BreachExchange mailing list archives

IoT: Do Risks Outweigh Benefits?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 7 Jan 2015 20:09:25 -0700

http://www.databreachtoday.com/iot-do-risks-outweigh-benefits-a-7754

Many forecasts call for 2015 to be the year of the Internet of Things - a
year for IT security professionals to find themselves stretched to cover
activities outside their usual responsibilities.

But are Indian security leaders prepared to embrace IoT? Not according to
interviews conducted in response to a recent ISACA survey on the topic. The
IoT risks, for now, outweigh the benefits, these leaders say. And they fear
that the trend may lead to an increase of security threats within the
enterprise, as well as a decrease of personal privacy.

"IoT is a good topic from a discussion point of view, but not from the
adoption standpoint," says Mumbai-based Sanjay Sharma, associate director
and regional security manager, Asia Pacific, at Merck Ltd, a pharmaceutical
company. "Indian enterprises are nowhere near to dealing with the threats
or data breaches arising out of inter-connected devices and sources."

The IoT Challenge

Gartner defines IoT as: "the network of physical objects that contain
embedded technology to communicate and sense or interact with their
internal states or the external environment."

In practical terms, IoT includes everything from personal medical devices
to smart cars and Internet-enabled consumer appliances, such as televisions
and refrigerators.

ISACA, the information security professional organization, recently
conducted a 110-country 2014 ISACA IT Risk/Reward Barometer survey of IT
and security pros and found that these individuals have conflicted feelings
about the benefits of connected devices. Most IT departments are still not
ready for the IoT, the survey finds, because CISOs fear IoT adoption will
increase security threats.

Among the survey's findings:

* 37 percent of respondents see IoT as the top challenge for organizations,
  owing to increased security threats;
* 28 percent expect IoT adoption to result in data privacy issues;
* 36 percent believe the risk associated with IoT would outweigh the benefits.

"One of the biggest takeaways from this year's study is the significant gap
between people's concerns about protecting their data privacy and security
versus the actions they take," says Vittal Raj, international vice
president of ISACA. "Businesses need to address this gap by aggressively
educating customers and employees about how they can help reduce the risk
or minimize the impact of data breaches or hacks by adopting IoT."

India's Response

In discussing IoT, some regional experts argue that, in India, the practice
of privacy protection is not fully embraced, except by industries such as
telecom, which are regulated. Hence, trends such as IoT will pose new
challenges for CISOs.

"There is an imminent requirement for awareness on privacy and formalizing
privacy laws in Indian organizations," says Mumbai-based Durga Prasad Dube,
senior vice president and security head at Reliance Industries. "Maybe
[Indian organizations should] create a privacy office which can define IoT
projects, policies and procedures and make CISOs responsible for securing
the environment, all of which is still a distant affair."

Experts say some CISOs are apprehensive about IoT because all
Internet-enabled devices can be used by attackers as zombies, so being
prepared for large-scale attacks is a huge challenge. Others maintain that
their BYOD policies do not allow the use of IoT devices - particularly
wearables - because of security concerns.

Dube agrees that BYOD becomes a bottleneck for the adoption of IoT. "It is
important for CISOs to fortify sound controls around BYOD, get the
necessary feedback from the stakeholders and then develop policies around
IoT project or using personal wearables," Dube says.

Planning for IoT?

Despite the IoT challenges, according to ISACA's survey, 31 percent of
respondents still seem to be lured by this trend and said they planned to
leverage it.

A word of caution from Sunder Krishnan, chairman of ISACA's India Growth
Task Force: IoT should emerge as a strategic initiative, not a tactical
plan.

"Companies should take an 'embrace and educate' approach to these devices
by creating clear policies and educating employees on appropriate use that
can result in increased productivity - a benefit to the enterprise,"
Krishnan says.

Merck's Sharma says security teams must take the lead here and define the
course of action to deploy IoT.

"CISOs must take a holistic approach to understand risk management, IT and
compliance, and use a collaborative mechanism to monitor every aspect of
the project and prescribe zero tolerance towards any violation of any
clause of the security policy," Sharma says.

When it comes to securing IoT, ISACA's Raj recommends that CISOs look at
leveraging security knowledge platforms and professional programs to
understand the nuances of IoT and methods to secure the environment.

"Every enterprise should make its security portfolio agile by building the
skills of its employees at various levels and equip them to tackle all
kinds of threats," Raj says.

Some security leaders also recommend developing a security standard for IoT
device vendors, creating authentication and encryption standards for all
devices and middleware to address secure communication, data retention and
privacy.

And with IoT comes the need for a complete overhaul of the employee
education process.

"The education should be on how to use IT securely in any new technological
environment," Dube says, "rather than the policy or its guidelines, which
would be more holistic in nature."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
