-by Jason Howells, Director EMEA, MSP Business at Barracuda Networks
You’d have to have been living under a rock not to have noticed the huge ransomware risk that has swept the globe in recent months. You’ll know all about human error and the importance of internal access segregation, and have probably discussed - and have hopefully implemented - staff training for phishing emails. You’ve likely spoken to your IT department about a BYOD (bring your own device) policy, MDM (mobile device management), and putting up big digital walls externally and internally around your data, with little need-to-know doors, the keys to which are held only by the relevant people.
But, according to a new survey of 553 executives published by the Shared Assessments Program, there is one thing companies aren’t asking for.
There is a big gaping hole in most companies’ reactive and proactive cyber defence strategies (and if you think it sounds like I’m talking about a wartime siege, it’s because you are under attack, and this is a war); and that hole is IoT-shaped.
Despite the rampant IoT (internet of things) related attacks, 67% of you are not evaluating IoT security and privacy practices before engaging in a business relationship, with a full 77% also admitting to not considering IoT-related risks in third party due diligence. It’s unsurprising then, that only 44% of companies think their organisation is able to protect their network or enterprise from risky IoT devices. In fact, most appear fatalistic about IoT security. More than three quarters say a DDoS attack involving an unsecured IoT device is likely to occur within the next two years, and it seems commonly understood that this would either destroy or severely jeopardise a business: 94% of those surveyed noted that such an attack would be likely to prove catastrophic.
In business today, moving forward with IoT-related projects is pretty much unavoidable. While the technology involved in an IoT project may seem relatively straightforward, the risks to a business that those projects represent can be nothing less than massive.
Levels of vulnerability to attack vary hugely, and risk mitigation is almost impossible; but as we’ve established, you probably already knew this. But contrary to popular belief, that doesn’t mean all is lost.
Management not mitigation
Home truths time: you need to move away from the mindset that cybersecurity is a problem that can be solved rather than a process that needs to be maintained. Cybercrime is here; and no matter what you do, it’s here to stay. It’s far too lucrative a business for sophisticated criminals to simply give up because we invented a new firewall or phishing defence technology. The constant state of flux which is the IT industry means that everything is up for grabs from both sides of this battle; and no matter what cybersecurity experts or your IT department or IT service provider do, there is someone working equally hard on the other side to undo that work.
What you need to know now is what level of specific risk you’ll face when moving an IoT application into production. The first step in determining that risk is, of course, figuring out what types of attacks might be launched.
The bottom line is risk is involved in everything, and adopting technology is no different. If you’re a business executive, you’ll habitually weigh risk versus opportunity, but lengths are always taken to get as good a handle on the risk as possible.
The real issue, of course, is making sure the right calculus for determining those IoT risks is being applied.