Today’s cybersecurity threats have matured well beyond viruses, and the stakes have grown too. While cyberattacks on users’ identities and bank accounts continue to dominate headlines, it is no longer just data that’s at stake as the Internet of Things (IoT) continues to spread. As the IoT infiltrates every aspect of our lives – workplaces, cars, homes, hotels, malls and airports – cyberattacks could result in our physical infrastructure being compromised, which could result in lives being placed in physical danger. Businesses, government organisations and consumers alike need to know what to look out for in order to survive and avoid falling victim to cyberattacks. This requires a new approach to cybersecurity in light of IoT – trust no one and no thing.
New opportunities, new risks
With billions of connected devices already on the market, it’s not long now before Cisco’s 2020 prediction of 37 billion connected things on the Internet becomes a reality. We are moving towards connected homes and smart automated building environments in which physical infrastructure elements are all connected to the IoT. However, what makes the IoT different from the conventional Internet? The difference boils down to people and the need for human intervention in order to function. Unlike the conventional Internet, the IoT is not dependent on people to work.
With IoT, sensors on devices, machinery and infrastructure collect, share, analyse and act on information. This makes it possible for new technology, media and telecoms businesses to create new ways of doing business and offering innovative services to their customers. It also enables machines to do jobs that are not safe for humans to do, in the mining and manufacturing industries, for example. Despite the fact that IoT-based solutions are still emerging, IoT-related incidents will only increase as more objects become connected. Although making great strides in enabling operational productivity and collaboration by implementing IoT-based solutions, businesses have yet to properly consider the impact of the IoT on their networks, and it is time for them to do so now.
It’s an issue of trust
Previously, whether at a corporate or home level, the approach to cybersecurity was based on the assumption that threats would come from the outside, and it was thus safe to trust everyone and everything inside the network. This is no longer our reality, and just because a device is inside a network does not mean it can be trusted. Instead, it’s important for an organisation to identify exactly who and what on its network can be trusted, and regard everyone and everything else as a potential threat. Trust no one and trust no thing. At a business level, this requires a strategic shift in the approach to cybersecurity that actually changes the way data and systems are protected.
Making this change requires the organisation to understand the various aspects of its systems and networks and put controls in place to separate these from one another. A flat network for systems is no longer safe, and businesses will need to define different layers of access and segregate different zones or security spheres within the network, each of which should have different rules of engagement and access. By applying the security principles of role-based access, it becomes possible to control who has access to what within the network. It is advisable to grant this access on a ‘need to know’ basis. In other words, employees should only be given access to the network resources and business information necessary to complete their jobs, and nothing more.
No need to go it alone
It is also important to bear in mind that just as quickly as cyber threats grow and evolve, so too do the technologies used to protect and defend against them. Automated cybersecurity solutions are getting smarter by the day thanks to artificial intelligence; however, unless companies actually change their approach to security, this will be of no assistance to them. The International Data Corporation has predicted that by 2018, two-thirds of corporate networks will have had an IoT security breach. With this in mind, it is advisable for businesses to perform a proper risk assessment as soon as possible. This will ensure that the technologies and solutions they choose to protect their business and employees are properly aligned with the specific business environment and tailored to its unique risk factors. Companies will have to critically examine the impact of new IoT devices and solutions on their network, in light of their newly adopted cybersecurity approach to trust no one and no thing.
By Simeon Tassev, Managing Director and QSA at Galix Networking