The Internet of Things, also known as IoT, is a relatively new phenomenon that comes with great benefits and some potentially high risks. While we enjoy the benefits, we ignore the risks at our peril.
A few years ago, no one but a few techies had even heard of the Internet of Things.
Broadly speaking, the ever-growing IoT refers to devices connected to the Internet for the purpose of information transfer or process automation. Building owners and managers and homeowners are installing more and more devices that yield productivity, cost savings and pure pleasure. The uses for these devices are almost limitless and include lighting, security, HVAC, communications, cellphones and their many apps, parking, utilities, scheduling and digital storage. Their boost to productivity, sustainability and convenience is a real plus and very good news for all of us.
Unintended and Unforeseen Risks
To put it bluntly, there are some serious unintended consequences that come along with the good news. These consequences arise from these devices and processes being installed and connected to the Internet with little or no understanding of the exposures they bring with them. They open a client’s most precious assets to unwanted intrusion and theft.
The Target breach is a vivid case in point. The intruders got into Target’s trove of customers’ personal information through its HVAC vendor (a classic IoT combination), and did it in such a way that Target did not notice the theft of its customers’ files until too late to do anything about it. Security professionals were not surprised. They know that the IoT has expanded the attack surface for the bad guys. Devices that are increasingly embedded in home and building ecosystems provide many more Internet points of entry for unwanted intrusion.
So, you might say, that was Target, obviously an inviting target, but no one would target my business—we are simply too small for anyone to care. In light of the May 2013 Verizon Data Breach Investigations Report, and other similar reports along the same lines, you might want to reconsider. “The ‘I’m too small to be a target’ argument doesn’t hold water,” the report states. “We see victims of espionage campaigns ranging from large multi-nationals all the way down to those that have no staff at all.” Other studies reporting that the vast majority of cyberattacks are aimed at small businesses are equally sobering.
“The scary thing about this number is that the small businesses are usually the least equipped to protect against an attack,” according to an Aeris Secure report. “Most hackers will prey on the weak. With technology being so prevalent in all businesses, few can afford to not pay attention and do whatever they reasonably can to protect their business and assets.”
A disturbing recent development for small businesses is the rise of “ransomware,” where a predator infects a company, usually a small one, with malware that encrypts the target’s data. The predator then demands a payment to provide the key. The payment demands to date have been small, and businesses usually pay them because the cost of pursuing other remedies is much higher. Imagine, however, this model being applied to a modern building where the predator takes over the elevators and demands a ransom to turn them back on.
Meeting Risks Head-On
This should be a wakeup call for all business owners. If you are paying attention but are simply overwhelmed by the deluge of scary information hitting your inbox every day, the question becomes: What can a business owner reasonably do to protect the business from cyberattacks emanating through the Internet of Things that likely will result in loss of critical assets, reputation and remediation time and money?
You can and should be able to address your IoT exposures, and many others associated with your Internet presence, efficiently, cost-effectively and in a timely manner. Because some of your exposures are related to information technology and others are not, your counsel and trusted IT governance and security partners should both be on your team. A few lawyers are recognizing that, in this ever-expanding cyberrisk field, lawyering alone will not get the job done. By the same token, forward-thinking IT governance and security professionals know there is a lot more to the incoming risks than can be handled by IT protection alone.
A few concrete examples of the appropriate lines of inquiry should make the case. For starters, lawyers should, at a minimum, review their clients’:
• Social media policies and practices to ensure they have them and are doing the right thing in using social media, or not, in hiring.
• Contracts with cloud computing vendors to ensure they provide the actual location of clients’ data, what kind of security safeguards the vendor has in place, and whether the vendor can execute a legal hold on data when instructed to do so by the clients.
• Privacy practices, including a policy vetted by counsel and posted appropriately, and effective access control requirements.
• Compliance with state and federal statutes regarding data security, including the Health Insurance Portability and Accountability Act.
The client’s IT governance and security professionals should review clients’:
• Computer system usage policies and procedures, employee access rights, backup protocols and change management policies.