Machine-to-machine (M2M) communications are on the rise. From tracking room temperatures to monitoring equipment battery levels, these connected devices already have a solid foothold in today's corporate networks, and together they contribute to the Internet of Things (IoT). The number of machines being added to the IoT is increasing rapidly. Research and analyst firm Gartner expects 4.9 billion connected devices to be in use in 2015. By 2020, that figure is estimated to rise to 25 billion "things." It's an evolution CUs must be ready to manage.
While there are many benefits to organizations leveraging IoT technology — reduced energy consumption, more effective use of resources, etc. — there are also a number of risk areas CUs should be aware of as their IoT initiatives ramp up. Security is one of the most pressing concerns, with the risks falling into two primary buckets.
One primary worry revolves around the protection of data flowing through the enterprise. There's the potential that some of the information could be highly sensitive. Systems used in facilities management may transmit information about occupancy schedules or equipment locations, offering a blueprint for breaking into sensitive areas of a facility.
Employees and members may also have personal data traveling across the network while in a branch. Those with an implanted medical device that communicates patient status (heart rate) or device status (battery level), for example, may be part of the IoT. Some of that information is extremely sensitive, and though it isn't part of a CU's normal operations, it's still expected to be private and secure.
The Flip Side: Network Security
The flip side of the security coin relates to the security of the network itself. As the Target hack showed, once an intruder has gained access to the network — even if it's through an otherwise innocuous system — they're likely to have a far easier time finding the higher-value data they actually want.
Privacy risks are also increasing as the IoT becomes more widespread. All manner of habits, preferences, routines, physical conditions, locations, and other data may be culled from connected devices or the networks supporting them, potentially providing far greater detail into private or protected activities than has been available in the past.
CUs can take some steps now that will help keep evolving privacy and security concerns under control.
Personal privacy issues are real and must be addressed. WiFi-enabled smartphones and Bluetooth-enabled wearable health monitors are just a few of the increasingly ubiquitous consumer devices that may be connecting through CU networks and openly transmitting access credentials, health information or other personal data. CUs need to recognize that Internet-enabled devices used by employees and the Web-enabled refrigerator in the breakroom all pose risks.
CUs Must Take Action
As M2M communications increase, CUs must expand existing policies and procedures to address new types of risk. Organizations must be diligent about monitoring connected devices throughout their lifecycle and ensuring vulnerabilities are patched quickly, even if the device is formally managed by a group other than IT. In addition, employees and any contractors with access to either the network or the machines connected to it should receive regular training to ensure IoT security best practices are understood and used.
Though most CUs already have well-developed security practices for privacy and data protection, it makes sense to expand the methodologies to compensate for the security posture of the typical "thing." While smartphones and tablets include security features, most devices connecting through the IoT weren't originally designed to support much (if any) security technology. These devices may not have operating systems capable of launching antivirus software, or be programmed to establish the sort of secure handshake firewalls expect to see. The security of new "things" should be reviewed during the evaluation and implementation phases, so accommodations and additional protective measures can be considered and instituted.
Vendors contracted by the CU to provide, install or monitor connected devices must also maintain their own appropriate levels of security. CUs will want to implement ongoing oversight to ensure these external partners maintain appropriate security postures themselves. This approach enables CUs to remain in compliance with applicable regulations even as their technology profile evolves.
Whether we like it or not, we need to expect that every device that we currently accept as 'dumb' (meaning not Web-connected) will be connected in the future. In the coming years our cars, thermostats, wristwatches, glasses, refrigerators, microwave ovens, and even pacemakers will all be able to communicate and provide information wirelessly via the Internet. Considering this issue now, rather than in five years, is the key to coping with the new risks that emerge in this area.
Eduard Goodman is chief privacy officer for IDT911.