the impact of future IoT DDoS attacks.
Who is responsible for risk management of these connected devices? For unmanaged IoT devices deployed at home, the answer today is not clear; it may be the consumer, the manufacturer, or the internet service provider. However, responsibility for enterprise IoT devices is very clear; the company responsible for installation and maintenance of the IoT device is responsible for safety and security. This even applies as IoT vendors go out of business or stop supporting firmware. As modern enterprises move their essential operations to connected, digital corporate ecosystems, the scope of traditional IT risk management must be expanded to compensate for the evolving threat landscape.
Safe and secure operation of these systems captures executive and board attention, and many leading organizations have identified this risk as an existential threat to their organizational competitiveness and survival. Leading organizations have designated a chief risk officer or digital risk officer – sometimes as a direct report to the CEO, or sometimes under the chief legal officer. Undoubtedly, this is not only the chief information security officer’s or the chief information officer’s duty; there must also be an enterprise-wide movement toward accountability.
As you adopt more IoT, have the following conversations with your business and IT stakeholders:
- Ask “How many IoT devices should we have?” and “Does that make sense?”
- Ask “How do we scan/monitor our network for IoT devices?” and “Do we know their purpose?”
- Consult with subject matter experts on possible impacts from an IoT deployment, and run tabletop scenarios of the major risks posed to your operations from IoT devices.
- As an organization, decide the amount of risk your organization is willing to take for the benefits of an IoT deployment. This is your digital risk appetite.
- Finally, use your digital risk appetite to estimate a risk-benefit tradeoff that translates your digital risk impact into business action for your executives.
Opening this dialogue within your organization will help your business adapt to evolving technology and understand the important shift into digital risk management. Discovering, developing and communicating your digital risk appetite is the first step in preparing for tomorrow’s emerging digital risks.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.