Corporate Compliance Insights

IoT Devices: Lion Cubs Surrounded by Hyenas

Most Companies Are Unaware of Third-Party IoT Security Measures

by James McQuiggan
July 24, 2020
in Cybersecurity, Featured

IoT risk management and security don’t seem to get the attention they deserve until there’s a data breach. KnowBe4’s James McQuiggan discusses the often-overlooked cyber risk associated with using IoT devices and what organizations can do to protect themselves.

Thinking back a few weeks ago to a family movie I watched, I remember how it told the story of a lion cub that ventures out and discovers an elephant graveyard. To the lion cub, it seems exciting, and he wants to check it out. However, his father already warned him, telling him to stay away from the graveyard because it’s where the dangerous hyenas live. The young lion cub and his friend decide to explore it anyway and are soon surrounded by hyenas. Spoiler alert, the father leaps in at the last second to scare the hyenas off, and the lions head home. The IT administrator of an organization, in this case, is the father, and the young lion cub represents the IoT systems that connect to the network.

IoT devices are the young, curious cubs: they often lack basic security features, which makes a successful attack more likely. Organizations nevertheless keep adding them to their infrastructure, and every addition increases exposure and attack risk unless a robust risk management program is in place to isolate and secure the devices.

Consider how many IoT devices you have in your home (if you have a device that connects to the internet or your home network that doesn’t have a monitor or keyboard attached to it, it is most likely an IoT device). Your security cameras, baby monitors, lightbulbs, video-capable doorbells, smart TVs, smartwatches, thermostats, refrigerator and voice-activated speakers with personal assistants (Siri, Alexa, Google) are some IoT devices found in the home.

What about the IoT devices used in businesses?

Hopefully, Alexa is not used in the workplace, let alone at home within earshot of people's remote workspaces. With a significant part of the workforce now working from home, with all of their personal IoT devices on the same network as their office laptops, the risk of a cyberattack is significantly higher. IT departments cannot monitor your home network. This environment is essentially an IT admin's worst nightmare: the lion cub has wandered past the badlands and is stuck there for the foreseeable future.

Rush to Market

IoT risk management and security do not appear to be at the forefront for most companies until there is a data breach resulting from a compromised product. Only then does securing it become a high-level focus and the necessary security features get added: budgets are approved, resources are provided and the organization works to deliver a secure product. The race to get a product to market almost always wins out over the energy and resources needed to secure the IoT device adequately from the beginning.

IoT developers should build products that are not shipped with default passwords and that prompt users to change default configurations on first use. Using a secure development life cycle (SDLC) in which the information security department is involved from the beginning, with security review as a development gate, produces a more secure product. Building the proper security features into the device reduces the risk it carries. Otherwise, that risk is transferred to the organization that deploys the device, whose staff must then take steps to secure it properly.

There are also occasions where an organization does use a strong SDLC and still discovers a vulnerability in the product. In most cases a fix is provided, but it falls to the owner to mitigate the risk until the patch can be applied. The patch may also be held back because of availability concerns or problems implementing the fix, which leaves the organization exposed for longer and still responsible for mitigating the issue. From another perspective, how many organizations have IoT devices with known vulnerabilities and an available patch, but no change control program that covers the IoT devices?

Risk Management

Here's something cybersecurity professionals who are not a CEO or CISO may struggle to understand, as explained by the owner of a cybersecurity consulting company: your upper manager or C-suite officer accepts a lot more risk than the cybersecurity expert thinks should be taken on.

It's not unusual for a security professional to deliver a risk management presentation to upper management requesting that specific features, programs or policies be implemented to protect a product or internal function. When presenting to upper management, remember that for them it's not about security. It's about risk and how much risk is acceptable to them, and that amount is going to be a lot greater than we security professionals are willing to accept.

Your security is only as good as the weakest element in your organization’s risk management program. Your chain is only as strong as the weakest link. The same applies to your risk management programs for your suppliers, vendors or IoT devices.

Organizations that sell a product will work to get it to market quickly and worry about some of the risk later. C-suite management and board members accept a more significant risk than CISOs feel they should, and security professionals feel it's a game of Russian roulette when it comes to which programs get budget versus what they want to have completed.

IoT plays out the same risk scenario with products that lack the security features the security industry wants them to have, so mitigating measures are needed to secure the devices. It's challenging to secure an organization when the weakest link is an IoT device that has been accepted by the business and approved by upper management.

Compliance and IoT Can Be Tricky

Many compliance requirements may be difficult or even impossible to meet with an IoT device. For example, a product vulnerability assessment can document any open ports, but without credentials or an agent on the device it is often not effective at detecting the vulnerabilities behind them, and aggressive active scanning can itself crash fragile embedded devices. If an organization runs an active scanning tool across the network, it may be able to document a list of IoT assets. However, in most cases it's a challenge to track current servers and end systems, let alone IoT devices that might be connected and disconnected every day.

Another issue is the requirement to install anti-malware software on every device connected to the network. IoT devices typically run embedded firmware rather than the ubiquitous Windows operating system that endpoint agents are written for, so meeting this requirement is quite tricky. Finally, when it comes to identity and access management, IoT devices are often delivered with a single user account or hard-coded credentials, accessed locally over the wireless network or through Bluetooth for configuration. Compliance requirements for access focus on individual user accounts and hardened passwords. Many IoT devices are not capable of or designed for that type of granular control, which makes network access by external threats a more significant risk.

Actions to Take Now

With the increase in the use of IoT devices, there are recommended tasks and configurations that help reduce the risk of an IoT compromise. First, developers should ensure products are not shipped with default passwords and that users are prompted to change default configurations on first use. Default credentials are published in vendor documentation and compiled into attacker wordlists, so this single capability removes an attack that relies on nothing more than publicly known information or open source intelligence (OSINT).
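The first-use behaviour asked of developers above (and in the "Rush to Market" section) is easy to state and easy to get subtly wrong, so here is an added example of it in Python. This is not code from the article or from any vendor: the device ships with no working default password, refuses to do anything but accept a new password until one is set, requires a per-unit setup code to set it, and refuses well-known defaults and the setup code itself as the new password. The setup code, the default-password list and the class names are all constructed for the example.

```python
"""Added example (not from the article): first-use credential provisioning
for an IoT device, modelling what the article asks of developers.

The unit ships with no working default password. Until a password has been
set, the only action it will authorize is setting one, and that requires a
per-unit setup code (constructed here; imagine it printed on the label).
Well-known default passwords and the setup code itself are refused as the
new password. All names and values below are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of defaults of the kind found in vendor manuals and
# attacker wordlists; a real device would carry a much larger list.
KNOWN_DEFAULT_PASSWORDS = frozenset(
    {"admin", "password", "1234", "12345", "123456", "default", "root", "000000"}
)
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class AuthResult:
    ok: bool
    must_change: bool          # True while the device still needs provisioning
    reason: str = ""


@dataclass
class DeviceAuth:
    """Credential store for one unit. password_hash is None until provisioned."""
    setup_code: str            # hypothetical per-unit label code, never a login credential
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None

    @property
    def provisioned(self) -> bool:
        return self.password_hash is not None

    def authorize(self, action: str) -> bool:
        """Everything except setting a password is blocked until one exists."""
        return self.provisioned or action == "set_password"

    def _verify(self, password: str) -> bool:
        if self.password_hash is None:
            return False
        return hmac.compare_digest(_hash(password, self.salt), self.password_hash)

    def set_password(self, new_password: str, current_secret: str) -> AuthResult:
        """First call must present the setup code; later calls the current password."""
        if self.provisioned:
            if not self._verify(current_secret):
                return AuthResult(False, False, "current password incorrect")
        elif not hmac.compare_digest(current_secret.encode(), self.setup_code.encode()):
            return AuthResult(False, True, "setup code incorrect")
        pending = not self.provisioned
        if new_password.lower() in KNOWN_DEFAULT_PASSWORDS:
            return AuthResult(False, pending, "well-known default password refused")
        if new_password == self.setup_code:
            return AuthResult(False, pending, "setup code may not be reused as the password")
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return AuthResult(False, pending, "password too short")
        self.salt = secrets.token_bytes(16)   # fresh salt on every change
        self.password_hash = _hash(new_password, self.salt)
        return AuthResult(True, False)

    def login(self, password: str) -> AuthResult:
        """An unprovisioned unit never logs anyone in, not even with the setup code."""
        if not self.provisioned:
            return AuthResult(False, True, "device not provisioned; set a password first")
        if self._verify(password):
            return AuthResult(True, False)
        return AuthResult(False, False, "bad password")


if __name__ == "__main__":
    unit = DeviceAuth(setup_code="7Q2K-9XLM")                        # constructed label code
    print(unit.login("admin"))                                       # refused: not provisioned
    print(unit.set_password("password", "7Q2K-9XLM"))                # refused: known default
    print(unit.set_password("correct horse battery", "7Q2K-9XLM"))   # ok
    print(unit.login("correct horse battery"))                       # ok
```

The two design points worth copying are that the setup code is only ever accepted by `set_password`, never by `login`, so there is no "default login" to find in a manual, and that `authorize` refuses every other action until a password exists, so a device left on the network half-configured is inert rather than exposed.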

Within the organization, where the IT or information security departments need to protect and secure the network, compartmentalization into isolated network segments can significantly reduce not only the IoT device's access to the rest of the network, but also its exposure to the outside world. Isolating devices behind a firewall and restricting access to only the necessary ports and services limits exposure by limiting communication to what is essential.

Maintain a dedicated inventory of all IoT devices connected to the network, keep it current, and use it to stay abreast of updates for the devices. Apply updates as early as possible, to minimize both the impact on availability and the window of additional exposure in the environment.
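The inventory, the port restrictions and the patch tracking above, together with the scanning difficulty described under "Compliance and IoT Can Be Tricky", come down to one recurring job: comparing what a discovery sweep actually found against what the inventory says should be there. The following Python is an added example of that reconciliation, not code from the article or from any product. Both CSV inputs, the device models, firmware versions, MAC addresses and the per-class port policy are constructed for the example.

```python
"""Added example (not from the article): reconciling a network discovery
sweep against the IoT inventory, to catch the gaps the article describes:
devices on the network that nobody recorded, recorded devices that have
vanished, devices listening on services their class should not expose
(what the segmentation firewall should be blocking), and firmware behind
the vendor's current release. Both CSV inputs, the device models, firmware
versions and the port policy are constructed for the example.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical policy: services each device class is permitted to listen on.
ALLOWED_PORTS: Dict[str, Set[int]] = {
    "camera": {443, 554},          # HTTPS admin page, RTSP video
    "thermostat": {443},
    "printer": {443, 631, 9100},   # HTTPS, IPP, raw print
}

# Hypothetical current firmware per model (in practice, from vendor advisories).
CURRENT_FIRMWARE: Dict[str, str] = {"CAM-200": "2.4.1", "THERM-X": "1.9.0", "PRN-7": "5.2.0"}

# Constructed inventory export (what the spreadsheet or GRC tool would hold).
INVENTORY_CSV = """mac,model,device_class,firmware,owner
aa:bb:cc:00:00:01,CAM-200,camera,2.4.1,facilities
aa:bb:cc:00:00:02,CAM-200,camera,2.3.0,facilities
aa:bb:cc:00:00:03,THERM-X,thermostat,1.9.0,facilities
aa:bb:cc:00:00:04,PRN-7,printer,5.2.0,it
"""

# Constructed discovery sweep export: one host per row, open ports joined by ';'.
SWEEP_CSV = """mac,ip,open_ports
aa:bb:cc:00:00:01,10.40.1.11,443;554
aa:bb:cc:00:00:02,10.40.1.12,23;80;554
aa:bb:cc:00:00:04,10.40.1.14,443;9100
de:ad:be:ef:00:99,10.40.1.77,80;8080
"""


@dataclass
class Finding:
    mac: str
    kind: str      # unknown_device | missing_device | disallowed_port | outdated_firmware
    detail: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that 2.10.0 sorts after 2.4.1 (string comparison would not)."""
    return tuple(int(part) for part in version.split("."))


def load_inventory(text: str) -> Dict[str, Dict[str, str]]:
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def load_sweep(text: str) -> Dict[str, Tuple[str, Set[int]]]:
    seen: Dict[str, Tuple[str, Set[int]]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        ports = {int(p) for p in row["open_ports"].split(";") if p}
        seen[row["mac"].lower()] = (row["ip"], ports)
    return seen


def reconcile(inventory: Dict[str, Dict[str, str]],
              sweep: Dict[str, Tuple[str, Set[int]]]) -> List[Finding]:
    findings: List[Finding] = []
    for mac, (ip, ports) in sweep.items():
        item = inventory.get(mac)
        if item is None:
            findings.append(Finding(mac, "unknown_device",
                                    f"{ip} listening on {sorted(ports)} is not in the inventory"))
            continue
        allowed = ALLOWED_PORTS.get(item["device_class"], set())
        extra = sorted(ports - allowed)
        if extra:
            findings.append(Finding(mac, "disallowed_port",
                                    f"{item['model']} at {ip} exposes {extra}; allowed {sorted(allowed)}"))
        current = CURRENT_FIRMWARE.get(item["model"])
        if current and parse_version(item["firmware"]) < parse_version(current):
            findings.append(Finding(mac, "outdated_firmware",
                                    f"{item['model']} runs {item['firmware']}, current is {current}"))
    for mac, item in inventory.items():
        if mac not in sweep:
            findings.append(Finding(mac, "missing_device",
                                    f"{item['model']} owned by {item['owner']} was not seen"))
    return findings


def run() -> List[Finding]:
    return reconcile(load_inventory(INVENTORY_CSV), load_sweep(SWEEP_CSV))


if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:18} {f.mac}  {f.detail}")
```

Two caveats for real use. MAC addresses are matched here because that is what a switch, DHCP server or ARP sweep gives you, but they can be spoofed or randomized, so an "unknown_device" finding is a prompt to investigate, not proof of a rogue. The firmware version is read from the inventory, which is only as current as its last update; where the device has a management API, pull the running version from the device instead. And keep the sweep itself gentle: a telnet port on a camera (the 23 on the second camera above) is exactly the kind of thing the segmentation firewall should already be blocking, and exactly the kind of device an aggressive scan can knock over.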

Risk Management Tools for IoT Devices

Several tools are available to mitigate and manage risk for IoT devices. At a minimum, every organization should have policies, processes and documentation covering all of its IoT devices, and a governance, risk and compliance (GRC) program that supports compliance needs, risk mitigation and a repository for those policies and procedures. A spreadsheet can track the policies and links to policy and procedure documentation, but a GRC application frees up resources and increases productivity: it tracks policies, procedures, evidence and other documentation mapped to the requirements of one or more sets of standards, eliminating duplicate work.

The IT departments will always need to wrangle those lion cubs. Still, if an organization provides the proper tools, resources and funding, it can support a more robust compliance culture. These actions can significantly reduce the risk of exploitation and compliance violations, which lead to loss of reputation and, most important to a profitable organization, loss of revenue.


Tags: Cyber Risk, Data Breach, Internet of Things (IoT)

James McQuiggan

James McQuiggan

James McQuiggan is a Security Awareness Advocate for KnowBe4. Prior to joining KnowBe4, James worked for Siemens for 18 years, where he was responsible for various roles over that time. James was the Product & Solution Security Officer at Siemens Gamesa Renewable Energy. There, he consulted and supported various corporate divisions on cybersecurity standards, information security awareness and securing product networks. In addition to his work at Siemens, James is also a part-time faculty professor at Valencia College in the Engineering, Computer Programming & Technology Division.

© 2022 Corporate Compliance Insights
