IoT is smart. Managing its risk is smarter
Gartner, the IT research and advisory firm, defines the Internet of Things (IoT) as “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”
IoT innovations are the building blocks to a digital business and essential for companies seeking digital reinvention. IoT is often referred to as smart technology and behind everything you’ve read about self-driving cars, self-monitoring healthcare, and Nest thermostats. Less discussed in the promise of IoT is the peril. Risk is a serious concern that has alarmed some while others remain ambivalent.
In a May 2017 survey jointly produced by the Ponemon Institute and Shared Assessments, 70 percent of risk professionals surveyed do NOT consider managing IoT risk as a top priority. The survey also found a ticking time bomb of pessimism among risk managers. 94 percent believe a catastrophic IoT security incident could occur in the next two years.
As McKinsey, a global management consulting firm, put it, “security issues may represent the greatest obstacle to growth of the Internet of Things.” As a risk manager, you have a pivotal role to play in managing IoT risk.
Action beats inaction
While IoT is a growing concern, risk is risk. It needs to be understood and managed. It makes sense to revisit the risk assessment and investigate the risk factors at work. Your best first move is analyzing your entire assessment process for addressing the risk from a hot new threat. When you think about it, the risk assessment is the essential tool in your toolbox for identifying and managing risk.
If you don’t ask the right questions, you won’t get the right answers to manage risk. Give your risk assessment questionnaire a top-to-bottom review with an eye toward IoT risk. Perhaps it needs an additional section of questions specific to IoT. For guidance, consider how you manage IT threats and vulnerabilities since IoT devices access the same networks and assets as computers.
For example, in the 2016 Mirai cyber-attack, a botnet brought down much of the Internet in America. The Mirai attack was unusual in that the botnet wasn’t made from computers. It was produced entirely from IoT devices like digital cameras and DVR players.
It’s easy to blame management, current processes, or claim there aren’t enough hours in the day to address what McKinsey calls a “nascent phenomenon.” A little effort put toward updating your processes can pay big dividends in minimizing IoT risk.
The buck stops here
When he was president, Harry S. Truman had a sign on his Oval Office desk that read: “The buck stops here!” It meant responsibility rested with him. He wasn’t going to pass the buck.
As a risk professional who manages risk on a daily basis, take a lesson from Truman and don’t let anything new and different slip past you. If there is an issue with their assessment answers, don’t be afraid to ask for explanation or detail. Your company’s security depends on your vigilance.
Only you and your team can decide whether or not a particular assessment passes. It’s easy to approve and move on. It’s harder to slow down, investigate, and expand your scope. To address the burgeoning IoT risk, the latter is required.
Streamline and do more
What if you could wave a magic wand and manage risk faster and add some wished-for capabilities? You don’t need magic. You need technology that can help you manage IoT risk as IT risk, operational risk, third-party risk, or an entirely new classification of risk.
The right technology platform empowers risk professionals to manage risk more efficiently and effectively. A platform up to the challenge of managing IoT risk can triage scanner data and dedupe results, automate risk management activities, simplify risk monitoring, and generate executive-level reports.
An IoT security incident could have catastrophic consequences for your entire company, not just the IT Department. Fortunately, these platforms can help you manage risk enterprise-wide. Other departments, given they have the proper credentials, can access the data collected to factor into their risk management programs.
The survey on IoT risk by Ponemon Institute and Shared Assessments is alarming. For risk professionals, it should be a wake-up call to take action, shoulder responsibility, and leverage technology. To get things rolling, revisit your risk assessment, the backbone of risk management.
Learn about CIS’s first five controls and examine what each control addresses.
Learn about how privacy programs and the importance of being prepared for a breach.
Learn about the constant vigilance of continuous security monitoring.