In IoT environments where devices, applications and people are interconnected across vast and disparate ecosystems, it’s imperative that security is an integral part of IoT deployments.
Threats are everywhere, and the attack surface is potentially limitless. IoT ecosystems encompass the network edge and perimeter, the data center, applications, and the data transmission and networking mechanisms that tie them together. They also include every piece of company-owned equipment and every end user-owned device. Even the most proactive IT departments find it challenging to keep pace with career hackers and ever more efficient, targeted attacks.
There is no such thing as a 100% fully secure environment.
Security is not static; it is a work in progress. Organizations must be vigilant and assume responsibility for their own system and network security. ITIC’s latest survey data found that an overwhelming 80% of respondents named the “carelessness of end users” as the biggest threat to organizational security, far outpacing the 57% who cited malware infections as the largest potential security problem.
Security is a 50/50 proposition between technology and the humans who must implement and manage it. In Part one of a two-part article, we outline the top 10 business and procedural must-do steps organizations should take to safeguard the IoT ecosystem and mitigate risk. Part two will detail the top 10 list of technology safeguards organizations should implement to safeguard corporate data assets.
Top 10 business steps to defend against cybersecurity threats
- Take inventory. Know what people, devices and applications are on your network, including the versions of software your users have installed on their myriad desktops, notebooks, tablets and smartphones. Twenty-five years ago, in the early 1990s and before widespread internet connectivity, businesses used to brag about the longevity and reliability of their servers and network operating systems. It was considered a badge of honor if an IT administrator discovered a forgotten Novell NetWare 3.x or 4.x server running in a closet that hadn’t been rebooted in nine or ten years. Today that same forgotten server is an unpatched, unmonitored foothold. Ignorance is not bliss. Complacency, forgetfulness and ignorance of what devices are on your network, along with a host of overlooked configuration errors that unwittingly give opportunistic hackers carte blanche to exploit your network, could spell disaster and leave a corporation’s data assets unprotected. Compile a list of all devices, applications, transmission mechanisms and access levels for all network users, from the CEO down to office temps. Retire old and outmoded equipment, or retrofit it with the latest security mechanisms. Take inventory at least every six months and preferably quarterly. Additionally, a corporation that has acquired another firm via a merger or acquisition should do a complete and thorough inventory of the acquired entity’s infrastructure before connecting it to its own. This requires cooperation and collaboration with the acquired company’s IT department, engineers and software developers.
- Regularly review and update computer security policies. As the saying goes, “The best defense is a good offense.” The business case should always precede and drive the technological aspects of computer security. Organizations should construct new security policies and procedures, or update existing ones, covering all aspects of the business. Security policies and procedures should reflect the current business climate and provide clear guidelines on how to respond to the latest cyberthreats. The organization’s security policies should include a clear list of “Dos and Don’ts.” They should be disseminated by human resources to all employees via hard copy and email, and incorporated into the onboarding training process for new employees. Businesses should treat cybersecurity with the same seriousness as they do issues of discrimination and sexual harassment.
- Enforce computer/cybersecurity policies and procedures. No exceptions. Make it clear that the corporate cybersecurity rules are not made to be broken. The organization should construct a clear, concise list of the penalties associated with various infractions, including a sliding scale of actions the corporation may take for first, second and third infractions. Failure to comply with the corporation’s cybersecurity policies may result in actions ranging from a warning to termination and even criminal prosecution.
- Educate all users. Everyone in the organization, from the chief executive to the IT department, application developers, knowledge workers, contract workers and office temps, must be educated on, and adhere to, the company’s computer and cybersecurity policies and procedures. Additionally, the IT department should regularly inform users about the latest threats via email and hard copy.
- Construct a cybersecurity-specific operational level agreement (OLA) and response plan. Every organization, irrespective of size or vertical market, should have a detailed OLA in place to respond quickly and efficiently to cyberattacks and cyberheists. An OLA is a set of detailed policies and procedures that governs how the company’s internal stakeholders (chief security officer, chief technology officer, director or VP of IT, administrators and security professionals) will work together to respond to issues. The OLA details the policies and procedures for dealing with hacks so as to minimize downtime, data loss and theft. Quick response to a security issue can be the difference between thwarting a hack and suffering downtime and data loss. The cybersecurity OLA should establish and define the organizational chain of command, assign specific duties and responsibilities in the event of an attack, outline daily security operations and provide detailed instructions on how the various internal stakeholders will work together to respond to security issues. It should also include a list of all outside third-party vendors and service providers, with named contacts at each of those organizations.
- Security should be built in. Security cannot be practiced with 20/20 hindsight. It is the company’s responsibility to perform due diligence and work in concert with its vendors, resellers, third-party independent software vendors and professional service providers to ensure that all new devices and applications incorporate the latest security mechanisms. Before provisioning or deploying any device or application, the company should take great pains to ensure it is secure by design, secure by default, secure in usage, secure in transmission and secure at rest (storage).
- Budget appropriately. There’s intense competition among the various corporate upgrade projects and individual departments, and within the IT department itself, to get their slice of the organization’s capital expenditure (Capex) and ongoing operational expenditure (Opex) budget. Oftentimes, security gets short shrift and loses out to other projects and stakeholders. The adage, “If it ain’t broke, don’t fix it,” definitely does not apply here. Any firm that delays and defers security does so at its peril. Perform due diligence involving all pertinent parties to determine a timetable and construct a budget for hiring skilled security IT staff or outside third parties to perform vulnerability testing and risk mitigation, for purchasing new security software and equipment, and for upgrading existing devices.
- Deploy security awareness training from the C-suite down to the IT department. ITIC’s most recent security survey found that over 40% of the 600 responding organizations could not identify the type, length or severity of the cyberattacks their firms had experienced. Additionally, 11% of respondents said they were “unsure” whether their companies had suffered a hack over the last 12 months. Hardly a day goes by without another major cyberattack or other security-related issue making the news. Overworked and often under-staffed IT and security administrators are hard pressed to keep pace with the increase in security threats. If you can’t identify a threat, you won’t recognize it when it happens. And if your organization fails to implement the appropriate safeguards, such as auditing, authentication and tracking mechanisms, it will be difficult if not impossible to track the culprits after the fact.
- Stay current on the latest security patches and fixes. This may seem obvious, but its importance cannot be overstated. For IoT devices in particular, confirm that each device actually has a supported update path, since many cannot patch themselves, and track vendor end-of-support dates alongside the device inventory so that equipment that can no longer be patched is retired rather than forgotten.
- Calculate the cost of downtime related to cyberattacks and hacks. There is no more sobering wake-up call for a corporation than to calculate the monetary costs and business consequences of a cyberattack. These include, but are not limited to, downtime; lost, stolen, damaged, destroyed or altered data; and the cost and amount of time it takes for IT to perform remediation. Also consider the monetary cost of potential litigation, civil and criminal penalties, damage to the company’s reputation and brand, and potential lost business.
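The inventory in step 1 and the patch currency in step 9 are only useful if they are regularly checked against what is actually on the wire. The following is an added example, not code from the original article, showing one way to do that reconciliation in Python: it compares a constructed scan export against a constructed approved inventory and reports devices that are unknown, running software older than the approved minimum, past vendor end-of-support, or listed in the inventory but no longer seen. The inventory schema, the scan line format, and every MAC address, version and date in it are assumptions made for illustration.

```python
"""Added example: reconcile devices observed on the network against an
approved asset inventory.  All data below is constructed for illustration;
the inventory schema and the scan-export format are assumptions, not any
real tool's output."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    owner: str            # accountable team (from the inventory, step 1)
    product: str          # product or firmware family
    min_version: str      # oldest version still considered patched (step 9)
    end_of_support: date  # vendor end-of-support date (assumed values)


# Constructed approved inventory, keyed by MAC address.
APPROVED = {
    "00:11:22:33:44:01": Asset("facilities", "hvac-ctl", "2.4.1", date(2026, 1, 1)),
    "00:11:22:33:44:02": Asset("it-ops", "core-switch", "9.3.0", date(2027, 6, 30)),
    "00:11:22:33:44:03": Asset("security", "ip-camera", "1.8.0", date(2019, 12, 31)),
    "00:11:22:33:44:04": Asset("it-ops", "file-server", "5.0.0", date(2025, 3, 1)),
}

# Constructed scan export, one device per line:
# <mac> <ip> <hostname> <product> <version>
OBSERVED = """\
# mac               ip         hostname   product      version
00:11:22:33:44:01   10.0.1.10  hvac-east  hvac-ctl     2.4.1
00:11:22:33:44:02   10.0.0.2   sw-core-1  core-switch  9.2.7
00:11:22:33:44:03   10.0.2.40  cam-lobby  ip-camera    1.8.2
AA:BB:CC:DD:EE:FF   10.0.3.77  closet-box netware      3.12
"""

# Date the check is evaluated against (fixed so the output is reproducible).
REFERENCE_DATE = date(2024, 1, 15)


def parse_version(text: str) -> tuple[int, ...]:
    """'9.10.0' -> (9, 10, 0): compare numerically, since as strings '9.10' < '9.9'."""
    return tuple(int(part) for part in text.split("."))


def parse_observed(text: str) -> list[dict]:
    """Parse the scan export; MACs are lower-cased so case differences don't hide a match."""
    devices = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        mac, ip, host, product, version = line.split()
        devices.append({"mac": mac.lower(), "ip": ip, "host": host,
                        "product": product, "version": version})
    return devices


def reconcile(observed: list[dict], approved: dict, today: date) -> dict:
    """Return findings per category; each value is a sorted list of MAC addresses."""
    findings = {"unknown": [], "mismatch": [], "outdated": [], "end_of_life": [], "missing": []}
    seen = set()
    for dev in observed:
        asset = approved.get(dev["mac"])
        if asset is None:                      # on the wire but not in the inventory
            findings["unknown"].append(dev["mac"])
            continue
        seen.add(dev["mac"])
        if dev["product"] != asset.product:    # inventory says one thing, device another
            findings["mismatch"].append(dev["mac"])
        elif parse_version(dev["version"]) < parse_version(asset.min_version):
            findings["outdated"].append(dev["mac"])
        if asset.end_of_support < today:       # still on the network past vendor support
            findings["end_of_life"].append(dev["mac"])
    # In the inventory but not observed: retired without being removed, or offline.
    findings["missing"] = [mac for mac in approved if mac not in seen]
    return {k: sorted(v) for k, v in findings.items()}


def report(findings: dict) -> str:
    """Render the findings as one line per category for a quarterly inventory review."""
    lines = []
    for category, macs in findings.items():
        lines.append(f"{category:12s} {len(macs)}  {', '.join(macs) if macs else '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(parse_observed(OBSERVED), APPROVED, REFERENCE_DATE)))
```

Run it with each quarterly inventory. The "unknown" list is the forgotten-server-in-a-closet case from step 1; "outdated" and "end_of_life" are step 9 in concrete form. The "missing" entries deserve a look as well, since an asset that was retired without being removed from the inventory still carries whatever access the inventory grants it.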
Ultimately, everyone in the corporate enterprise — from the C-level executives to the IT department and all the end users — must communicate, collaborate and cooperate to defend the data assets. Ask yourself: What have you got to lose?
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.