The Internet of Things: A good news– bad news story

Here are a couple of takes from Resilience 2016, the 42nd annual RIMS Canada Conference that took place in Calgary this past September, on how organizations can handle the risks, and embrace the challenges, that are coming this way.

Picture a world where road sensors in a bridge can detect the presence of black ice, and send a signal to an oncoming vehicle telling it to slow down. Even if the driver ignores the warnings, the vehicle slows down, carrying on safely to its destination.

It’s just one example of the potential benefits the Internet of Things (IoT) could bring.

From improving worker safety, to home health monitoring enhancing quality of life, to increased company profits, the IoT – where everyday objects are equipped with network connectivity – promises to create smart, connected businesses, homes, cars and cities, transforming the way that Canadians live and work.

“From a TELUS perspective, we think there is a great opportunity there,” says Jeff Lively, TELUS Director Risk Management, Insurance & Claims, who sees the IoT becoming a much bigger part of people’s lives over the next few years. “With the Internet of Things, smart technology makes the impossible possible. The opportunities of the Internet of Things are as great as the imagination.”

As he speaks at the RIMS Canada Conference in Calgary in September, Lively paints a vivid picture of the potential benefits of the IoT.

So what’s the bad news?

“There are a lot of benefits to having the Internet of Things, but nothing is free. With benefits come risks,” says Gerry Kane, cyber-security segment director, risk engineering at Zurich North America, and the second speaker at this RIMS Canada session.

Nearly 60 per cent of surveyed IT professionals at large and medium-sized companies think the IoT presents the greatest security risk on their networks. The number of connected devices in place on the IoT is projected to be as high as a whopping 50 billion by 2020, and should be cause for caution, according to Kane, who points out that many devices that connect to the Internet are vulnerable right out of the box. Hackers can use those vulnerabilities as a way into a network, whether it’s at home or in the workplace.

“Vulnerability, and vulnerability management, are a huge part of the Internet of Things and the risk that goes along with it,” Kane says, noting that vulnerabilities are nothing new in software development. “Security has always been kind of an afterthought.”

In the event of something catastrophic happening, he asks, who is going to be responsible? Is it the company that deployed these devices, the company that manufactured them, the company that designed them, or sold them – or all of the above? “As risk managers, these are things to be thinking about. They are product liability issues.”

To address the potential risks posed by the IoT, Kane recommends following a risk management approach that encompasses five steps: identifying, protecting, detecting, responding and recovering.

First, identify what assets you’re protecting. “It sounds basic, but you’d be surprised how many companies haven’t bothered to think about it,” he notes.

Once you’ve done that, you can then move into protect, laying out controls.

“Non-technical user awareness is probably the most effective, lowest cost-protective measure you can have, with a really solid awareness program,” Kane says. “Unfortunately, most hacks begin with hacking an individual, either through phishing or getting a person inside a network to do something they shouldn’t do, like clicking on a link or divulging their password. Most breaches, including all of the really high profile ones, began with a low tech entry into the network through hacking the individual.”

Another important part of ‘protect’ is limitation and segmentation. “Do you really need to open these devices up to the rest of the world? You need to at least consider these things before you go full bore into the Internet of Things,” Kane says. “Is it really that important? If it is, you’ve got to protect these devices and segment them from the rest of the network, limiting access.”

This includes changing passwords regularly, and ensuring that devices are authenticating traffic. “Strong and multifactor authentication should be a part of any Internet of Things strategy,” Kane says. Encryption can solve most problems if it’s handled the right way, so that even if hackers get in, they won’t be able to do anything malicious.

“Authentication and encryption are really important to protect yourself, not only in the IoT, but also your network in general.”

Companies that are doing security well are investing much more in detection and monitoring capabilities, so that someone is watching over the network 24/7, says Kane, who recommends that companies have disaster recovery and business continuity plans in place in the event of an incident. Incident response plans are critical, and need to be tested multiple times each year.

And, because it’s such a big risk, C-suite and board of directors involvement is a must, “so they in turn can give you the resources you need to protect the company.

“Security is a process, not an event. It has to be baked into the whole development process, and into employee training for everyone, from the mail room to the board room.”

__________________________________________________________________________
Copyright © 2016 Transcontinental Media G.P. This article first appeared in the October 2016 edition of Canadian Insurance Top Broker magazine

This story was originally published by Canadian Insurance Top Broker.