The Internet of Things (IoT) allows businesses to connect everything from the office printer to factory production lines via Wi-fi, making it an ideal tool for organizations to exploit, and for employees to use effectively. And there appears to be no limit to what IoT technology is capable of delivering.
Because of how simple it is to install and use the associated software and applications on people’s smartphones and tablets, technology heavyweights like Cisco Systems and IT analysts such as Juniper Research estimate that the number of connected IoT devices will reach 50 billion worldwide in 2020. According to research by Forrester, businesses will lead the surge in IoT adoption this year, with 85% of large companies implementing IoT or planning deployments.
But such connectivity comes at a price. As IoT usage increases, so too do the associated risks. Simple devices rely on simple security, and simple protocols can be simply ignored.
A common problem is employees simply adding devices to the network, without informing the IT department — or without the IT team noticing. For example, Raef Meeuwisse, a UK-based cybersecurity consultant and information systems auditor, says that one security technology company revealed that when installing network security detection in new customer networks, it found that up to 40% of devices logged on to the network were IoT. “That was a surprise to those organizations’ executives and their IT departments,” he says.
Such anecdotes mean internal audit has a real job at hand to ensure that IoT deployments go smoothly and that the associated benefits are delivered. And the task is fraught with danger: The technology is still evolving, new risks are emerging, and controls to mitigate these risks often seem to be a step behind what is actually happening in the workplace.
Information experts and standards-setters such as ISACA point out that because IoT has no universally accepted definition, there aren’t any universally accepted standards for quality, safety, or durability, nor any universally accepted audit or assurance programs. Indeed, IoT comes with warning notices writ large. According to ISACA’s State of Cybersecurity 2019 report, only one-third of respondents are highly confident in their cybersecurity team’s ability to detect and respond to current cyberthreats, including IoT usage — a worrying statistic given the proliferation of IoT devices. Industry experts and hackers have demonstrated how easy it is to target IoT-enabled office security surveillance systems and turn them into spy cameras to access passwords and confidential and sensitive information on employees’ computer screens (see “Targeting the IoT Within” below for examples of other IoT vulnerabilities).
Distributed denial of service attacks (DDoS) on IoT devices — which analysts and IT experts deem the most likely type of threat — are the best example of IoT device security and governance flaws. In 2016, the Mirai cyberattack on servers at Dyn, a company that controls much of the internet’s domain-name infrastructure, temporarily stalled several high-profile websites and online services, including CNN, Netflix, Reddit, and Twitter. Unique in that case was that the outages were caused by a DDoS attack largely made up of multiple, small IoT devices such as TVs and home entertainment consoles, rather than via computers infected with malware. These devices shared a common vulnerability: They each had a built-in username and password that could be used to install the malware and re-task the device for other purposes. The attack was the most powerful of its type and involved hundreds of thousands of hijacked devices.
“As is often the case with new innovations, the use of IoT technology has moved more quickly than the mechanisms available to safeguard devices and their users,” says Amit Sinha, executive vice president of engineering and cloud operations at cloud security firm Zscaler in San Jose, Calif. “Enterprises need to take steps to safeguard these devices from malware attacks and other outside threats.”
Begin With Security
Events like the Mirai attack make security a priority for internal auditors to review. Among the top IoT security concerns that experts identify are weak default and password credentials, failure to install readily available security patches, loss of devices, and failure to delete data before using a new or replacement device. The steps to rectify such problems are relatively simple, but they are “usually ignored or forgotten about,” says Colin Robbins, managing security consultant at Nottingham, U.K.-based cybersecurity specialist Nexor.
As a starter, he says, internal auditors should check that the business has a process to ensure that all IoT device passwords are unique and cannot be reset to any universal factory default value to minimize the risk of hacking. The organization should update software and vulnerability patches regularly, and devices that cannot be updated — because of age, model, or operating system — should be isolated once personal and work data has been removed from them.
“Organizations need to have conversations at the highest level of management about what IoT means to the business,” says Deral Heiland, IoT research lead at Boston-based cybersecurity firm Rapid7. Once they have done this, Heiland suggests they focus on detailed processes around security and ask key questions such as: What IoT has the organization currently deployed? Who owns it? How does the organization manage patches for these technologies, and how does it monitor for intrusions? What processes does the organization need for deploying new technologies?
Technical Hygiene Standards
Effective IoT security requires organizations to develop their own protocols and security specifications up front, Meeuwisse says. This ensures that “devices can either be integrated into particular security zones or quarantined and excluded from the possibility of getting close to anything of potential value,” he explains.
Targeting the IoT Within
In January 2017, the U.S. Food and Drug Administration issued a statement warning that certain kinds of implantable cardiac devices, such as pacemakers and defibrillators, could be accessed by malicious hackers. Designed to send patient information to physicians working remotely, the devices connect wirelessly to a hub in the patient’s home, which in turn connects to the internet over standard landline or wireless connections. Unfortunately, technicians found that certain transmitters in the hub device were open to intrusions and exploits. In a worst-case scenario, hackers could manipulate the virtual controls and trigger incorrect shocks and pulses, or even just deplete the device’s battery. Manufacturers quickly developed and deployed a software patch.
The case demonstrates the need for internal audit to check that Wi-fi networks are secure, that default factory settings on any connected devices are not used, and that the organization, through the IT department, has patch management processes in place to check whether any devices have security updates that need to be installed.
Meeuwisse adds that whether a business is manufacturing or simply installing IoT devices, having security architecture standards to ensure information security throughout the organization is aligned with business goals is a crucial first step. “Buying or designing technology before having a clear understanding of the security specification required is a dangerous path,” he says. “For any new type of IoT device, there should always be a risk assessment process in place to understand whether the device meets security requirements, needs more intensive scrutiny, or poses a significant potential risk.”
More widely, organizations need to examine “the basics” to ensure that they maintain their IT system’s “technical hygiene,” says Corbin Del Carlo, director, internal audit IT and infrastructure at financial services firm Discover Financial Services in Riverwoods, Ill. For example, Wi-fi access should be closed so only authorized and certified devices can use it, and there should be an inventory of devices that are connected to the network so the IT department knows who is using them. For additional security, IT should scan the network routinely — even daily — to check whether new devices have been added to the network and whether they have been approved.
Del Carlo also says internal auditors need to check that the organization’s IT architecture can support a potentially massive scale-up of devices wanting to access its systems and network quickly. “We’re talking about millions more devices all coming online within a year or two,” he says. “Can your IT system cope with that kind of increase in demand? What assurance do you have that the system won’t fail?”
Del Carlo recommends organizations draw up a shortlist of device manufacturers that are deemed secure enough and compatible with their IT architecture. “If you allow devices from any manufacturer to access the network, then you need the in-house capability to monitor the security of potentially hundreds of different makes and find security patches for them all, which can be very time-consuming,” he points out.
A list of approved manufacturers also can make it easier to audit whether the devices have the latest versions of security downloads. “Even if a particular manufacturer’s product proves to have vulnerabilities, it is much easier to fix the problem for all those devices than try to constantly monitor whether there are security updates for many different products made by dozens of manufacturers,” he says.
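The daily scan-against-inventory check, the approved-manufacturer shortlist, and the patch-status review described above, as an added Python example that is not from the article: the device list, MAC prefixes, owners, and firmware versions are constructed sample data, and version_key assumes dotted numeric version strings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScannedDevice:
    mac: str
    ip: str
    firmware: str  # version string the device reports, e.g. "2.3.0"
def version_key(v):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))
def oui(mac):
    """First three octets of a MAC address: the manufacturer prefix."""
    return mac.lower()[:8]
def reconcile(scan, inventory, approved_oui):
    """Compare a scan with the approved inventory; return the findings.
    inventory: mac -> (owner, minimum patched firmware version)
    approved_oui: manufacturer prefixes on the organization's shortlist
    """
    findings = {"unknown": [], "unlisted_vendor": [], "outdated": [], "missing": []}
    seen = set()
    for d in scan:
        mac = d.mac.lower()
        seen.add(mac)
        if mac not in inventory:  # added without IT's knowledge
            findings["unknown"].append(mac)
            if oui(mac) not in approved_oui:  # not even a shortlisted maker
                findings["unlisted_vendor"].append(mac)
            continue
        owner, min_fw = inventory[mac]
        if version_key(d.firmware) < version_key(min_fw):  # patch not applied
            findings["outdated"].append((mac, owner, d.firmware, min_fw))
    findings["missing"] = sorted(set(inventory) - seen)  # lost or offline
    return findings
# Constructed sample data: hypothetical MACs, owners and firmware versions
INVENTORY = {
    "aa:bb:cc:00:00:01": ("facilities", "2.4.0"),  # thermostat
    "aa:bb:cc:00:00:02": ("security", "5.1.2"),    # IP camera
    "dd:ee:ff:00:00:03": ("office", "1.0.9"),      # printer
}
APPROVED_OUI = {"aa:bb:cc", "dd:ee:ff"}
SCAN = [
    ScannedDevice("AA:BB:CC:00:00:01", "10.0.5.11", "2.4.0"),  # compliant
    ScannedDevice("aa:bb:cc:00:00:02", "10.0.5.12", "5.0.0"),  # unpatched
    ScannedDevice("aa:bb:cc:00:00:09", "10.0.5.30", "1.0.0"),  # not inventoried
    ScannedDevice("12:34:56:00:00:10", "10.0.5.31", "0.9.0"),  # unlisted vendor
]
def daily_report():
    return reconcile(SCAN, INVENTORY, APPROVED_OUI)
```

Run daily_report() after each scan; "unknown" and "outdated" entries are the candidates for the approval or isolation process, and "missing" flags devices that may have been lost.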
It’s not only the organization’s security that internal auditors should consider. Auditors also should make management aware of potential privacy issues that some applications may present — especially those that feature GPS tracking, cameras, and voice recorders. “Tracking where employees are can be useful for delivery drivers, but is it necessary to track employees who are office-based?” Del Carlo asks.
An example is an IoT app that monitors how much time people spend at their desks and prompts them to take a break if they are there too long. Organizations could use that technology to monitor how frequently people are not at their desks, Del Carlo notes. “While this may catch out those who take extended lunch breaks, it may also highlight those who have to take frequent trips to the bathroom for medical conditions that they may wish to keep private,” he explains. “As a result, auditors should query such device usage.”
Yet while there is a vital need to make IoT security a priority, Robbins says organizations should not overlook whether management has appropriately scoped the business case for an IoT deployment, and how success or failure can be judged. “As with any other project, particularly around IT, managers can throw money at something they do not understand just because they think they need it, or because everyone else is using it,” he says.
Robbins cautions that poorly implemented IoT solutions create new vulnerabilities for businesses. “With IoT, it’s not data that is at risk, but business processes at the heart of a company,” he points out. “If these processes fail, it could lead to a direct impact on cost or revenue.”
According to Robbins, the success of IoT means a heavy — and “almost blind” — reliance on the rest of the “things” that support the technology working effectively within the supply chain. Take for example an IoT device that monitors bakery products made in an oven. That device may tell the operator that the oven temperature is 200 degrees and the baked goods have another 20 minutes of cooking time, he explains.
“But the problem is that you have no physical way of checking, or even being alerted, that the technology might be wrong or has been hacked, and that the settings and readings are incorrect,” Robbins says. “Everyone is relying on all the different parts of the supply chain — the app vendor, the cloud provider, and so on — maintaining security in a world where there are no agreed-upon standards or best practice. Talk about ‘blind faith.’”
IoT also increases the need for additional third-party and vendor risk monitoring, Del Carlo warns. This is because app developers may be collecting data from users not only to help inform design improvements but also to generate sales leads.
“Internal auditors need to think about the data that these vendors might be getting and how they may be using it,” Del Carlo explains. For example, developers may be exploiting user data to approach the organization’s competitors with products tailored to the competitor’s needs. “Internal auditors need to check what data developers may be collecting and why,” he advises.
Early Best Practices
Despite the absence of universally agreed-upon guidance for aligning IoT usage with business needs, some industry bodies have tried to promote what they consider to be either basic steps or best practice. For instance, in a series of blog posts, ISACA recommends that organizations perform pre-audit planning when considering investing in IoT solutions. It advises organizations to think about how the devices will be used from a business perspective, what business processes will be supported, and what business value is expected to be generated. ISACA also suggests that internal auditors question whether the organization has evaluated all risk scenarios and compared them to anticipated business value.
Eric Lovell, practice director for internal audit technology solutions at PwC in Charlotte, N.C., says internal audit should have a strong role in ensuring that IoT risks are understood and controlled, and that the technology is aligned to help achieve the organization’s business strategy. “Internal audit should ask a lot of questions about how the organization uses IoT, and whether it has a clear strategic vision about how it can use the technology and leverage the benefits from it,” he says.
As IoT is part of the business strategy, Lovell says internal auditors need to assess the business case for it. “Internal auditors need to ask management about the business benefits it sees from using IoT, such as improving worker safety, better managing assets, or generating customer insights, and how these benefits are going to be measured and assessed to ensure that they have been realized,” he advises.
Questions to ask include: What metrics does the organization have in place to gauge success or failure? Are these metrics in line with industry best practice? Are there stage gates in place that would allow the organization to check progress at various points and make changes to the scope or needs of the project? “Equally importantly, does the organization have the right people with the necessary skills, experience, and expertise to check that the technology is delivering its stated aims and is being used securely?” Lovell notes.
Lovell also says internal auditors need a seat at the table from the beginning when the organization embarks on an IoT strategy. “Like with any other project, internal audit will have less influence and input if the function joins the discussion after the project has already been planned, scoped, and started,” he explains. “Internal auditors need to make sure that they are part of those early discussions to gauge management’s strategic thinking and their level of awareness of the possible risks and necessary controls and procedures.”
IoT’s Dynamic Risks
Risks shift over time as technology innovations and the business and regulatory environment evolve. “It is pointless to think that the risks that you have identified with IoT technologies at the start of the implementation process will remain the same a couple of years down the line,” Lovell says. “Internal auditors need to constantly review how IoT is being used — and under what circumstances and by whom — and assess whether the technology is still fit for purpose to meet the needs of the business.”