If 2015 was the year of the Internet of Things, 2016 could be the year of the hacked Internet of Things. That could mean a lot of headaches for CIOs, whether they're fans of these new devices themselves or will be dealing with employees connecting them at work and managing the potential security exposure that brings.
"The issue to date is that devices are vulnerable just by the fact that they exist and can connect to the Internet," says Jerry Irvine, member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and CIO of Prescient Solutions. "Anybody can get to a device if you don't secure them properly."
One of the reasons why it's a big hacker target: It's, well, big. Gartner estimates that 6.4 billion connected things will be in use by 2016, up 30 percent from last year. They also predict that 5.5 million new things will get connected every day.
That's a lot of possible portals for bad players to get in.
The IoT threat
One big problem with these devices, says Irvine, is that they're not always built with security in mind, which is why they can be the backdoor into infiltrating a system that's otherwise guarded.
Think of e-readers, Irvine says. “They're easily hackable because they have no antivirus system, no data loss applications." Another example he gives: smoke alarms. There's no real security protection on them, not like you'd find with your typical laptop or smartphone. If someone gets in through that smoke alarm, and you don't have a wall between where it connects to your computer, that bad guy can get right in.
"Remember, when Target was hacked, they were hacked through their heating and air conditioning system," Irvine says.
However, there are some steps you can take. The first is to keep devices updated. "Operating systems on their firmware become vulnerable," Irvine says. "Updates are made because someone outside of the company has notified the company that there is some kind of weakness."
Another no brainer, he says: a strong password – one that's not also used for anything else, especially any banking programs. As many blockades as your financial institutions put up against bad guys, nothing will stop them if someone yanks your username and password from the database of what you thought was a harmless thing that connects to the Internet.
If you're going to be connecting a lot of smart devices at home – TV, thermostat, baby monitor, garage door opener, these kinds of things – Irvine suggests setting up a separate network from those devices, one that works on Wi-Fi your computer never touches. He recommends a virtual private network (VPN) so that, if one of your new connected things gets infected with a virus, it won't bleed over onto your important devices to grab passwords and sensitive information.
Zulfikar Ramzan, CTO of RSA Securitysuggests thinking hard about what information you're willing to share with these devices, and how you'd feel if the device or the information it's collecting about you were made public. If you don't want that out there, then maybe anything tracking that kind of information isn't something you want in your life. Or at least maybe it’s something you don’t want connected to the Web.
For the CIO
CIOs are between a rock and a hard place when it comes to all of these connected devices, Ramzan says.
"Every single one of these devices can be one or more entry points," he says. "It's one more way for the bad guy to do something and cause problems."
But turning into Chicken Little screaming that the sky is falling because someone syncs his Fitbit through his work laptop may be going a bit too far.
"We haven't seen a large-scale expectation of those risks," Ramzan says. CIOs, he says, "may perceive this to be something to worry about, but there may be nothing today to worry about."
How CIOs will balance the potential risks without being an alarmist is something that will shake out this year. But striking that right balance will be crucial going forward, especially since the potential exposure is huge....and there's no question that most IoT devices need better security.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.