Cybercrime, the IoT and Jekyll & Hyde in the connected office; Keeping our businesses safe - by Nadine Cino

None of us want to feel that we must choose between being connected and being protected.  

Given the history of cyberattacks and data breaches which have left multiple global corporations affected – and many other companies which may not have made the news no less adversely affected – it’s a useful business exercise to think about how that occurred.  As we look more and more towards the Internet of Things (IoT) to help us measure and manage myriad business processes, we must secure that data against the malware of the IoT in order to protect our businesses and employees, and keep them safe.  So, although the IoT can be Jekyll, it can, in combination with malware, become Hyde in the time it takes to write a string of code. 

We can probably all agree that the much famed video of the Wired reporters jeep being hacked through the AC unit while driving is possibly more “sensational” than indicative of a widespread problem.  However, nonetheless, it speaks to the inherent vulnerability of the “Hyde” side of the IoT, as the key to hacking that jeep was through the internet – the same internet through which smart office HVAC, LED and other management systems are connected.1 

The next generation of artificial intelligence (AI) innovation has the potential to even more effectively open backdoors into connected businesses.  The cost of cybercrime and the security measures meant to prevent it are increasing, and businesses are under pressure to improve system security and data protection.  

Yet, some say that private industry has so far not taken the threat seriously or invested enough to proactively address it.  What makes addressing the “Hyde” side of the IoT so challenging is that businesses must address themselves to the task of analyzing and creating a strategy for defending IoT devices that are currently connected using a variety of non-standard or customized operating systems.

And the challenge will only continue to grow in magnitude, as according to Gartner, the number of connected devices on the IoT is predicted to reach 20.8 billion by 2020, and 5.5 million new things will get connected every day.  

Gartner makes a point that we should consider that there are two classes of connected things:  

“The first class consists of generic or cross-industry devices that are used in multiple industries, and vertical-specific devices that are found in particular industries. Cross-industry devices include connected light bulbs, HVAC and building management systems that are mainly deployed for purposes of cost saving. The second class includes vertical-specific devices, such as specialized equipment used in hospital operating theatres, tracking devices in container ships, and many others. Connected things for specialized use are currently the largest category, however, this is quickly changing with the increased use of generic devices. By 2020, cross-industry devices will dominate the number of connected things used in the enterprise,” said Mr. Tully.2 

Some measures that can be considered follow the footsteps of business leaders: 

• Establish “bug bounty” programs to reward individuals that find and report security flaws. 

• Connect all IoT devices through a separate, stand-alone internet framework and process data at the cloud level.

• Consider that the OWAP project may a good resource for your business, having produced several reports on IoT testing guidelines, IoT security guidance, principles of IoT security, IoT framework assessment, and developer, consumer and manufacturer guidance.3 

• Blockchain architecture.

• Encrypt source data.

• Encrypt transaction data, typically referred to as tokenization, similar to process used in “apple pay” and bitcoin.

Lastly, yet not least, in addition to the various means of keeping our businesses safe and through the deployment of successful cybersecurity measures – sustainable, it is also a useful aspect of this exercise to take into account a report written by Forrester,4 that “all data theft is an insider job,” and an insider can be any “employee, contractor, partner, or vendor who has access to your firm’s data and systems.” According to the report, there are three broad categories of insider data theft: a) the “good guy” who makes an honest mistake (56%), a malicious actor who appears to be a good guy (18%), and the intentionally malicious insider (26%). 

With vast promise ahead to transform businesses, and embrace the benefits of IoT Jekyll – while remaining alert to IoT Hyde (also insiders per Forrester report) – it is up to us to maximize the opportunities presented by both.  It is in better understanding Hyde that we can innovate, better protect and make safe Jekyll. 

Footnotes:

1. https://techcrunch.com/2016/08/25/the-biggest-threat-facing-connected-autonomous-vehicles-is-cybersecurity/

2. http://www.gartner.com/newsroom/id/3165317

3. https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

4. https://reprints.forrester.com/?aliId=79435813#/assets/2/582/’RES134865’/reports

Nadine Cino LEED AP, is CEO and co-inventor of both TygaTrax and TygaBox, New York, N.Y.