Threat or Opportunity? Risk Management of the Internet of Things
The Internet of Things (IoT) – a pervasive network of devices with their own software, sensors, and the capacity to communicate with other devices – has been an emerging technology for many years, with a widening range of applications in the commercial and consumer arenas.
IoT devices offer users the ability to manage systems remotely: changing the lighting, heating, and security at home, or monitoring production systems via the web, to take just two examples.
IoT devices offer enormous scope and flexibility for businesses providing new services or seeking new efficiency savings. They can also provide convenience and peace of mind for consumers. Even before the pandemic, it was predicted the IoT market would be worth nearly $1.6 trillion by 2025. However, the IoT has received a significant boost from people working from home during 2020.
This was reflected in a recent article by Forbes which highlighted the IoT as a significant trend for 2021.
A novel challenge
For business managers, IoT presents a novel challenge. On the one hand, they are often advocates of its use. They like that they can use IoT devices in a controlled and secure way, ensuring that devices comply with corporate IT standards and are regularly patched, for example.
However, the explosion of IoT use at home departs significantly from that controlled corporate experience. More worryingly, many consumers are not aware of the risks involved, nor even of the scale of the IoT capabilities built into their new fridge, washing machine, smart speaker, or headphones.
For business managers, IoT risk management was not an urgent need before March 2020. It now is.
Ubiquitous devices, ubiquitous risks?
With large swathes of the working population now working from home (WFH) for the foreseeable future, employers have an interest in how their staff use and secure technology at home. This issue is of significant interest to risk, compliance, security, IT, and operational managers at companies globally.
Unsecured IoT devices can be open to exploitation by attackers who wish to use them as a way into a corporate or personal network. From 2020 onwards, private and corporate networks have mingled, and will continue to mingle, to such an extent that an insecure domestic environment can compromise a secure corporate environment via insecure IoT devices.
These risks come from multiple sources. Firstly, many people are not even aware that a device may be internet-ready. Secondly, the passwords embedded in these devices often remain the factory default, ready for exploitation. Thirdly, security patches may not always be up to date. Together, and in volume, these weaknesses offer attackers an array of new surfaces from which to launch an attack.
There are practical steps people can take to secure their domestic IT environment:
- Use strong passwords, especially on routers at home.
- Enable firewalls on home routers and PCs.
- Apply patches and updates regularly.
Together, these will mitigate many risks.
Privacy issues may multiply
The – now very close – relationship between the corporate network and the home network presents privacy issues for management and obligations on staff to be mindful of how their personal technology environment can impact their employer and even their job.
Handled with thought and sensitivity, this gap can be bridged with a few sensible steps:
Education is a core element in IoT risk management for enhancing domestic technology security so that employees understand their responsibilities. Given the long-term interest in WFH, it is reasonable to raise the awareness of staff of the scale of IoT in their home, the risks it exposes them to, personally and professionally, and how best to mitigate these risks.
Policy management is also essential to IoT risk management, so that people understand what issues they need to consider when developing new systems, processes, and corporate standards. Employment contracts will likely need to be updated to recognize the practical and technical realities of WFH and IoT. Corporate applications need to be developed on the assumption that they may be used from insecure domestic environments.
This potentially will force the use of enhanced security protocols or constraints on how sensitive information is disseminated. Consistency across the business is important here, so that everyone uses the same ruleset. Staff using multiple, inconsistent versions of a key policy is a recipe for a security gap that someone could exploit.
Compliance with corporate standards needs to be tested on an ongoing basis. Partly this is to test staff’s understanding of their responsibilities and how they apply them at home and at work. It also highlights areas where policies are consistently poorly understood or poorly applied, and which may therefore need addressing.
IoT risk management needs to evolve as fast as the tech
These approaches will help all sides understand their rights and responsibilities around the domestic technology environment while respecting people’s privacy and work-life balance. They also provide the capability to integrate these insights with corporate Governance, Risk & Compliance (GRC) processes and the corporate risk register.
The advances of the Internet of Things will make technology more pervasive and powerful than ever. Right now, it’s up to IoT risk management professionals to take the steps necessary to ensure its security and compliance dangers don’t keep pace.