This week I attended the AuditWorld 2018 conference in Las Vegas, a gathering of several hundred audit and IT security executives to swap insights about cybersecurity and internal control. I wandered into a session about cybersecurity concerns for “the Internet of Things” — and wouldn’t you know it, a conversation about policy and vendor risk management broke out!
So if compliance officers want a briefing on how the Internet of Things might creep into your company and bring a bundle of compliance concerns along with it, listen up.
The first challenge is to define what IoT actually is. That alone can be complicated, because most people hear the word “things” and assume “object.” Our minds immediately conjure up the Amazon Alexa sitting on your kitchen counter, the Apple TV in the conference room, or maybe a vehicle with satellite-based Internet connectivity. It could even be a medical device in your body or a sensor on the wall.
My own definition had been, “an object that generates data about its operations, which can be transmitted wirelessly to other software systems via the Internet.” Pretty good, I thought.
Then the moderator for our session — Deral Heiland, a research lead at IT security firm Rapid7 with a handlebar mustache that dangles at least 10 inches off his face — set us all straight. For the purposes of security, audit, and compliance, we need to think of IoT as a whole technology system.
In other words, the gizmos in our homes, offices, cars, or anywhere else are only the “T” in IoT. We still have to worry about all the data and software that make the gizmo run, and those things can be anywhere on the “I” of IoT. The device might be on your office conference table, processing data stored in the cloud, managed by software sitting in an IT closet down the hall.
So as dorky as the phrase “whole technology ecosystem” sounds, that’s the concept audit and compliance professionals need to keep in their heads. How do we secure and manage everything that makes this IoT device run as intended? That’s the question you need to ask.
For example, a biology lab might have blood samples stored at a specific temperature, with IoT-enabled thermostats on the wall. Even if the thermostats themselves are secured from improper access, the most serious risk could be the security of your cloud-based data storage vendor: I could hack into that vendor and alter the data so the management software believes the temperature is 35 degrees, and then the thermostats turn on the heat and ruin your samples.
That is a risk created by hanging an IoT device on the laboratory wall, but the risk doesn’t exist within the device itself. It exists because unauthorized users can manipulate the whole constellation of data, software, and hardware to produce an unwanted result.
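The lab scenario above, as an added illustration that is not from the post or from Rapid7: the control software checks a device-signed reading and a plausibility bound before it is allowed to actuate, so a temperature edited in the cloud store cannot trigger the heater. The shared key, field names, Fahrenheit units, setpoint and jump limit are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key: in practice provisioned per device and never held by
# the cloud vendor that merely relays and stores the readings.
DEVICE_KEY = b"demo-key-for-illustration-only"
SETPOINT_F = 40.0   # assumed storage target for the samples
MAX_JUMP_F = 2.0    # assumed: a real sample fridge never moves 2 F between readings

def _canonical(reading: dict) -> bytes:
    """Stable byte encoding so the device and the controller MAC the same bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()

def sign_reading(reading: dict, key: bytes = DEVICE_KEY) -> dict:
    """Device side: attach an HMAC-SHA256 over the whole reading."""
    mac = hmac.new(key, _canonical(reading), hashlib.sha256).hexdigest()
    return {**reading, "mac": mac}

def verify_reading(record: dict, key: bytes = DEVICE_KEY) -> bool:
    """Controller side: recompute the MAC. Any field edited in the cloud store
    (temperature, sequence number, device id) makes the check fail."""
    mac = record.get("mac")
    if not isinstance(mac, str):
        return False
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def naive_decide(record: dict) -> str:
    """The controller the post describes: trusts whatever the cloud returns."""
    return "heat" if record["temp_f"] < SETPOINT_F else "hold"

def decide_heating(record: dict, last_trusted_f: float, last_seq: int) -> str:
    """Hardened controller: never actuate on a reading it cannot verify, on a
    replayed or out-of-order reading, or on an implausible jump. 'alarm' means
    hold the outputs and page a human."""
    if not verify_reading(record):
        return "alarm"      # tampered or unsigned data from the store
    if record["seq"] <= last_seq:
        return "alarm"      # replay of an older genuine reading
    if abs(record["temp_f"] - last_trusted_f) > MAX_JUMP_F:
        return "alarm"      # sensor fault or manipulation
    return "heat" if record["temp_f"] < SETPOINT_F else "hold"
```

The naive controller heats on the tampered 35-degree value; the hardened one refuses it and raises an alarm instead.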
IoT Auditing and Compliance
If that’s the true nature of security risk for IoT, several concerns become more prominent. Some are more relevant to security officers, others to auditors, and yet more to compliance officers.
For example, policy management around the Internet of Things will become crucial. Senior executives need to decide how they want the company to handle IoT — because if that message doesn’t come down from the top of the organization, IoT devices will start showing up on their own at the bottom.
On the other hand, Heiland said, if the organization embraces IoT from the top, then it can embrace all the attendant IoT security and audit issues at the same time. So go ahead and embrace IoT, but embrace it smartly.
Still, the questions remain. What will be the company’s policies about IoT in the organization? Who will perform a risk assessment of an IoT device? Of the software that might run on the device? Of the technology controls that might connect the device and its software to your IT network? Who will decide proper and improper configurations of IoT systems? Who will test those configurations?
Compliance officers can’t do any of that work themselves. They can, however, lean on the company to ensure that those questions get asked and answered.
The IoT world also means that patch management for software fixes will become more important. Does the company have a policy (and procedures in place) to apply software fixes automatically? Usually that’s the smart move, but let’s also not fool ourselves — employees rarely audit those patches before implementing them. As one person in my AuditWorld session said, “I have no idea whether these patches work. I still implement them.”
The situation is even worse for technology vendors you use, since you have almost no visibility into their security systems and patch management — but the tech services they provide to you might be crucial to using IoT at your business. So now we’ve opened a can of worms with third-party oversight and trusted vendors.
And while these are all very valid security concerns, they’re still operational concerns. We haven’t even begun talking about regulators’ interest in IoT, mostly because regulators themselves are still struggling to define what proper security and liability should be. Nor have we touched the strategic risks that come along when digital processes meet the physical assets companies use to make money.
All something to think about when you relax at home tonight. Perhaps you can ask Alexa for its opinion.