The IoT and perimeter security: a hole in the wall? – Part Two
Simon Gawne Tyco
In the first part of this two-part series, Tyco’s Simon Gawne examined the technical obstacles to a cyber-secure IoT-based security network. Here, he outlines the cultural changes which organisations must go through if they are to ensure that every entry point is effectively guarded.
A change in business culture
Firstly, it is crucial to ensure a cohesive security strategy within the organisation across both the digital and physical spheres. As the IoT becomes more ubiquitous, the role of the traditional security team remains central, but with new definitions of security, that role is now joined by a host of others. In most organisations, professionals from IT and other departments are also now in prominent security-related roles.
In many cases it is still true that there is no one in a better position to lead overall security efforts than the experienced security director. However, it is equally true that, in order to do so, he or she must now be the leader of a multi-disciplinary team, with a group of professionals delivering what might be to them unfamiliar types of expertise. Moreover, that team will likely be located at several different facilities, so effective collaboration and information sharing are essential.
In order to lead these newly expanded teams, many security directors may need to expand their knowledge base first. This does not necessarily mean having to become an expert in the IoT, but for many security professionals it will at least mean gaining a better understanding of the technologies involved.
This can be done readily through training, and many large organisations in the security industry offer courses that can help close the gaps in a security professional’s knowledge. These resources are often especially geared towards the needs of experienced, on-the-job professionals.
Practical steps
What does this mean when applied to security products at a very basic level?
Firstly, keeping confidential information out of the hands of those to whom it does not belong. For example, when looking to implement a camera, be sure to consider whether authentication is required to view the video. This is such a simple yet often overlooked step – in fact, there have been websites created that are dedicated to showing the live feeds of security cameras that don’t require passwords!
Next, access control systems are of vital importance to IoT devices. Allowing unvetted actors to make changes to the database could create loopholes which would allow an attacker to gain physical access to the building.
Also, making sure the device is available and continues to function is probably the most important for security products. While DoS (denial of service) attacks are headline grabbing, functional errors in the product are the most common cause of compromised availability. For example, an intrusion system that fails to detect a sensor going offline, or an access control system that cannot operate during a network or power failure can lead to a security downfall.
Security must always take into account the risk from internal threats as well. A Ponemon Institute study showed that “malicious insiders” were the most expensive form of risk for an organisation when weighted by attack frequency, and were also the longest attack type to resolve. It’s therefore important to make sure any products you select can be set up with controls that separate responsibilities for individual users.
Finally, remember to ask about third-party assessments. Does the supplier undergo independent assessments of its products? More importantly – and an often forgotten question – do they then take the proper steps to resolve the issues found?
Uniting the business behind security
Ultimately, with the introduction of the IoT, cybersecurity is no longer static. Entry points to the network can be spread across a huge area, and new vulnerabilities and exploits are uncovered every day. A successful IoT security response plan requires a dedicated, multi-disciplined team with the capabilities to assess and mitigate issues when they arise. When executed properly, the team should be able to respond the same day.
It is therefore the security director’s imperative to open, and, hopefully, lead, the dialogue with IT, logistics and other security-related operations on how to integrate IoT-based security applications with the rest of the business, and improving how risk is managed overall.
Security professionals need to take the lead and initiate the discussion. They can offer a security roadmap and business plan to leaders in other departments and see where plans intersect, and how they can work together to provide the best overall security for the enterprise.
The introduction of the IoT into such a long-standing tradition as perimeter security can bring with it technological challenges, culture clashes and difficult process changes. However with connected technology becoming increasingly important to a fully functional defence, it’s essential for security teams to take the initiative now and collaborate with colleagues across the business to ensure all entry points are covered – not just physical doors.