A Human Prescription to Internet of Things Security
Implementing an Internet of Things security strategy requires confronting cultural as well as technical challenges.
November 19, 2018
By Marcia Elaine Walker, SAS
While Internet of Things (IoT) technology is widely discussed for its transformative business applications, especially in manufacturing, the threat of cyberattack leads some to view such a broad network of devices, sensors, software and connectivity with skepticism. A steady stream of news reports detailing massive data breaches confirms that the danger inherent in IoT deployments is real.
With estimates that connected devices could reach 20 billion to 30 billion by 2020, up from 10 billion to 15 billion devices in 2015, according to McKinsey and Co., the risk will surely grow. In my IoT conversations with enterprise IT leaders, the number one concern they express is security.
But digitally-driven organizations can take valuable steps to maintain data integrity from a source through any point of analysis and decision support, both central and local, to enhance confidence that data assets are secure. Surprisingly, though, the most important steps in addressing Internet of Things security might have less to do with technology and more to do with corporate culture and employee behaviors.
So, what are some of the most important Internet of Things security measures a manufacturer can implement immediately to help keep data and networks more secure? Let’s look at the most important ones.
Assess culture. The most vital step and one that requires little or no incremental cost is an honest cultural assessment. Ask open questions, perhaps using a tool that allows for anonymity, about the practices that drive users crazy and motivate them to create the dreaded “shadow IT.”
For example, if it takes four weeks for the IT department to generate a customer report for the shipping department, the shipping team may maintain their own copy of customer data on a cloud storage site. Anyone on the shipping team can now download the customer data file to their laptops to get their weekly staff reports done in time for the staff meetings. But consider the risk to your organization if one of those laptops is lost or stolen.
Honest metrics. Similarly, take a hard look at organizational metrics, and ask what kind of behaviors they drive that could be counterproductive to security. If maintenance engineers are on call and investigate every alarm, regardless of severity – even if it happens at 2 a.m. – they might very well be motivated to install a 4G-enabled video camera to keep an eye on the facility from home. This seemingly harmless hack would allow them to “check things out” without driving across town in the middle of the night.
However, those sleep-deprived engineers might not inform IT about this workaround. A 4G hotspot—or the camera itself—might be installed in a way that unfortunately provides hackers an entry point to the rest of your organization. Look at your organization holistically and remember the human element.
Shadow IT. The best fix for shadow IT is an “amnesty period” allowing users to come forward and declare their unauthorized technology with no negative consequences. Their underlying problems can then be addressed in a manner consistent with the company’s security strategy. Once this is completed and strong security controls are in place, it can also help to hire a “white hat” hacking organization to try to penetrate network defenses. An ethical hacker will think in ways that an insider won’t. Too often the weak points found will have more to do with human factors than with the technology itself.
Ongoing cybersecurity. For the longer term, it is essential for an organization to understand that cybersecurity is an ongoing process – not a once-and-done exercise. Users tend to become complacent over time, so periodic spot checks are essential, as are regular formal security audits.
With or without budget constraints, effective cybersecurity training for everyone in the organization is essential, as is establishing a culture that values IT security. Believe it or not, some staffers still aren’t aware of the danger of clicking on a link received by email.
Furthermore, corporate leaders must demonstrate through their own behavior that it is normal and expected to question things. For example, model how to politely yet effectively question strangers in the hallways as to the purpose of their visit and who their employee contact is – then walk them over to that employee. Start each meeting with a security reminder to keep it top of mind just as manufacturing companies have done for many years around physical safety.
While it is true that the above security measures apply to all technology deployments – not just IoT – they matter even more for an IoT-enabled enterprise because of the breadth of its reach. The human and cultural elements can make or break your IoT security strategy.
Marcia Elaine Walker is the Principal Industry Consultant for Manufacturing at SAS. Follow her on LinkedIn or @MWEnergy on Twitter. Follow SAS news @SASsoftware on Twitter.