Recent news reports suggest that intelligent devices -- those that connect to the internet and communicate with other devices -- could spy on people and be susceptible to other unsavory activities. For example, cars of today, with their built-in intelligence and network connectivity, could be remotely controlled.
This brings us to the internet of things (IoT), which touches just about anything that has embedded intelligence and communications capabilities. This article examines how such developments may impact your organization, why you need an IoT risk management strategy, and how you can adjust your business continuity (BC) and disaster recovery (DR) planning to respond to these issues.
A risk assessment (RA) identifies potential threats and vulnerabilities, while a business impact analysis (BIA) identifies their potential operational, financial, competitive and reputational impact to the organization.
From a technology perspective, a common risk is the loss of internet access. Most organizations today depend so much on internet access that its loss, even for a short period of time, could be disastrous. An RA may further uncover vulnerabilities in the way internet access is engineered. For example, having only one internet service provider (ISP) is a major single point of failure. But that problem can be fixed easily by using two ISPs with different facility routing.
What to include in IoT risk assessments
If you move beyond basic internet access to IoT risk management, your approach must change. From an RA perspective, you must expand your field of vision to identify additional risks, threats and vulnerabilities that might otherwise be ignored. A best practice would be to conduct an IoT risk assessment.
In an IoT assessment, you should look at everything that connects to the internet; for example, office devices such as desktop systems, laptops, printers, scanners, copiers and fax machines. You would also include all networked devices in the data center, whether they are located on site, are collocated or are in a cloud. External organizations with whom you connect -- such as key clients and vendors, and social media -- must also be examined.
Next, you should add items such as closed-circuit television security systems, physical access control systems (such as proximity card access), HVAC systems, fire detection and suppression systems, building lighting systems, backup power systems (such as uninterruptable power supplies and external diesel generators), vending machines, microwave ovens, coffee makers, smartphones, notepads, digital cameras, internal television systems, video conferencing systems and even office building garage door openers.
Once these items are factored into an IoT risk management assessment, you can begin to identify additional potential vulnerabilities where internal and external agents can exploit your organization's systems and technology.
The process of connecting the dots may be useful to identify hidden relationships among internal and external systems and individuals. Once potentially disruptive relationships are uncovered, the next step is to identify ways to prevent them from happening, and to mitigate their severity if they occur.
Stop IoT threats before they start
Work with experienced third parties, such as law enforcement agencies, local and state offices of emergency management, and forensic experts who are trained in IoT risk management and can recommend remedies.
Once IoT threats have been identified, use the BIA process to identify what might happen to the organization if an IoT-based disruption occurred. One potential impact of such an event might be damage to the firm's reputation due to critical systems functioning improperly. For example, an external agent could remotely manipulate critical system control data before it arrives at a customer location, resulting in system malfunctions and disruption to the customer's business.
The potential impacts to your organization could be significant if someone or some organization is able to take over your firm's operations using the internet. These events are happening more often, but it's possible to protect against them with the proper IoT risk management plan.
Ensure your network perimeter protection is up to date and continually being enhanced. This includes firewalls; intrusion detection and prevention systems; enhanced network monitoring technology; and antivirus, antispam and antiphishing software. Ensure your data is encrypted both at rest and in transit. Replicate critical systems, virtual machines and data regularly, so you can recreate your original environment. Take a close look at your employees and consider who might be capable of using IoT to disrupt the company.
And if something does happen that can't be immediately explained, your updated BC plan will explain the steps to take to notify employees, key stakeholders, law enforcement, government agencies and others of the incident (assuming communications devices are not compromised). That may be the most important BC action you can take when dealing with an unknown threat.
Enterprise guide to getting started with IoT
Perform a risk analysis to learn where to focus DR resources
Webcast: Problems with internet of things security