In Part 1 of this article, we looked at the risks to your systems that can originate with the devices that make up the Internet of Things – devices like smart TVs, connected healthcare devices, cameras, DVRs, and even “smart” cars and light bulbs. These risks are real, and they are current. The types and number of smart devices are multiplying rapidly, many of them reasonably priced and attractive, in an environment where security standards and requirements are largely absent. Add to this the proliferation of attacks, and the result is a risk level no organization can ignore. Even organizations that don’t currently use IoT devices need to be prepared with a plan of action and policies dealing specifically with the issue.
Here are some of the suggestions Kroll has provided to its clients regarding an IoT security action plan.
- Set policy about what can and cannot be attached to any company network. This should come from the highest level of the company, because this risk, while it may be technical, has the potential to seriously damage the company as a whole. Top management must support the concept that cyber security is vital, and that the company has a right and an obligation to control what can and can’t be connected to its networks. The importance of top level support can’t be overstated.
- Run a scan now to determine every device attached to your network. Additionally, consider preventing devices from attaching to your network without prior authorization from IT. It is possible to configure a network to make it very hard to attach an unapproved device. Having the network only accept connections from the unique MAC address of approved devices goes a long way toward this goal. Don’t think of this scan as being a one-time effort. Even where you’ve set up a network to prohibit attachment of unknown devices, running tests is a good security measure.
- Set policy relating to the acquisition of devices. Require any purchase of a device that can be remotely accessed through wireless technology to be coordinated with and approved by IT. The policy should require IT to document the permission and certify that it has checked and approved the device’s security and risk. Some may balk at the notion that IT has to be involved in the purchase of televisions or kitchen appliances with “smart” features, but given the reality of botnets and malware, there’s no good alternative.
- Set policy prohibiting devices from the network without permission. This applies to employees, contractors, and vendors alike, for any device, whether it connects by wire or wirelessly.
- Perform third-party due diligence. As part of the vetting process, ask for proof that your third-party providers have commercially reasonable policies to secure against IoT problems, and whether those policies are actually implemented. With so many cyber security breaches tied back to connected business partners or supply chain partners, their weaknesses can become your weaknesses, and there can be a real cost to connecting with a company whose security is weak.
- Consider coverage for your IoT-based risks. Check with your risk manager, insurance broker, and cyber-insurance carriers to determine whether your existing policies provide coverage. Also, for all existing policies, determine your obligations under the policies for notification. In some cases, failing to notify the insurer of a potential breach may negatively affect coverage. Be aware that carriers may have pre-approved “panels” of incident response companies, forensic experts, specialized attorneys, etc., that can be used without getting pre-approval from the insurer.
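The inventory check described in the second item above, as an added example that is not part of Kroll's article: it parses a constructed neighbor-table snapshot (in the format of Linux `ip neigh show`), normalizes the MAC addresses, and reports any device not in IT's approved-device list. The sample data and the `APPROVED` inventory are constructed for illustration.

```python
"""Compare a network neighbor-table snapshot against the approved-device inventory."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of `ip neigh show` (not real data).
# A MAC address identifies a device only as well as the device reports it,
# so this check complements, rather than replaces, a recurring scan.
SAMPLE_NEIGH = """\
10.0.5.21 dev eth0 lladdr 00:1A:2B:3C:4D:5E REACHABLE
10.0.5.34 dev eth0 lladdr 00-1a-2b-3c-4d-60 STALE
10.0.5.77 dev eth0 lladdr b8:27:eb:11:22:33 REACHABLE
10.0.5.80 dev eth0 FAILED
"""

# Constructed inventory: MAC -> description recorded by IT at approval time.
APPROVED: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "Printer, 3rd floor",
    "00-1A-2B-3C-4D-60": "Conference room display",
}

# Six hex-pair groups separated by ':' or '-', following the 'lladdr' keyword.
MAC_RE = re.compile(r"lladdr\s+([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated, so tools' formats compare equal."""
    return mac.replace("-", ":").lower()


def parse_neighbors(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs for entries that carry a link-layer address."""
    found = []
    for line in text.splitlines():
        match = MAC_RE.search(line)
        if not match:          # FAILED/INCOMPLETE entries have no MAC to check
            continue
        ip = line.split()[0]
        found.append((ip, normalize_mac(match.group(1))))
    return found


def unknown_devices(neigh_text: str, approved: Dict[str, str]) -> List[Tuple[str, str]]:
    """List every (ip, mac) seen on the network that is absent from the inventory."""
    approved_macs = {normalize_mac(m) for m in approved}
    return [(ip, mac) for ip, mac in parse_neighbors(neigh_text) if mac not in approved_macs]


if __name__ == "__main__":
    for ip, mac in unknown_devices(SAMPLE_NEIGH, APPROVED):
        print(f"UNAPPROVED device: {ip} ({mac})")
```

Run it against the output of `ip neigh show` (or an equivalent ARP table export) on each segment, and keep the inventory under change control so that every entry traces back to an IT approval.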
The unintended and unrecognized risks to your organization – and yourself – of the Internet of Things are very real. To defend against these threats, it is important that you take and document commercially reasonable steps to defend your organization.