In digital businesses, connected technologies and integrated devices like those from the internet of things are the fuel driving companies toward new business models and better outcomes. Data plays both offense and defense at these companies, keeping them ahead of their competitors. However, data’s profile of high value, large volume and vulnerability quotient is getting the attention of hackers like never before. According to Gartner, in 2017 there are projected to be 8.4 billion connected things, setting the stage for 20.4 billion IoT devices to be deployed by 2020. The enormity of this data is overwhelming, and is (unsurprisingly) leading to complications in organizations’ security strategies.
The secure walls that companies built over the past decades are cracking. Too many cyberattacks are making their way through, allowing hackers to reach valuable business data. Thus, perspectives on security have drastically changed. Implementing a combination of basic security practices as well as data-centric approaches is key to defending against a future of growing cyberattacks.
The value, pace and vulnerability of data
Data from IoT devices holds incredible value — both for digital businesses and for hackers. McKinsey & Co. reported a $2.8 trillion GDP increase from data flows in 2014 as more trade and commerce shifts to online business models. According to the analysts, data flows of information, communication, transactions and intracompany traffic is surging, and virtually every type of cross-border transaction has a digital component.
The pace of data creation also impacts digital businesses. The combination of internet of things data, mobile data and big data has created a very large and attractive data footprint for hackers. In fact, storage manufacturers are expected to ship 521,000 PB of enterprise storage capacity by 2020 to keep up with the rising volume of data.
And just as data value and the volume increases, so does its vulnerability. Digital businesses store data across hybrid infrastructures — on-premises, in the cloud and on endpoints. Each of these comes with risks, especially with the influx of mobile devices and the fast approaching IoT devices. Hackers view these endpoints as vulnerable and an easy entryway to business and personal data. Not surprisingly, they have already been testing the waters.
IoT and security today
In 2015, 65% of companies experienced a targeted attack and an average of 1.9 million records were breached every day. For digital businesses, the threat watch is real and the calls to protect IoT data are coming from throughout the company. Conversations have changed from being a “bottom up” conversation to a “top down” one within organizations. Executive management is talking about security in terms of business impact — not technology.
Something else that is unique is that the individuals voicing concerns about security threats are not solely from the IT side of the company, they’re also from the business side. CEOs and chief data officers want a security strategy that protects their brand and reputation. CFOs want protection from spear phishing. CMOs and HR managers are asking about multifactor authentication and encryption. Security is as much a business discussion as it is a technical conversation.
A mix of old and new security
Companies that are carving out a niche as leaders in IoT are finding the best approach to securing their business assets is to revisit proven security practices and throw in a set of new best practices born out of the current emphasis on data. The network perimeter still needs strong protection, but companies realize that mobile devices and IoT devices perpetually create holes in that very expensive wall as they connect to the internet. With that in mind, security needs to move closer to the business apps, and in them. Specifically, businesses need to follow these best practices:
- Commit resources to apps from software providers that build security into their systems and business models.
- Complete security approaches that address three tiers: secure products, secure operations and secure company.
- Make security a business discussion — and a technical conversation.
Other security basics are also getting dusted off. Security teams are renewing efforts to prevent default passwords, weak encryption protocols, incorrect authorizations and disabled whitelists, which are still common weaknesses that open businesses to successful exploits. On top of these steps, businesses are taking this back-to-basics approach to protect their business apps:
- Ensuring that a consistent and regular process is in place for patches and updates. Unpatched software poses the highest serious security risk for businesses.
- Encrypting communications between business systems with SSL/TLS and SNC.
- Checking the interfaces to business systems to see if they are adequately secured.
- Revisiting data backup plans and disaster recovery
- Reviewing the business systems platform’s security configurations.
There’s no new news here. These are fundamental to practicing good security, but still too many companies ignore them. A return to these basics is essential for companies looking to use IoT data effectively because in the next phase, more processes will be automated, more services cloud-based and more devices will be connected. Companies will need to add in these best practices to continue their transformation:
- Identify and prevent attacks from within the apps
- Protect data with an all-encompassing strategy that covers the cloud, on-premises and mobile devices
- Apply 360-degree correlation analytics across the network, endpoints, applications and data
- Accelerate threat detection with real-time incident response and forensics to limit threat impact
- Respond to threats in an adaptive manner with deep learning powered cybersecurity analytics
Security cornerstones: Products, operations and culture
Creating a secure company means nurturing a well-established security culture and a secure environment with end-to-end physical security of business assets and business continuity for operational resilience. This culture has to include employee training programs that teach everyone in the company about the latest threats and how to avoid them.
During the next few years, companies will embrace new technologies such as predictive analytics, machine learning and cognitive intelligence to keep their business assets secure. Companies that combine these future-oriented tools with tried-and-true best practices of the past will have the security they need to be a data-centric, automated digital business.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.