The speed at which connected technologies are being embedded into the operations and products of big business presents an abundance of both opportunities and risks. Richard Robertson, Global Head of Information Security at Pro Global, demonstrates how innovation is inextricably linked with potential risk failings when it comes to IoT.
In his latest book, the arrestingly titled Click Here to Kill Everybody, InfoSec guru Bruce Schneier suggests that in the near future doctors’ surgeries will have bio-printers and, should they be hacked, it could be possible for human viruses to be synthesised and distributed globally, creating a pandemic.
I’ll give you a moment to recover if you just spilled your coffee in shock.
Why would such an eminent security practitioner feel justified in making such an alarming claim? With the Internet of Things (IoT), such a scenario is unfortunately far from the unlikely nightmare it may appear to be.
Let’s take a step back. There’s no mystery to why big business is bullish on the IoT. The number of connected devices is astonishing and has already surpassed the number of people on the planet – pens, cars, coffee cups (yes really – not quite yet but soon), even t-shirts.
Projections anticipate the figure growing to 21 billion devices by next year, potentially ballooning to over 100 billion by 2025. This new interconnected IoT reality is undoubtedly exciting – for our personal lives as well as healthcare, manufacturing, transportation, all commercial sectors and governments.
But the benefits made available by connecting devices capable of ‘smart’ behaviour are matched by serious dangers. Each of these devices is a potential entry-point for an attack by hackers. And according to multiple studies, around 70% of the most commonly used IoT devices have significant security vulnerabilities.
As the adage has it – you can have good, cheap or fast, but you can only pick two. Current news stories and market theory show that in the rush to create new products, cheap and fast will win the race.
And it doesn’t take a rocket scientist to know that it is unlikely that cheap and fast products will offer advanced security protection from hackers.
The usual password protection on our devices is already failing. Default passwords are often left as default permanently, meaning the devices are forever highly vulnerable to attack, while security measures like two-factor authentication are only just starting to catch on – way behind the proliferation of smart devices in our homes and places of work.
Until this burgeoning mountain of vulnerable devices is secured, almost anything is open to attack, including baby monitors and even cars. One thing we can be sure of is that this is not a problem that will disappear quickly. Combined with global marketing plans, could we be moving apace towards Bruce’s printer pandemic scenario?
Billboards guess your salary
In 2015, a billboard was a billboard. In 2019, billboards are starting to contain computers which recognise you and tailor advertising to you. Yes that’s right, just like Tom Cruise experienced in Minority Report, except you could be experiencing it sooner than you think.
Your phone will share data with the billboard and the billboard’s owners, whose computers may then be advised of your precise movements, shopping habits, likely income and possible holiday destinations. This information will come not just from fitness apps and travel booking sites but free-to-play games and even the metadata hidden in your photographs edited with bunny ears.
The death of privacy?
When such data is fully anonymous, companies can use it to sell to large market segments. But far more valuable, and historically more difficult to get, is data that relates to us as individuals.
When a supermarket knows your favourite tipple they can offer you completely personalised deals. It’s great business. But it also means that any information that’s tracked about us can be linked back to us.
This can be calls you make, texts you send, food and clothes you buy, photos you take and even the conversations you have. Once your connected devices are happy talking to each other, the picture of you available to corporations and national and local government departments will be more detailed than you could ever imagine. And it’s for sale. Privacy, or our traditional offline concept of it, is dying.
As ever cheaper devices invade our every moment – the word infest was used at a recent security conference – they will become more and more embedded. We will likely barely notice the encroachment but they are coming and this is important when it comes to security.
Back to Bruce’s killer viruses
And so, back to printers. In 2017, over a weekend someone hacked hundreds of thousands of printers, forcing them to print nonsense messages. 3D printers could be similarly vulnerable, but what if we consider bio-printers?
While bio-printers are still in their infancy in 2019, imagine a future where they are in every hospital and surgery. A remote hacker could force a printer to produce a lethal virus, for instance. If the virus spreads widely enough and infects enough people we might wish big business had heeded Bruce’s warning. How on earth will the insurance industry respond to such a scenario?
Cyber risk assessment is not a tick box exercise
Due to the level of risk that goes hand in hand with the exciting opportunities presented by the IoT, vulnerability and emerging threat discovery assessments should be included when a company is carrying out its cyber audit.
When it comes to reviewing the hyperconnected technologies that businesses rely on for the smooth running and future success of their services, whether it be in healthcare, manufacturing, transportation or in government, cyber audits will require more than just a soft touch. They need to be considered more than just a box-ticking exercise.
While general cyber security audits will only provide a general snapshot of a business’ cyber security, at Pro we provide greater insight and solutions into how best to improve cyber health and, with our expert partner Cyber Security Associates, allow for 24/7 monitoring of a business’ systems to identify and mitigate attacks.
You may not be insuring bioprinters yet, but there are likely vulnerabilities in your current systems that a box-tick cyber audit won’t expose.
For information on how we can better assist you with an independent, comprehensive cyber audit, contact our dedicated team: http://www.pro-global.com/uk/what-we-do/cyber