Private equity firms searching for the next big thing are looking with excitement to the Internet of Things (IoT) and the Gartner forecast that 20.4 billion connected devices will be in use by 2020. IoT growth rates are astounding, but the risks and rewards for investors will come from how industry players deal with new security threats.
The proliferation of IoT devices means more equipment is vulnerable to a security breach than ever before. That’s everything from virtual voice assistants and washing machines in your home, to manufacturing robots and physical access controls (keys, fobs and motion detectors) at your workplace.
Many experts say the answer is to integrate physical and cyber security systems. “By managing security holistically, companies improve coordinated response and recovery,” said G. Mark Hardy, president of National Security Corporation, in an email response about the issue.
Despite these benefits, companies are coming up short. The experts I spoke with see little progress and misdirected resources, both in terms of business planning and consumer protections. Most organizations are reactive when it comes to cyber risk. At the same time, consumer product companies are skimping on security to reduce costs and enhance profits, while diverting everyone’s attention to convenience. It’s the kind of poor leadership that creates extraordinary risks for investors and others.
“Out of Business in Six Months”
“Because they secure sensitive, personally identifiable information, a company is a fiduciary of that information. That means they have a fiduciary responsibility to safeguard that information,” said Darren Guccione, CEO and co-founder of password manager Keeper Security, in an email. “Failure to do so, especially for a small to medium-sized business, can be catastrophic.”
Mr. Guccione says nearly 60% of all small businesses that experience a pervasive data breach are out of business in six months and that larger companies often experience brand damage, loss of customers and litigation costs.
An eerie example of consumer IoT issues occurred this year when Walmart, Amazon and eBay reportedly stopped carrying connected teddy bears from toy manufacturer CloudPets after two million recorded messages from parents and children were exposed to potential hackers.
Mr. Hardy, a high profile speaker and instructor on cyber security, explains that cost is the underlying issue: “As most devices use IP (internet protocol) for communications, it is unlikely that a proprietary standard will emerge. That suggests a ‘race to the bottom’ in manufacturing and marketing costs for most IoT technology in the absence of enforceable patents.”
Robert M. Lee, CEO and founder of Dragos, Inc., an industrial cyber security company, puts it plainly: “Many IoT vendors have completely sacrificed security to lower cost. Instead of building security in as we already know how to do, IoT vendors are compromising on it.”
An ‘Always Present,’ ‘Always On’ Mentality
While cost is the issue, a lack of corporate leadership and oversight is exacerbating the problem. Too many boards and their top management teams are delegating security to IT and other experts without sufficient oversight.
A 2017 survey of 600 organizations with more than 500 employees by IDC showed that 75% of firms didn’t have a managed incident response plan, even though more than half of organizations experienced 10 or more security incidents or alerts each week. The same survey found that only 35% of firms have an incident-response process that includes reporting any security breach to their board. In early December, the National Association of Corporate Directors (NACD) released a survey of 500 public company directors, with only 52% saying they understand cyber risks sufficiently to provide effective oversight.
The statistics are alarming because the impetus to join physical and cyber security has been around a long time. In healthcare, it dates back to 2005 and the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), which requires physical, technical and administrative safeguards, according to Dave Newell, a former U.S. Air Force officer with the Pentagon’s 7th Communications Group and founder of Loptr, an information security company. For credit card merchants, Mr. Newell notes that the Payment Card Industry Data Security Standard (PCI DSS) defined physical security expectations for cardholder data as early as 2004.
“Even though the regulations had this direction, organizations generally had some person, maybe an ex-cop, who was responsible for physical security and another, in IT, responsible for the technological security,” Mr. Newell says. “A lot of organizations just didn’t connect the two.”
“We need to have an ‘always present,’ ‘always on’ mentality, but people don’t think about it until they encounter an event,” says Ted Schneider, chief technology officer of ARCOS LLC, a provider of resource management solutions for utilities, manufacturers and airlines.
In an IoT world, Mr. Schneider foresees the threat of someone putting together disparate data in a system that isn’t integrated, for example HR, payroll and financial systems. “On its own, it could be harmless,” he says. “But in such a scenario, compounded clean data suddenly becomes a cyber threat.”
A Contrarian View
Mr. Lee disagrees with the emphasis on combining physical and cyber security and says the real issue is companies confusing enterprise IT with industrial security and misdirecting their resources. While he believes companies should combine physical and cyber security data, he says the two are separate threat models.
“There needs to be an awakening that almost every company is an industrial company,” he says, noting that organizations without three- to five-year, board-level industrial security strategies risk everything from safety to intellectual property. “As we connect more and more with IoT, we’re opening up risks.”
Mr. Lee, a former cyber warfare operations officer with the U.S. Air Force (tasked to the NSA), points to the 2015/2016 cyber attacks in Ukraine, which shut down electric power for the first time in history, as an example for industrial security planning. “Figure out the way those cyber attacks occurred to identify methods for preventing it from occurring with other facilities,” he says.