ISMS as a Solution to the Internet of Things

Candice Wold
4 min read, Aug 9, 2017

The Internet of Things (IoT) landscape has brought forth an array of issues. The problems vary so widely that it is hard to maintain focus on just one. With issues ranging from transparency principles to shifting global regulations, there are many opportunities for those looking for tough challenges. In a climate which on the surface seems like the wild west, how does a business developing IoT devices navigate the landscape? An information security management system (ISMS) with comprehensive risk management is the best way to secure your IoT devices in an evolving climate.

The technology industry is quickly coming upon an age where technology is setting the pace and industry is struggling to keep up. The October 2016 DDoS attack on Dyn, which disrupted some of the internet's largest services[1], was the first of its type the internet has seen. There is great reason to believe that we are just beginning to witness the vulnerabilities of the vastly unprotected network that is the Internet of Things. Research and advisory firm Gartner, Inc. stated in a press release that the installed base of IoT devices will grow to over 26 billion (that’s right, billion) units by the year 2020, resulting in “revenue exceeding $300 billion.”[2] This growing number of devices represents growth not only in revenue but also in attack surface. A larger attack surface means the data these devices collect is at higher risk unless the threat vectors can be prioritized and controlled. Efficient and meaningful risk assessments that prioritize risk areas and threat vectors are essential to securing these IoT devices and maintaining that security over time.

Another way to increase security is to reduce the amount of data collected in the first place. The trend is for devices to collect more data rather than less, but companies can prioritize which data is collected so that less information is gathered per person and per device, and therefore less data is collected overall than would otherwise be the case. The less data available, the less data there is to lose. According to the Ponemon Institute 2016 Global Analysis on data breaches[3]:

“The more records lost, the higher the cost of the data breach. In this year’s study of 383 organizations, the cost ranged from $2.1 million for a loss of less than 10,000 records to $6.7 million for more than 50,000 lost or stolen records.”

Data minimization is important for business risk minimization, but alas, business must continue. To eliminate data collection would be to eliminate risk, but then there would be no problem to solve. How else can data management provide security? We can begin by asking a few very simple questions: What data is each IoT device collecting? Is this data assigned a priority or classification? Is any of the data collected considered Personally Identifiable Information (PII)? Is any of the data collected considered Personal Health Information (PHI)? How is the priority or classification of data from different Internet of Things devices distinguished? The answers to these questions, when asked in the context of a risk assessment, help to prioritize the data being collected and ensure that important decisions about data storage, transfer, encryption, and access are informed and beneficial to the overall security of the data.

If risk areas and data classifications need to be prioritized, then so do the possible security solutions for IoT devices. According to the Ponemon Institute[4], “Investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches.” These are just a few of the solutions often touted as the holy grail of security. However, the proposed tenets of security seem close to infinite: Use complicated passwords. Lock your screens. Push your vendors to upgrade often. Push your vendors for contract reviews and certifications. Achieve your own certifications! Perform background checks — you’re only as strong as your weakest link. It doesn’t stop there — one need only do a simple Google search to find an endless supply of tools meant to keep you secure, each detached from any comprehensive solution. How does any organization accomplish all of these proposed ideas? How do they push through the fog to see what’s important? As the CSA states[5], “not all the recommendations are necessary or even realistic.” Few organizations are talking about the great truth, which is that there is never 100% security. Prioritization is the only reasonable answer, and prioritization can only be achieved through a comprehensive ISMS and risk management strategy.

The future is connected intelligences. Businesses collecting data need to understand that they are in the data business, and that security and privacy controls come with that. Awareness of risk areas, prioritization of data, and prioritization of security controls are the key actions necessary for the security of Internet of Things devices. A comprehensive risk management strategy delivered through an ISMS will prioritize the right solutions for your business and enable you to maintain security in a rapidly evolving technology environment.

[1] Nicky Woolf, “DDoS Attack That Disrupted Internet Was Largest of Its Kind in History, Experts Say,” https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet (accessed February 18, 2017).

[2] Janessa Rivera and Rob van der Meulen, “Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units by 2020,” http://www.gartner.com/newsroom/id/2636073 (accessed February 19, 2017).

[3] Ponemon Institute LLC, 2016 Cost of Data Breach Study: Global Analysis (June 2016), 3.

[4] Ponemon Institute LLC, 2016 Cost of Data Breach Study: Global Analysis (June 2016), 2.

[5] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0 (2011), 8.
