Internet of Things: Security, Compliance, Risks and Opportunities
The Internet of Things (IoT) is driving an information-led shift to connected devices across the enterprise world.
Enterprises are vying to put more and more of their devices on the network so that larger volumes of data can be harvested. That data can be used to build a better understanding of consumers and markets, and to improve supply chains and business processes.
With more data available, businesses can make better-informed decisions, evaluate the performance of their products in a new light and look at their operations from more refined perspectives.
The trend is taking place across the board, in all sectors. A Gartner report estimates that by 2019 the enterprise market will be using 23.3 billion connected devices. But reliance on connected devices brings a broad set of risks to businesses, especially given the large amounts of consumer data and proprietary information that may be involved.
A major downside of this trend is that, with such large data networks to manage, every industry also faces a substantial set of compliance standards it must consider when using connected devices. Non-compliance has two-pronged consequences: in the event of a data breach the responsible organization may have to pay heavy damages and fines, and its reputation with consumers may take a nosedive.
Security Standards and Major Breaches
Healthcare
Healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects protected health information (PHI), so every connected medical device that stores, processes or transmits PHI falls within its scope, and the covered entity must ensure that the privacy of that data is not compromised in any case.
The HITECH Act of 2009 strengthened HIPAA's enforcement provisions: healthcare entities and their business associates now face not just regulatory fines but civil and criminal liability for neglect of patient data. Yet there are obvious gaps in practice. In 2013, 44% of all reported data breaches hit medical organizations.
With the rapid growth in the use of connected devices, the number of risk points in the healthcare sector will only increase wherever compliance with the standards is inadequate.
Credit Card Processors
Any business that stores, processes or transmits cardholder data, from retailers to payment processors, is bound by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS requires businesses to protect cardholder data, encrypt it during transmission over open networks and restrict physical and logical access to the data to what is strictly needed for business.
Card-handling businesses have been among the primary targets of cyber-attacks in the past few years. The theft of 40 million credit and debit card numbers from Target's point-of-sale terminals in late 2013 is a recent example, and notably the attackers reached the point-of-sale network through credentials issued to a third-party vendor rather than through the terminals themselves. With more connected devices in the loop, the points of vulnerability increase correspondingly, and non-compliance leaves the door open to data breaches and the consequent financial losses.
Banks and Financial Institutions
Financial institutions such as banks have been slow to meet regulators' cyber-security expectations, including the Securities and Exchange Commission (SEC) guidance on cyber-security. Consequently, data breaches keep hitting the banking sector one after another.
In 2014 alone, more than 900 million records were reported breached in the finance sector. With more and more enterprise connected devices being incorporated into banking, a disaster is imminent unless compliance with the standards improves rapidly.
What Needs to Be Done
IoT can be a complex environment. Understanding the risks, opportunities and challenges in IoT is the first critical step towards an effective and secure implementation.
Experts describe an IoT system in terms of its attack "surfaces": the device itself, the network it talks over, the cloud back end, and the web and mobile interfaces used to manage it. Each surface carries its own risks and vulnerabilities. Many breaches occur when an organization plugs the gaps in one surface but ignores the rest. As more connected devices are attached, every surface of an IoT deployment becomes a critical security consideration.
Any enterprise looking to implement or secure an IoT solution must first identify all of these surfaces. An effective way of doing so is to use the OWASP Internet of Things Project, an open community guide, as a checklist. Its IoT Top 10 identifies insecure web interfaces, insufficient authentication and authorization, insecure network services, lack of transport encryption, privacy concerns, insecure cloud and mobile interfaces, insufficient security configurability, insecure software and firmware, and poor physical security as the vulnerabilities that typically afflict an IoT solution.
Steps to Take
Contingency Plan: Compliance with standards and industry recommendations will close most of the gaps in an IoT system. Some residual risk always remains, however, and it is the enterprise's job to anticipate it: countermeasures must be in place before a breach occurs, not improvised afterwards. Typically, an enterprise contingency plan makes use of a cloud-based disaster recovery solution as a cost-effective means of ensuring business continuity.
Cloud-Based Disaster Recovery: Cloud-based disaster recovery plans for a compromise or any other failure of the main system. In the event of such an incident the company can redirect its users to copies of enterprise data held in a secure cloud environment. Two caveats apply: a replica restores availability but does not undo the disclosure of data already stolen, and if the replica is reachable with the same credentials that were used to compromise the primary, the attacker can follow the failover. Recovery copies therefore need their own access controls and should not be modifiable or deletable from the production environment.
Business Continuity Plan (BCP): A BCP ensures that if the main site or interface of a business comes under attack or fails for some other reason, the way users access the service is not affected: backup servers take over and the user experience remains seamless.
Encryption: Encryption has become a ubiquitous and effective part of digital security. It should cover both data in motion and data at rest: from authenticating users to collecting sensitive information, and from storing user data to transferring it to remote backup servers. With data everywhere, an enterprise needs to ensure that only standard, well-reviewed algorithms and protocols are used (TLS for data in transit and an authenticated mode such as AES-GCM for data at rest, rather than home-grown schemes), and that the keys are managed and stored separately from the data they protect, in order to maintain the security and privacy of user data.
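As an added illustration (not code from the original article), the following Go program shows what authenticated encryption at rest looks like for a single device record. It uses the standard library's AES-256-GCM, binds each ciphertext to a plaintext label of the region and device it belongs to, and demonstrates the two failure modes a practitioner cares about: a tampered ciphertext and a record re-labelled for another region are both rejected rather than decrypted to garbage. The sample record, the label format and the in-process key are constructed for the demonstration; in a real deployment the key would come from a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample: one telemetry record from a hypothetical connected
// medical device. Under HIPAA this is PHI and must be protected at rest.
const sampleRecord = `{"device_id":"pump-0042","patient_ref":"P-1189","bpm":72,"ts":"2015-06-01T10:00:00Z"}`

// Seal encrypts plaintext with AES-256-GCM under a 32-byte key and returns
// nonce || ciphertext || tag. The 16-byte tag authenticates both the
// ciphertext and aad (associated data), which is bound to the record but
// stored in the clear, e.g. the storage region and device the record
// belongs to. In production the key comes from a KMS or HSM and never sits
// next to the data; main below generates one in-process only for the demo.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM nonces must never repeat under the same key; 96 random bits per
	// record is the standard choice for a key that encrypts a bounded
	// number of records (rotate the key well before 2^32 records).
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to its first argument, so the output is
	// nonce || ciphertext || tag, which Open below knows how to split.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error and no plaintext at all if a single
// bit of the ciphertext, tag or aad has changed, or if the wrong key is used.
func Open(key, aad, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Demo assumption: a fresh random key generated in-process.
	// A real deployment would fetch it from a key-management service.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Context bound to the record but not encrypted: where it may be stored
	// and which device produced it (hypothetical label format).
	aad := []byte("region=eu-west-1;device=pump-0042")

	sealed, err := Seal(key, aad, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(sampleRecord), len(sealed))

	pt, err := Open(key, aad, sealed)
	fmt.Printf("round trip ok: %v\n", err == nil && string(pt) == sampleRecord)

	// Failure mode 1: a flipped ciphertext bit is detected, not silently
	// decrypted to garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, aad, tampered)
	fmt.Printf("tampered record rejected: %v\n", err != nil)

	// Failure mode 2: the same bytes presented under a different region label
	// fail to open, so a ciphertext cannot be silently re-filed as belonging
	// to another region or device.
	_, err = Open(key, []byte("region=us-east-1;device=pump-0042"), sealed)
	fmt.Printf("relabelled record rejected: %v\n", err != nil)
}
```

The point of the associated data is that the encrypted record carries its own context check: a backup or replica that re-labels records, or an operator who copies them into the wrong regional store, produces ciphertexts that refuse to open, which is a far better failure than plaintext quietly appearing in the wrong place.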
Data Sovereignty: One of the major points of negligence in the handling of enterprise data is data sovereignty. A number of countries and regulatory authorities require that data gathered from users within a certain region must not be stored outside that region or country. Violations usually result in heavy fines and penalties.
Database Integrity: When storing data, it is critically important for an organization not only to ensure the accuracy of the data but also to have policies in place governing its lifecycle:
- How long can the company retain the user data?
- Do any limitations defined in the compliance standard apply to the period of storage?
- Do the laws of a country prohibit data storage for extended periods?
- What must be done with the data at the end of the retention period?
These are all pertinent questions for any company dealing with connected devices and enterprise data.
Most industry standards applicable to IoT deal with data privacy and information security. To that end, the HITECH amendments to HIPAA and recent developments such as the Article 29 Working Party's opinion on the Internet of Things are important regulatory frameworks.
Any enterprise looking to augment its data using connected devices will need to keep a close eye on the regulatory standards. Most enterprise IoT implementations today face pertinent issues such as insufficient control over collected data, ambiguous user consent for the use of this data and the consequent risks in handling it.
At all points, the data is vulnerable to external attacks and breaches.
For organizations looking to pull off successful IoT implementations without having to face frequent breaches or regulatory fines, the way is clear but hard. They need to enforce data policies and regimes that minimize exposure to threats.
They have to explicitly seek user consent for gathering and using this data. They must ensure security measures that guard the data at every step, taking guidance from projects like OWASP. Finally, backup plans for unforeseen failures must always be in place.
Investing in a standards-compliant, secure and ethically fair regime for gathering data from connected devices can be an expensive undertaking for an enterprise. But compared with the litigation hazards and regulatory fines that can hit an organization after a major failure, not to mention the financial losses from a system outage caused by poor data security, a timely investment in this direction is well worth it.