How the proliferation of insecure IoT devices is putting organizations at risk.
Consider the innocent fish tank. If the last thing that comes to mind is threat, you might want to think again.
In 2017, hackers used this innocuous aquatic equipment to infiltrate a casino’s database and steal confidential records, including personally identifiable information. How? The aquarium’s temperature controller was an Internet of Things (IoT) device sitting on the same network as the casino’s servers. What seemed like a harmless connection was a digital lock that attackers could easily open. And they did.
While not every organization has a smart fish tank in its lobby, IoT technology is pervasive in everything from assembly lines to coffee machines. Each of those devices is a potential foothold for an attacker looking for confidential records, and the exposure is compounded because many organizations neglect a fundamental security practice: asset management.
Technology trumps security
After consumer use cases such as smart doorbells and smart refrigerators became commonplace, IoT technology quickly spread across the business world. It’s easy to see why: IoT gives teams automatic access to the data they need to make split-second decisions.
The problem, however, is that the technology has created a plethora of new security challenges. Imagine an office building that has been around for decades. One day, someone decides to buy a smart coffee machine for the marketing team and connects it to the network. Soon, word gets out that marketing has this great new coffee machine, so the sales team buys one too. And so on and so on.
Meanwhile, in Building C, the workplace operations team adds Amazon Dash buttons to restrooms so employees can order toilet paper when they run out. Before long, smart devices are all over the building, each a potential vector for security leaks – and the IT staff doesn’t even know they’ve been installed because nobody thinks they need IT to set up a cappuccino machine.
When employees left the office during Covid, organizations had the perfect opportunity to inventory the IoT devices on their network. This crucial step – asset management – would have helped prevent future cybersecurity attacks. Unfortunately, this was far from common, as CISOs and CSOs were too busy figuring out how to secure their new remote workforces.
A silent problem
So the problem persists. Unfortunately, poor asset management is not getting the attention it badly needs. This is a particularly glaring artifact of the historical silo between “the business” and IT: the two organizations are simply not having the necessary conversations about the risks of rogue IoT devices.
The language barrier between IT and business is two-way: the business side of the house often doesn’t think about IT or data security when contemplating risks and opportunities facing their organization. And when IT asks for an additional budget, business teams have a hard time justifying the investment because they don’t see a tangible ROI.
Unfortunately, the cost of fixing the IoT security issue can seem high compared to the theoretical risk of an attack – so leaders are not factoring IoT security into their risk analysis. To fix this problem, executives need to have data-driven conversations about what risk looks like and whether they’re willing to accept it.
Add to that the lack of regulatory oversight, which compounds the problem. Governments and regulators are simply not putting pressure on organizations to protect these vulnerable assets. Regulators have not woken up to the fact that there is no longer any material difference between an espresso machine and a router, or a light bulb and a server.
Until regulatory pressure mounts, organizations and public entities will continue to face a heightened risk of cyberattack. For now, most companies face the very real possibility that an attacker could pivot from a break room refrigerator into the systems that keep the business running.
Taking a step
The first step in solving this problem is to accept that the problem exists. That’s right, your award-winning collection of clownfish and spikelets could pose a real threat to your servers.
The second step is to gather your asset inventory.
While not an easy task, asset management is possible and worth it. We have tools like the Common Service Data Model shared vocabulary. We have the ability to integrate different systems of record. But before we can effectively utilize the tools we have, we must expand the scope of the conversation from data centers and desktops to everything in the enterprise. Including the fish tank.
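As an added example (not code from the original article or from any vendor tool it mentions), here is one way to do that reconciliation in practice: compare what the network actually sees with what the inventory says is there. The script assumes DHCP lease records in dnsmasq’s dhcp.leases layout and a CMDB export as a simple MAC,name,owner CSV; both sample inputs and the small OUI-to-vendor table are constructed for the example. Devices with a lease but no inventory entry are the shadow IoT the article describes; inventory entries with no lease are stale or living on a segment you are not watching.

```python
"""Reconcile DHCP leases against a CMDB export to surface unmanaged devices.

Added example, not part of the original article. Assumptions:
  - lease lines follow dnsmasq's dhcp.leases format:
        <expiry> <mac> <ip> <hostname|*> <client-id|*>
  - the CMDB export is "mac,name,owner" per line (constructed format)
  - OUI_VENDORS is a hypothetical stand-in for the IEEE OUI registry
"""

# Constructed sample leases (dnsmasq layout).
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:11:22:33 10.10.4.21 ws-jdoe 01:aa:bb:cc:11:22:33
1700000000 de:ad:be:ef:00:01 10.10.4.77 coffee-mkt *
1700000000 de:ad:be:ef:00:02 10.10.4.78 * *
1700000000 00:11:22:aa:bb:cc 10.10.4.5 prn-floor3 01:00:11:22:aa:bb:cc
"""

# Constructed sample CMDB export; note the mixed MAC notations.
SAMPLE_CMDB = """\
AA-BB-CC-11-22-33,ws-jdoe,it
00:11:22:AA:BB:CC,prn-floor3,it
10:20:30:40:50:60,switch-b-core,netops
"""

# Hypothetical OUI table; a real deployment loads the IEEE registry instead.
OUI_VENDORS = {
    "de:ad:be": "ExampleSmartAppliances Inc",
    "00:11:22": "ExamplePrinters",
}


def normalize_mac(mac):
    """Canonicalise AA-BB-CC-..., aabb.ccdd.eeff, AA:BB:... to lowercase colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dnsmasq_leases(text):
    """Map normalized MAC -> {ip, hostname} for every lease line."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        hostname = parts[3] if parts[3] != "*" else ""
        leases[normalize_mac(parts[1])] = {"ip": parts[2], "hostname": hostname}
    return leases


def parse_cmdb(text):
    """Map normalized MAC -> {name, owner} from the constructed CSV export."""
    assets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, name, owner = (f.strip() for f in line.split(","))
        assets[normalize_mac(mac)] = {"name": name, "owner": owner}
    return assets


def reconcile(leases, assets):
    """Return (rogue, unseen).

    rogue:  devices holding a lease with no CMDB entry (shadow IoT candidates),
            annotated with a vendor guess from the OUI prefix.
    unseen: CMDB entries with no current lease (retired, or on an unwatched segment).
    """
    rogue = []
    for mac, lease in sorted(leases.items()):
        if mac not in assets:
            rogue.append({
                "mac": mac,
                "ip": lease["ip"],
                "hostname": lease["hostname"] or "(none)",
                "vendor": OUI_VENDORS.get(mac[:8], "unknown vendor"),
            })
    unseen = sorted(mac for mac in assets if mac not in leases)
    return rogue, unseen


def audit(lease_text=SAMPLE_LEASES, cmdb_text=SAMPLE_CMDB):
    """Run the full reconciliation over the given (default: constructed) inputs."""
    return reconcile(parse_dnsmasq_leases(lease_text), parse_cmdb(cmdb_text))


if __name__ == "__main__":
    rogue, unseen = audit()
    for dev in rogue:
        print(f"ROGUE   {dev['mac']}  {dev['ip']:<12} {dev['hostname']:<12} {dev['vendor']}")
    for mac in unseen:
        print(f"UNSEEN  {mac}  in CMDB but no lease: retired, or on another segment?")
```

Two details matter when you run this against real data. Normalize MAC notation before comparing, because a CMDB populated by hand and a DHCP server rarely agree on hyphens, colons and case, and an unnormalized compare makes every managed device look rogue. And treat a missing hostname as a signal rather than noise: the consumer-grade devices that walk in through the break room are the ones most likely to present no name at all.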