Staying ahead of security “weak links” in the Internet of Things future
The explosive growth of the Internet of Things is an exciting trend for consumers, but it comes with many unknowns and risks for CIOs. From meeting the demands of a hyper-connected workforce, to staying ahead of emerging cyber threats, addressing IoT challenges and opportunities will be essential to thriving in the new digital economy.
Roota Almeida, head of information security for Delta Dental of New Jersey, will discuss this topic on stage at the upcoming MIT Sloan CIO Symposium. The Enterprisers Project caught up with her to discuss how CIOs can prepare their organizations for what's on the horizon.
The Enterprisers Project (TEP): What are the positive and negative effects of the influx of new connected devices on CIOs and/or IT organizations?
Almeida: Consumerization of IT has significantly changed the direction of technology absorption. Consumers are adopting the latest technologies and devices and are demanding the same at work. We have seen businesses struggling to adapt to this reality as we move beyond mobile devices and into the “Internet of Everything.” While the addition of sensors and connectivity to physical things is driving massive gains in efficiency, it is also posing a significant security risk for organizations.
In the past, data was stored in-house and locked down. Organizations’ IT had physical and logical control over their data. That is rapidly changing. Small to mid-size companies are not looking to have in-house data centers anymore. Additionally, employee-owned devices have infiltrated the workplace. We live in a world where employees expect data access on any device, anywhere, and at any time. This issue has become prominent for companies and will become particularly challenging as the BYOD era evolves to include wearable devices. Beyond the omnipresent mobile devices in the workplace, the always-on work mentality, combined with telecommuting and the constant demand for information, leaves organizations in a tough spot. Finding balance between accessibility and security is a tough challenge.
We are in the initial stages of “Internet of Everything,” and it holds amazing potential for companies. CIOs must be prepared to adapt to this new trend by developing strategies to cash in on new opportunities and leveraging this explosion of data.
TEP: Are there any common “weak links” or areas that are particularly vulnerable to security risks that CIOs should be aware of?
Almeida: Continuing with the “Internet of Everything” trend, criminals are taking advantage of the increasing reliance on the smartphone as an authentication measure. This “connected device” could be the weak link where a malicious actor could intercept the text or code generation authentication elements built into mobile programs to take over other accounts in a variation of a man-in-the-middle attack. With this information, criminals can use the device as a key to access a broad range of information available to the user, including valuable corporate data.
Another vulnerable area CIOs should be aware of is the “old source code,” which could bring new chaos to the environment. It is the new Trojan horse waiting to be exploited! A large part of what makes information systems open to attack is that they contain “undocumented features.” The more experience one has with any one piece of software, the more holes can be found and/or closed. Yet, even a perfect fix will last only until the next innovation hits the system.
TEP: What other advice would you offer to CIOs about staying ahead of security risks in an IoT world?
Almeida: A few things:
- Follow the data – CIOs of today face a struggle between securing legacy equipment while trying to keep up with tomorrow’s leading-edge technology, and it is pushing limits. In this “battle,” data is our most important asset. We must innovate our business approach and risk profile to embrace this.
- Identity and Access Management (IAM) has to be tackled – Users and their identities are the most vulnerable link in a network. CIOs are challenged with managing the identities and privileges of an increasingly diverse group of users who use a multitude of devices to log into systems both inside and outside the enterprise. A flexible Identity and Access Management that provides authentication and authorization services to cloud, mobile and social interaction within our enterprise IT solutions while enabling improved secure collaboration with our partners and vendors will be a great value add.
- Managed Services Partner – a must have – A managed security services partner will not replace your existing internal IT team, but augment it. They will bring in the expertise, threat modeling and other compliance and protection services you might not have internally — things that are needed to mitigate risk in line with regulatory obligations and business goals. It is much harder to bounce back from business interruptions or unexpected losses caused by IT security gaps. The cost of avoiding such threats is typically much less than the cost of recovering from them.
TEP: What do you think is the most important thing a CIO can do to help their organization thrive in the digital economy?
Almeida: To thrive in the digital economy, CIOs have to understand business and new technologies better. They have to learn how to create value from their data and understand new technical capabilities for the whole business, not just in the IT domain. CIOs have the ability and must help design the end-to-end innovation process that leads to a better business, and then enable it. Innovation can drive efficiencies and lead to competitive advantage; technology is one way of capturing both.