
Internet of Things initiatives demand targeted strategies to combat the influx of new cyber risks that will invariably accompany them. Companies across all industries can learn from some of the lessons already learned by technology, media, and telecom companies.

What makes the Internet of Things (IoT) different from the traditional Internet? People, for starters. The IoT doesn’t rely on human intervention to function. With the IoT, sensors collect, communicate, analyze, and act on information, offering new ways for technology, media, and telecommunications (TMT) businesses to create value—whether that’s creating entirely new businesses and revenue streams or delivering a more efficient experience for consumers.

But this also creates new opportunities for all of that information to be compromised. Not only is more data being shared through the IoT, among many more participants, but more sensitive data is being shared. As a result, the risks are exponentially greater.

Take the smart home as an illustrative example. Imagine a garage door opener with the added functionality to deactivate the home alarm upon entry. This is a convenient feature for a homeowner entering their home in a hurry. However, now the entire alarm system could potentially be deactivated when only the garage door opener is compromised. The broad range of connectable home devices—TVs, home thermostats, door locks, home alarms, smart home hubs, garage door openers, to name a few—creates myriad connection points for hackers to gain entry into IoT ecosystems, access customer information, or even penetrate manufacturers’ back-end systems.
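The garage-door scenario above is a question of how much authority a single device holds. The following example is added here to illustrate it and is not code from the article or from any hub vendor; the hub, the token names and the two policies are all hypothetical. The "coupled" policy gives the opener's credential the alarm-disarm capability that the convenience feature implies, while the "scoped" policy keeps that capability with the resident's own app, so a compromised opener can do no more than open the door.

```python
"""Capability-scoped device credentials on a hypothetical smart-home hub.

Constructed example: the policies, token names and Hub class are invented for
this illustration and do not describe any real product's API.
"""

# Policy shape: token -> {target device: set of allowed actions}.
# Coupled: the opener's token also carries alarm.disarm, so whoever holds
# that token (including an attacker who extracted it) can disarm the house.
COUPLED_POLICY = {
    "garage-opener-token": {"garage_door": {"open", "close"}, "alarm": {"disarm"}},
    "resident-app-token": {"garage_door": {"open", "close"}, "alarm": {"arm", "disarm"}},
}

# Scoped: the opener can only drive the door. Disarming stays with the
# resident's authenticated app, so the opener's compromise does not cascade.
SCOPED_POLICY = {
    "garage-opener-token": {"garage_door": {"open", "close"}},
    "resident-app-token": {"garage_door": {"open", "close"}, "alarm": {"arm", "disarm"}},
}

# What each action does to the target's state.
TRANSITIONS = {"open": "open", "close": "closed", "arm": "armed", "disarm": "disarmed"}


class Hub:
    """Minimal hub that enforces the policy and keeps an audit trail."""

    def __init__(self, policy):
        self.policy = policy
        self.state = {"garage_door": "closed", "alarm": "armed"}
        # (decision, token, target, action): denials are what a monitoring
        # team would want to alert on, since a legitimate opener never asks
        # for alarm actions under the scoped policy.
        self.audit = []

    def request(self, token, target, action):
        """Apply an action only if the presenting token is scoped to it."""
        allowed = self.policy.get(token, {}).get(target, set())
        if action not in allowed:
            self.audit.append(("DENY", token, target, action))
            return False
        self.state[target] = TRANSITIONS[action]
        self.audit.append(("ALLOW", token, target, action))
        return True


def compromised_opener(policy):
    """Model the blast radius of a stolen opener token under a given policy.

    Returns the resulting hub state and the number of denied requests.
    """
    hub = Hub(policy)
    hub.request("garage-opener-token", "garage_door", "open")
    hub.request("garage-opener-token", "alarm", "disarm")
    denials = sum(1 for entry in hub.audit if entry[0] == "DENY")
    return hub.state, denials


if __name__ == "__main__":
    for name, policy in (("coupled", COUPLED_POLICY), ("scoped", SCOPED_POLICY)):
        state, denials = compromised_opener(policy)
        print(f"{name}: alarm={state['alarm']} denials={denials}")
```

Under the coupled policy the alarm ends up disarmed with no denial recorded; under the scoped policy the door opens but the alarm stays armed and the denied request lands in the audit trail, which is also the detection signal a defender would watch for.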

Many TMT companies are already grappling with these cyber risk challenges, and learning lessons along the way. Those lessons include:

An integrated risk philosophy is not optional. In most large organizations, the approach to cyber risk may differ by region, product, or business unit. For many, that approach worked well—parts of the company that require a heightened approach to cyber risk handle their threats in one way, while others take a different tack. But the IoT is forcing many TMT business leaders to reassess this decentralized approach, since it tends to connect enterprises and their operations in unexpected ways. Safeguarding the IoT is complicated by the scale and scope of data being generated and collected, not to mention that much of it is actually held or accessed by third parties. As a result, many leaders are implementing an umbrella-level cyber risk paradigm, raising standards for cyber risk at every level of the organization, enterprisewide, from prethreat to post-event. That means preventing and anticipating IoT-related cyber threats before they take hold, monitoring and neutralizing threats already in play, and restoring normal operations as soon as possible when an organization is struck by a threat.

Cyber risk management and innovation must be on equal footing. More information creates more possibilities for creating value: This is the promise of the IoT. Today, entire business models are launched on the idea of tight collaboration between organizations. Data is often the glue holding the models together, propelling companies to invest significantly in customer analytics capabilities to discover new customer value streams. Aside from device and system data, these collaborations are taking advantage of an exceptionally broad portfolio of data types, from employee rosters and inventory records to nontraditional data types such as facial recognition data, facilities access data, and industrial control system data, to name just a few. For many, this is uncharted territory and, along the way, data governance has failed to keep pace.

How do you exercise firm control over data governance in that environment? Tighten the controls too much, and you could squeeze the life out of much-needed innovation. Pursue an approach marked by loose oversight, and you could be exposed to outside cyber risks. Cyber risk and innovation are inextricably linked—one shouldn’t be subordinated to the other. Some of the most forward-looking executives in TMT are harmonizing these business imperatives by engaging with business leaders, both within their organization and outside it, to establish a “baseline of normal.” Once they understand what “normal” data activity looks like, they can quickly and accurately flag possible abnormalities for further review.
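The "baseline of normal" idea above, as an added example that is not part of the article and not any vendor's tooling: the script learns each device's usual destinations and hourly traffic volume from a window of telemetry rows, then scores new rows against that profile. All device names, hosts and byte counts are constructed for the illustration.

```python
"""Baseline-of-normal anomaly flagging over constructed IoT telemetry.

Constructed example: the records below are invented, not captured from any
real network, and the device and host names are placeholders.
"""
from collections import defaultdict
from statistics import mean, pstdev

# One row per device per hour: (device_id, hour, bytes_sent, destination_host).
BASELINE_WINDOW = [
    ("thermostat-1", hour, nbytes, "telemetry.vendor.example")
    for hour, nbytes in enumerate([410, 395, 430, 405, 420, 398, 415, 402])
] + [
    ("doorlock-1", hour, nbytes, "lock-api.vendor.example")
    for hour, nbytes in enumerate([120, 118, 125, 121, 119, 123, 122, 120])
]

# Rows to score. The comments state what the profile should say about each.
OBSERVED = [
    ("thermostat-1", 8, 415, "telemetry.vendor.example"),  # within profile
    ("doorlock-1", 8, 119, "lock-api.vendor.example"),     # within profile
    ("doorlock-1", 9, 5800, "lock-api.vendor.example"),    # volume far above normal
    ("thermostat-1", 9, 400, "203.0.113.7"),               # destination never seen before
    ("camera-9", 9, 900, "cdn.vendor.example"),            # device with no baseline at all
]


def build_baseline(records):
    """Per device: destinations seen plus mean and population stdev of hourly bytes."""
    by_dev = defaultdict(lambda: {"dests": set(), "bytes": []})
    for dev, _hour, nbytes, dest in records:
        by_dev[dev]["dests"].add(dest)
        by_dev[dev]["bytes"].append(nbytes)
    return {
        dev: {
            "dests": frozenset(info["dests"]),
            "mean": mean(info["bytes"]),
            "stdev": pstdev(info["bytes"]),
        }
        for dev, info in by_dev.items()
    }


def score(records, baseline, sigmas=3.0, min_margin=0.5):
    """Return (device, hour, reason) for every record that departs from its profile.

    A device with no profile is itself a finding: an unknown sender is exactly
    what a retrofitted or rogue endpoint looks like from the network side.
    """
    findings = []
    for dev, hour, nbytes, dest in records:
        prof = baseline.get(dev)
        if prof is None:
            findings.append((dev, hour, "no-baseline"))
            continue
        if dest not in prof["dests"]:
            findings.append((dev, hour, f"new-destination:{dest}"))
        # Threshold is mean + sigmas*stdev, but never tighter than
        # mean*(1+min_margin), so a near-constant device does not alert on jitter.
        limit = max(prof["mean"] + sigmas * prof["stdev"], prof["mean"] * (1 + min_margin))
        if nbytes > limit:
            findings.append((dev, hour, f"volume-spike:{nbytes}>{limit:.0f}"))
    return findings


if __name__ == "__main__":
    profile = build_baseline(BASELINE_WINDOW)
    for finding in score(OBSERVED, profile):
        print(*finding)
```

The two in-profile rows produce nothing; the spike, the unknown destination and the unprofiled device each produce one finding. In practice the baseline window would be rebuilt on a schedule, and the `sigmas` and `min_margin` knobs are where the trade-off between oversight and noise from the paragraph above gets tuned.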

No global risk standards? No excuse. The IoT is an inherently shared ecosystem and operating model that crosses public and private sectors. Yet today, there are no uniform standards governing the IoT. If IoT partners operate strategically and cooperatively, immense value can be created for the consumer. However, in the absence of formal standards, this “shared responsibility” mindset toward security and its associated governance enforcement will not always work—security breaches can occur anywhere along the ecosystem, increasing the likelihood that this cooperative mindset will break down. Standards are almost certainly on the way, but most believe they’re years off. Meanwhile, the IoT continues to grow apace. Business and technology leaders have no choice but to begin developing and implementing their own global cyber risk standards, despite the lack of guidance.

While different industries have aligned in different consortiums, those in the TMT industries are widely expected to lead the charge. Interoperability among ad hoc point solutions is one issue where closer collaboration among all the players in the ecosystem is already beginning to happen. While much of the promise of the IoT lies in the ability to aggregate data, today’s data is generated in different formats, and sensors connect to different networks using different communication protocols. Without common standards governing the functioning of IoT-enabled devices, the barriers to interoperability are immense—but so is the potential business value derived from the IoT.

Retrofitting can work—but it introduces new risks. Some TMT companies are looking to implement IoT solutions on top of existing systems, or are closely collaborating with their own customers and partners who are attempting to do the same. Many of these existing legacy systems, which were once standalone and unconnected, are now vulnerable targets for hacking. Does that mean retrofitting should be avoided? Not necessarily. And given the cost of implementing new technologies, some of which may be obsolete in the near future, retrofitting may look like the stronger option.

Along the path to retrofitting, some are encountering new challenges. For example, with so many more points of communication introduced by the IoT, the simple, shared-system accounts and passwords associated with older security programs don’t pass muster. In other cases, it’s clear that purpose-built devices or add-ons designed specifically for the IoT are preferable. Either way, being aware of the risks arising from retrofitting, and accurately assessing them, are crucial steps to effectively managing these risks.

Loosely coupled systems can help now—in lieu of an overhaul. Even leaders working from a wish list of all the security features they would need to manage IoT-related cyber risks know that it’s unrealistic to expect to put them all to work in the near term. However, they can begin putting the tenets of such a system to work today, starting with the deployment of loosely coupled systems, which help ensure that the failure of a single device doesn’t lead to widespread failure. IoT solutions need to be implemented in a way that blends organization-specific operational capabilities with multilayered cyber risk management techniques.

* * * * *

The Internet of Things has moved from big idea to reality faster than most expected, much less planned for. But regardless of whether you’ve planned for it, it could already be influencing your organization’s cyber risk profile—and probably warrants more attention today. When organizations optimize their processes for IoT, they can uncover tremendous opportunity for value creation and capture, allowing them to innovate faster, make better decisions, and offer compelling products and services to their customers.

—by Irfan Saif, principal, Cyber Risk Services, Deloitte & Touche LLP