How to define an IoT cyber security policy

Recruitment firm Stott and May provides guidance on how UK organisations can secure the Internet of Things

This is a contributed piece by Simon Kouttis, Head of Cyber Security Practice, Stott and May

The benefits of the Internet of Things (IoT) are widely understood; the potential dangers, perhaps less so. AT&T’s 2016 Cybersecurity Insight Report had some illuminating and worrying findings: while some 86% of companies are looking to adopt the technology, only 14% have a formal process to establish how many devices they have connected, let alone how secure those devices are. Worse still, only 17% involve their boards in their IoT protection efforts.

But even at board level, the situation is far from ideal. One survey found that 52% of UK CIOs believe that, if they were to suffer any kind of security breach, they’d know which systems were affected, and to what extent, within 24 hours. In reality, it takes an average of around 256 days to detect an attack, and that figure is for conventional IT systems, not networks made up of interconnected IoT nodes and sensors, where the problem is only harder.

The IoT-enabled world may well revolutionise the enterprise, and the potential risks should not put off companies that might benefit from its advances. The early stages of any technology’s lifecycle are always a little awkward. But make no mistake: overconfidence can be deadly, inexperience will be exploited, and businesses intending to use IoT devices must take care to ensure that their security controls keep pace with their rate of adoption.

IoT risks

The IoT is, to some extent, a victim of its own clichés.

For example, the ‘connected car’ has become a popular trope, so when there’s talk of security issues, the headlines are invariably about car hacking. Just as the self-driving automobile masks the wider benefits of the IoT, the panic about some real-life Bond villain seizing control of traffic masks deeper, subtler, but no less troubling, issues. Attackers aren’t going to go to great lengths just to make people late for work, and nor are they especially interested in turning off fridges and TVs. These devices matter because they are nodes on your network: a compromised sensor or smart appliance is a foothold from which an attacker can pivot to whatever systems and data it can reach.

Accordingly, the more devices you connect, the larger your attack surface and the more you need to protect. That starts with knowing what you have: a device that isn’t on your inventory cannot be patched, segmented or monitored. This can be a tall order if you haven’t got the requisite cyber security expertise in your team, so preparing that team and, in some instances, expanding it can be an excellent way to safeguard your company.

Cyber literacy

According to IBM research, 95% of cyber security incidents involve human error. The value of reducing the scope for this kind of error is obvious, particularly as IoT-enabled devices multiply the potential attack vectors.

Naturally, every new cyber security hire should understand the legal and compliance dimensions of cyber security as they relate to interoperable devices, systems and networks. Whatever your IoT setup, it must adhere to laws such as the UK Data Protection Act and the EU General Data Protection Regulation (which will still apply post-Brexit, because it covers any organisation that processes the personal data of people in the EU, wherever that organisation is based) and to standards such as PCI DSS, or your company may face heavy fines.

Your cyber security professionals should have the technical understanding to comply with these various rules, to undertake routine risk assessments, and to find a means of adherence that also protects your commercial and operational interests. But they also need to be top-shelf communicators and educators, because not everyone who uses your IoT setup will have this level of technical understanding, and attackers target exactly that gap.

If your staff aren’t fully apprised of the IoT’s various risks, the scope for human error increases sharply. Every member of staff should receive regular preventive training in which everyday mistakes (leaving a device or workstation with access to critical systems logged in over a lunch break, for instance) are illustrated alongside malicious, attacker-driven dangers such as phishing emails. If you use contractors or project workers, ensure that they’re thoroughly vetted and referenced, that they have no more access to your network than they strictly need, and that this access is revoked as soon as the engagement ends.

Success stories – and cautionary tales

It’s also essential to understand that sometimes none of this will matter. Some attackers, through luck or persistence, will eventually find a way to compromise your systems. When this occurs, it can cause significant damage to your reputation and finances, and if particularly sensitive information is affected you may have to disclose the breach (the GDPR, for example, generally requires a personal-data breach to be reported to the supervisory authority within 72 hours of becoming aware of it). If you’re forced into this position, you need to have an incident response plan ready in advance: the initial damage may already be done, but a rehearsed plan lets you contain the breach, preserve the evidence you will need, and stop it from spreading further.

You can’t defend against every attack, and nor should you be expected to. But with the right people and the right practices, you can stay up to date – and, in most cases, a couple of steps ahead of would-be attackers. We are still in the early days of the IoT, and your approach to security can dictate the narrative around your company. You can use the technology to your advantage, connecting devices, automating processes, and remaining relatively safe in the process – or you can become a cautionary tale. The IoT can be a boon or a burden – whichever it turns out to be is ultimately up to you.
