The Risk Based Strategy

The Internet of Things (IoT), which “is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure,” includes everything from our computers and cellphones, to pacemakers and insulin pumps, to smart meters and toll passes.  Gartner, an American information technology research group that provides insight into security products and services for CIOs and their directors, predicts that there will be 26 billion devices connected to the Internet by 2020.  The number seems unimaginable, but other companies similar to Gartner are predicting up to 30 billion devices connected to the Internet wirelessly.  From a security standpoint, this is a nightmare.  How do we in the security field protect businesses and personally identifiable information from malicious insiders, hackers, and advanced persistent threats, across billions of devices that run multiple operating systems with numerous vulnerabilities and access information through unsecured applications?  Where do we start?

As a person who has visited multiple Fortune 500 companies, I can tell you we are in the midst of a grave battle.

Lately, I have spoken about how my security message has changed.  I had believed that we could prevent attacks by acquiring the right tools.  But large companies easily have 50 security management tools that they use to monitor security threats, and still the cybercriminals are getting into the network.

We need to change our security strategy by recognizing that we cannot keep chasing vulnerabilities.  Chasing vulnerabilities has not been effective, and we need to shift our focus to a risk strategy, especially as the IoT continues to grow and more devices attach to the network.

What is a risk strategy?  First, we need to look at what is important in your company’s environment.  Are you trying to protect proprietary data?  If the details of a design leaked before its release date, would your company be hurt?  Or are you, for example, in retail and need to protect customer information?  Regardless of the business you are in, data such as vendor files, employee information, and corporate strategy must be protected.  What is your primary focus when it comes to your IoT?

The development of a risk strategy needs to begin with the question: What are you trying to protect?  Once you understand your goal or goals, the next step is to create a plan.  This may seem simple, but companies seem to chase the vulnerability without analyzing or understanding the risk that the vulnerability poses to the company.  For example, you may have personal computers in your test lab that are still running Windows XP and are therefore vulnerable, because Microsoft no longer supports the operating system.  However, if the test lab is on an isolated network, meaning the computers are physically separated from other networks, the vulnerability should be ranked low.  That low ranking holds only as long as the isolation does: a laptop or USB drive that moves between the lab and the corporate network quietly reconnects those machines to everything else, so the isolation has to be verified, not assumed.

Simply put, if your home is about to be invaded, what do you focus on?  Should you rush to the open garage door, knowing that the door between the garage and the house is locked and that the only assets to be stolen in the garage are a rake and a shovel?  Do you try to hide your electronics and jewelry before the thieves load your garden tools into their car?  Or do you call 911 and lock your family in the panic room?  Understanding what matters should dictate your security strategy.

A plan needs to be developed once a company understands which data is crucial and the risk of not protecting that information.  When creating and implementing a strategy to protect critical data in the business infrastructure, it is necessary to look at all aspects of the IT infrastructure, including but not limited to the employees, contractors, and vendors and how they connect.  Do you allow people to connect from outside your internal network, for example from home?  Do you require additional authentication when someone connects from outside your company’s internal network?  Understanding how people connect to your critical data is just as important as identifying the critical data.

As a company develops a strategy for cybersecurity, it is important to educate the employees and to make sure that they are included in keeping the IT infrastructure safe.  As employees are able to connect more of their digital devices to themselves, and consequently to the company’s network, it is important that they also take responsibility for good hygiene.  What is good digital hygiene?  Although there are tools that help with patching, one of the problems companies have today is employees who work at remote locations.  Often they go months without updates, and they continue to ignore patching, and retain the ability to forgo it, whether the update is for Microsoft, Adobe, Java, or other software applications that frequently need updating.  Good hygiene is patching when there is a notice that an update is ready.  This habit will go a long way toward keeping your company safe.

The Internet of Things does not have to be a cybersecurity nightmare.  The basic principles of a good security foundation remain the same, regardless of how many employees or digital devices are connected.

One Response to Connected

  1. Connected | ThatIsAllForNow on November 1, 2016 at 12:03 am

    […] attacked some of the largest globally recognized companies.  Nearly two years ago in Connected, I spoke of the Internet of Things IoT, and how we are becoming more vulnerable as we add IP […]
