Game-Changing Security Hazards Will Develop as IoT Grows
August 01, 2017 at 01:46 PM
The original version of this story was published on Law.com
As the IoT moves toward the core of digital business, the integration of security domains will likely introduce game-changing hazards. But some organizations have executed an integrated IoT cybersecurity program.
In fact, PwC recently issued the new (fourth) installment of The Global State of Information Security (GSISS) Survey 2017, "Uncovering the potential of the Internet of Things," which focuses on how organizations are addressing cybersecurity and privacy for converged technologies. Grant Waterfall, PwC US Cybersecurity & Privacy Deputy Leader, sat down with Inside Counsel to discuss the report and how the right cybersecurity and privacy safeguards can help businesses optimize the promise of IoT.
Until recently, a cybersecurity exploit leveraging the IoT was a theoretical concept. That changed one morning last fall, when an army of IoT devices carried out a massive Distributed Denial of Service (DDoS) attack on Dyn, a Domain Name System provider. Hundreds of thousands of compromised IoT devices, including cameras, webcams and routers, hit Dyn's headquarters with a DDoS attack that leapfrogged around the world, taking down major websites in its wake. By that afternoon, cybersecurity for the IoT had quickly escalated from an esoteric information security discipline to mainstream news. Suddenly, IoT security and privacy had become a new business priority.
Risks of future compromises will very likely increase as connected devices proliferate, according to Waterfall. In fact, Gartner, Inc. forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020. Approximately one-quarter of respondents to The Global State of Information Security® Survey 2017 report exploits of IoT components like operational technologies (OT), embedded systems and consumer devices.
“As the IoT moves toward the core of digital business, the integration of security domains — IT, OT and consumer technologies — will likely introduce game-changing hazards,” he explained. “These potential risks include disruption in the information flow among connected devices, physical interference with equipment, impacts on business operations, theft of sensitive information, compromise of personal data, damage to critical infrastructure and even loss of human life. Yet few organizations have executed an integrated IoT cybersecurity program, largely because implementation standards or frameworks have been slow to emerge for the platform.”
Beyond security, many privacy issues surround IoT implementation, related to the collection, storage and use of data flows of information acquired through the use of IoT devices. When the collection and use of IoT data includes personal information, or if the information collected can be used to paint a picture of an individual's activities, businesses must then consider the privacy risks associated with processing this data. Since IoT security and privacy is a nascent discipline, most businesses lack the expertise and resources to design, deploy and operate a program on their own.
Still, many are starting to take action on the security and privacy fronts, according to Waterfall. This year, 35 percent of GSISS respondents said they have an IoT security strategy in place, and an additional 28 percent are implementing one. Additionally, 46 percent of respondents said they will invest in security for the Internet of Things over the next 12 months. They plan to fund initiatives such as development of new data-governance policies, device and system interconnectivity and vulnerability, employee training and uniform cybersecurity standards and policies.
So, how are organizations addressing cybersecurity and privacy for converged technologies?
“It's good news that organizations are beginning to address cybersecurity and privacy for converged technologies, but much remains to be done,” he said. “Those that take proactive steps to implement an integrated IoT cybersecurity and privacy program will be better prepared to manage inevitable future risks and create new products and services that can transform business models.”
The IoT is poised to upend business models, disrupt economies around the world, and deliver unprecedented conveniences to society. An integrated cybersecurity and privacy program is key to realizing potential advantages as the Internet of Things unfolds. At the end of the day, businesses that align IoT product and systems development with emerging cybersecurity standards and safeguards will have a head start realizing advantages on the interconnected platform of tomorrow.
Many businesses are deciding that the opportunities of the IoT are simply too compelling to ignore, according to Waterfall. They see the emerging platform as a catalyst of change, a vehicle to boost competitive advantages, increase operational efficiencies and create new revenue streams. The trouble is that many are jumping into the IoT before they implement cybersecurity safeguards. He said, “The lack of IoT standards is a significant hurdle, but it is not insurmountable.”
“Given the sprawl of cybersecurity technologies deployed across organizational ecosystems, we would advocate that enterprises begin the dialogue now with their technology product partners regarding the path forward to identifying, securing and managing data produced or transacted on by an IoT capability,” said Shawn Connors, Principal, PwC. “We believe that many organizations will find that existing enterprise-class technologies are going to be quickly extended to manage and protect the flow of data within and across IoT networks.”
A cybersecurity program for the IoT does not necessarily require wholesale purchase of new technologies and solutions. Instead, organizations can start by integrating core IT cybersecurity safeguards with their IoT infrastructure. Some forward-thinking businesses are employing Enterprise Security Architecture (ESA) to build IoT security that is baked into architectural components across domains.
“To be most effective, training should be tailored to the individual company's threats, response-readiness and processes. Fostering a culture of security will be most effective when executive leaders proactively articulate the importance of a secure business environment,” explained Waterfall. “Organizations need to set the tone from the top, making security training really about enabling the company's digital future. They then need to tie training to the purpose of the company and design awareness programs around that.”