The world of internet-connected devices is opening up new possibilities for organizations to interact with sensors and gather data. However, it’s also expanding the attack surface for threat actors, say IT leaders in a new podcast.
The risks can include the lack of protection around IoT devices, the way devices communicate with each other or the way devices connect to networks.
For IT leaders in the private and public sectors, the driving concern is how to assess and manage those risks as agencies converge IoT with traditional IT environments, says Sean Peasley, partner at Deloitte Risk & Financial Advisory.
That convergence is becoming increasingly commonplace, for example, as smart cities incorporate sensors and devices that communicate with the surrounding infrastructure, says Peasley. To take advantage of developments like these, organization leaders need a better understanding of cyber risk and of what their risk tolerance should be.
IoT devices also bring new challenges for chief information security officers, says Tim Li, principal at Deloitte Risk & Financial Advisory and Deloitte’s Cyber Risk Services. Li shares steps enterprise leaders can take to expand current risk assessments around IoT in this “Cyber Everywhere” podcast series, produced by CyberScoop and underwritten by Deloitte:
What CISOs should consider for their cyber risk portfolio
As the number and diversity of IoT devices increase, so do their own respective threats and vulnerabilities, Li says.
“A lot of these systems are what you call a cyber physical system. They’re engineered for much longer lifespans than your traditional IT systems. And that is actually very much incongruent with the changing cyberthreat landscape. When you have system complexity, limited allowable downtime, these are systems that may be more difficult to patch and update,” Li shares.
Minimizing security and privacy concerns
IoT environments and devices typically have lifespans that can exceed 10 years, and device manufacturers may not have embedded security capabilities at a time when those devices were not necessarily connected to the internet or to networks, Peasley says.
IT leaders “need to think about first having a cybersecurity program around these operational environments or these IoT environments. And that starts with things like performing cyber risk assessments to understand the threat risk in the environment,” he says.
By understanding risk, they can take the appropriate action based on both the stated risks and the requirements for the industry, he adds.
How to integrate IoT devices and systems into the enterprise cyber risk assessment
“Organizations [should take steps] to help ensure that they understand their risk, what their risk tolerance should be — or they are willing to accept — as well as how do they actively help to improve the risk management over those IoT environments,” Peasley says.
Li adds that “having the right lens as you look at risks is going to be really important.” Li suggests several questions to consider as you bridge IT and IoT:
- What does the supply chain look like?
- What does the operating ecosystem look like?
- Looking collectively across the entire inventory of devices, what do they all do?
- What are the things that you can do to drive security during design?
Additionally, Li suggests using recent National Institute of Standards and Technology (NIST) guidelines that help leaders understand how to manage IoT cybersecurity and privacy risks, and what recommendations IoT device manufacturers should be following.
Sean Peasley has worked for the past three decades on cybersecurity challenges in both enterprise and Internet of Things environments, including cyber threat intelligence, wargaming, identity and access management, IoT systems and a host of other areas.
Tim Li specializes in cyber risk management and strategy for federal and state government and higher education. He has spent more than 20 years helping organizations with cyber strategy, data protection, cloud security and risk management.
Listen to the podcast for the full conversation on IoT Connected Communities. You can hear more coverage of “Cyber Everywhere” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by CyberScoop and underwritten by Deloitte. Deloitte is formally known as Deloitte & Touche LLP, a subsidiary of Deloitte LLP. For more details, see www.deloitte.com/us/about.