With organizations apparently having learned little from the past, it appears most Internet of Things (IoT) projects are moving forward without much forethought being put into cybersecurity. A new survey of 553 executives published by the Shared Assessments Program, an industry standards organization focused on risk assurance, in collaboration with The Ponemon Institute finds that 67 percent of those surveyed are not evaluating IoT security and privacy practices before engaging in a business relationship. A full 77 percent of respondents also admit they are not considering IoT-related risks in their third-party due diligence.
Not surprisingly, only 44 percent say their organization is able to protect its network or enterprise systems from risky IoT devices. In fact, most appear fatalistic about IoT security. More than three quarters (76 percent) say a DDoS attack involving an unsecured IoT device is likely to occur within the next two years, and 94 percent noted that such an attack would likely prove catastrophic.
Preparing for IoT opportunities
Most managed service providers are not yet ready to help customers manage and secure their IoT environment. But it’s already clear that IoT represents a massive opportunity that is just over the next horizon. In the meantime, one way MSPs could leverage much of their existing security expertise is by providing IoT risk assessments.
In the wake of high-profile IoT attacks last year, there aren't many executives who are unaware of the inherent risks associated with IoT. What many of them need to know now is what level of specific risk they'll face when moving an IoT application into production. The first step in determining that risk is, of course, figuring out what types of attacks might be launched. After all, there are different levels of risk associated with various types of attacks, ranging from malware moving laterally via an IoT gateway to infect the entire organization to potential liability when a device is hijacked as part of a global distributed denial of service (DDoS) attack.
Challenges for managed service providers
The biggest challenge MSPs are likely to face when trying to convince business executives to fund such projects stems from the assumption that cybersecurity is a problem that can be solved rather than a process that needs to be maintained. An article by an organizational behavior expert published by Harvard Business Review (HBR) this week advises cybersecurity professionals to focus more on risk management instead of risk mitigation. In the latter case, IT security is a problem to be solved using a finite amount of resources within a given amount of time. In the case of risk management, IT security is clearly an ongoing process that needs to be reconsidered every time a change is made to the IoT environment.
While the technology involved in an IoT project may seem relatively straightforward, the risks to the business that those projects represent are nothing less than massive. Savvy MSPs will take the time to connect the IoT dots in the minds of business executives who habitually weigh risk versus opportunity. The real issue, of course, is making sure the right calculus for determining those IoT risks is being applied.