BreachExchange mailing list archives

Legal Watch: The Perils of the IoT


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Sep 2015 19:33:52 -0600

http://www.securityinfowatch.com/article/12104874/the-peril-of-the-iot

The Internet of Things, or IoT, is relatively new, and it offers both
benefits and potential risks. Security providers should enjoy the benefits,
but they ignore the risks at their own peril.

Broadly speaking, the IoT refers to devices connected to the Internet for
the purpose of information transfer or process automation. The world is
installing more and more devices that yield productivity, cost savings and
pleasure. Yet, serious unintended consequences accompany the IoT. For
electronic security providers, these devices open a subscriber’s most
precious assets to unwanted intrusion and theft.

The Target stores breach is a vivid case in point. Intruders accessed
Target’s trove of customer-related personal information through its HVAC
vendor (a classic IoT combination), and Target failed to notice the theft
until it was too late. Security professionals were not surprised. They knew
the IoT has expanded the attack surface for the bad guys. Devices that are
increasingly embedded in premises provide many more Internet points of
entry for unwanted intrusion. What strikes me is how easy it is to imagine
this happening to a security contractor rather than an HVAC contractor.

Target is an inviting target (no pun intended). You may think no one would
bother to go after other, smaller businesses because they are simply too
small for anyone to care — not true. According to a Verizon Data Breach
Investigations Report, and other similar reports along the same lines, “We
see victims of espionage campaigns ranging from large multi-nationals all
the way down to those that have no staff at all.”

Other studies reporting that the vast majority of cyber-attacks are aimed
at small businesses are equally sobering. “The scary thing about this
number is that the small businesses are usually the least equipped to
protect against an attack,” according to an Aeris Secure report. “Most
hackers will prey on the weak. With technology being so prevalent in all
businesses, few can afford to not pay attention and do whatever they
reasonably can to protect their business and assets.”

This should be a wake-up call for all business owners. If you are paying
attention but are simply overwhelmed by the deluge of scary information
hitting your inbox every day, the question becomes: What can a business
owner reasonably do to protect the business from cyber-attacks emanating
through the Internet of Things that likely will result in loss of critical
assets, reputation and remediation time and money?

You can and should be able to address your IoT exposures, and many others
associated with your Internet presence, efficiently, cost-effectively and
in a timely manner. Because some of your exposures are information
technology risks and others are not, both your counsel and your trusted IT
governance and security partners should be on your team. A few lawyers are recognizing that, in
this ever-expanding cyber-risk field, lawyering alone will not get the job
done. By the same token, forward-thinking IT governance and security
professionals know there is a lot more to the incoming risks than can be
handled by IT protection alone.

It is critical that leadership at the top sees to it that data, device and
process security are seen as an enterprise concern. With the right legal
counsel and IT governance and security professionals on your team, you can
effectively address both the IT and non-IT risks embedded in the IoT.

I strongly recommend that you have the conversation with your counsel and
ask for a plan to assess and remediate your real-time risks. Your goal
should be to achieve the ability to make informed risk-management decisions
about your multiple risks, specifically whether to remediate them, transfer
them by way of cyber-insurance or ignore them. Whatever you decide, you’ll
be much more likely to make the right call with the right
cross-disciplinary team in place.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

