What the C-suite must know about IoT
In October, a botnet of connected things daisy-chained with the Mirai malware knocked sites like Twitter, Spotify, and GitHub offline at various times.
We live in a world where an army of refrigerators, laundry machines, dishwashers, and toasters can take down Amazon and Netflix, at least for a while.
Crazy as the problem sounds when you say it out loud, it can only be tackled in the C-suite.
Three enterprise problems in one
Your leaders need to understand that there are three (very real) threats from IoT:
- Being attacked by an IoT army located anywhere (or everywhere) in the world
- Your own IoT devices being conscripted into such an army
- Being attacked by your own IoT devices
The structural problem
The structural problem is that IT hardware isn’t only being bought by IT anymore. Your facilities team might buy light bulbs with 4G capability. Your marketing department might invest in beacons.
Changing the structure of your business won’t help against the worldwide army, but it will mitigate the danger of your own IoT devices attacking you or someone else.
All this means that IT needs to have a say over things—and departments—that it’s not had a say over before.
IT needs to train all employees about what constitutes an IoT device (manufacturers use different marketing terms). There are things everyone can look for, like references to 4G or Wi-Fi on the box rather than “Internet of Things”.
And IT needs to explain that it’s not just being a killjoy. That device with an antenna so it can update its own firmware will sound great to a facilities manager. It’s something anyone in IT can empathise with. But IT also knows that hackers like those antennae, too, because they allow two-way communications that might bypass all network security monitoring controls.
2. Security first
It’s more than likely that your general manager in charge of purchasing has never had to take a security-first view when buying formerly benign products.
Their Spidey sense might tingle when the facilities manager starts spending $35 on a light bulb, but it won’t be the security angle that has them alarmed. And the facilities manager probably isn’t imagining that a 100W bulb could bring down the IT network.
When anyone in the company heads out to buy an IoT device, they must be made to get IT’s approval. No exceptions.
4. Get C-level buy-in
This is where the C-suite needs to be brought on board, because you’re going to be recommending training (costly) and getting involved in other departments’ spending plans (possible turf war).
Those are hard things to advocate, but the alternative might be explaining how a rogue refrigerator on Level 5 led to the theft of customer data.