How the proliferation of unsecured IoT devices is putting organizations at risk.
Consider the innocent fishbowl. If a threat is the last thing it brings to mind, you might want to think again.
In 2017, hackers used this innocuous aquatic accessory to infiltrate a casino database and steal sensitive records, including personally identifiable information. How? The fish tank’s temperature control was connected via the Internet of Things (IoT) to the casino’s servers. What seemed like a harmless connection turned into a digital lock that hackers could easily pick. And pick it they did.
While not every organization has a smart fish tank in its lobby, IoT technology is present in everything from assembly lines to coffee machines. This creates vulnerabilities that hackers looking for sensitive records can exploit, because too many organizations ignore a critical security practice: asset management.
Technology beats security
After business use cases like smart doorbell technology and smart refrigerators became commonplace, IoT technology quickly spread throughout the business world. It’s easy to see why, as IoT enables teams to automatically access the data they need to make split-second decisions.
The problem, however, is that the technology has created a host of new security challenges. Imagine an office building that has been around for decades. One day someone decides to buy a smart coffee machine for the marketing team and connects it to the network. Soon, word spreads that marketing has this great new coffee machine, so the sales team buys one too. And so on and so on.
Meanwhile, in Building C, the workplace operations team is adding Amazon Dash buttons in restrooms so employees can order toilet paper when they run out. In the blink of an eye, smart devices are all over the building, each one a potential vector for a security leak, and the IT team doesn’t even know they were installed because no one thinks they need IT to set up a cappuccino maker.
When employees walked out of the office during Covid, organizations had the perfect opportunity to inventory the IoT devices on their network. This crucial step, asset management, would have helped prevent future cybersecurity attacks. Unfortunately, this was far from common, as CISOs and CSOs were too busy figuring out how to secure their new remote workforces.
A silent problem
So the problem persists. Unfortunately, poor asset management is not getting the attention it so badly needs. This is a particularly glaring artifact of IT’s historical isolation from “business”: the two organizations are simply not having the necessary conversations about the risks of rogue IoT devices.
The language barrier between IT and business goes both ways: the business side of the house often doesn’t think about IT and data security when looking at the risks and opportunities facing their organization. And when IT asks for additional budget, business teams have a hard time justifying the investment because they don’t see tangible ROI.
Unfortunately, the cost of fixing IoT security can seem high compared to the theoretical risk of an attack, which is why leaders don’t factor IoT security into their risk analyses. To fix this problem, executives need to have data-driven conversations about what the risk looks like and whether they’re willing to accept it.
Add to this the lack of regulatory oversight and the problem is compounded. Governments and regulators simply don’t pressure organizations to protect their vulnerable assets. Regulators have failed to catch on to the fact that there is no longer a material difference between an espresso machine and a router, or a light bulb and a server.
Until regulatory pressure increases, organizations and public entities will continue to face a heightened risk of cyber attack. For now, most companies face the very real possibility that an attacker could bring down an electrical grid through a refrigerator in the break room.
Taking a step
The first step to solving this problem is to accept that the problem exists. That’s right, your prized collection of clownfish and surgeonfish can pose a real threat to your servers.
The second step is to gather your inventory of assets.
While not an easy task, asset management is possible and worthwhile. We have tools like the shared vocabulary of the Common Service Data Model. We have the ability to integrate different registration systems. But before we can effectively use the tools we have, we need to expand the reach of the conversation from data centers and desktops to everything in the enterprise. Including the fish tank.