According to Gartner, this year will see the number of “things” connected to the internet rise to 6.4 billion, up 30% from 2015. By 2020, Juniper Research predicts 38 billion devices will be connected while global tech giant Cisco predicts 50 billion.
This exploding growth isn’t the only astonishing thing; the variety of devices is too. From laptops and mobile phones to baby monitors, gardens, cars and cows – they’ve all been connected and are quietly gathering data.
Humans too. Hannes Sjoblad, chief disruption officer at Epicenter in Stockholm, has had a microchip implanted under his skin. The near-field communication chip lets him swipe into his office, set the alarm, register loyalty points at nearby retailers and access the gym.
Opportunity and risks
Deeper and wider knowledge can give businesses large and small the chance to identify operational efficiencies as well as sales and service opportunities.
For example, if a supplier knows a retailer’s stocks are running low – because the “smart shelf” inventory tags in the supplies in the retailer’s store are reporting their status to the supplier’s systems directly – those supplies can be automatically refreshed without the need for the retailer to remember to place a new order.
But while the influx of data from each connected device could help build a bigger and better picture of a business, it doesn’t come without risk.
Networks with a wide range of integrated but differing devices can vastly increase the complexity of managing information security. Device compatibility plus data integration and privacy are just three of the immediate risks that spring to mind.
Gartner also predicted that by 2017 half of employers would require employees to bring their own devices to work, or use them to work from other locations. But each device accessing a company’s network can increase the amount of time and resource required to identify, manage and mitigate the associated security risks.
As Tony Anscombe, senior security evangelist for AVG Business, a global provider of security solutions, explains, “Cybercriminals are constantly probing hardware and looking for flaws in software to exploit. They’re scanning the airwaves and harvesting passwords and other personal identity data from wherever they can.
“My advice is simple: every connected device, be it company-owned or an employee’s personal device being used for work, needs to be included in your business-wide security plan. If you’re aware of it, you can mitigate the associated risks.”
Anscombe continues, “Employees using their personal smartphones to access company data might also be using them to control a growing variety of other devices in their working environment. Once given access to company WiFi, employees might be using their own mobile to set the office temperature or turn on the lights.
“This might be convenient, but these other devices also have the potential to give up the office WiFi password. If a hacker gains access to a personal device, they might be able to use it to gain access to business systems or devices.”
The Internet of Things is an evolving phenomenon. There isn’t a universal approach to software or infrastructure development, or to data or device standards and security.
Many of the companies developing products and services for it are competing with each other. Organisations like the Online Trust Alliance and its very high-profile members, however, are on a “mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet”.
It can be hard to define and mitigate risks when the landscape is unclear or rapidly evolving. However, in spite of this unstable environment, there are some key questions that any business can use to help reach a decision about whether or not to connect a particular device.
1. How will this device affect the business’s security perimeter? Will it open up a new “attack vector” (point of entry) for a hacker to exploit?
2. How will this device be kept up to date with the latest software and security patches – and will it need to be physically secure?
3. How will this device capture, process and share data – has that process been mapped out and security weaknesses mitigated?
4. How will this device communicate and integrate with other devices or systems inside and outside the network – e.g. via a router or Wi-Fi hotspot – and is the appropriate level of “gateway” security in place?
6. Will this device follow the “law of least data”? If data is being shared via or stored in the cloud, is this strictly necessary?
7. Is the device built and supported by an established and well-supported brand or “rookie” entrant to the market?
8. Who will be using this device and data, and how might their identity or access privileges be used to gain illegitimate access?
9. Review GCHQ’s Ten Steps to Cyber Security and revise your security accordingly.
10. If a new device is going to be connected, a strong password is critical alongside two- or even three-factor authentication.
As ever, having the right questions to hand is only one part of managing risk effectively. Knowing what to do with the answers is the other part.
These questions won’t last forever either. They’ll need to evolve as technology, culture and behaviour evolve. New risks and opportunities will emerge for businesses to consider, and with them new questions to ask and new answers to find.