By Ofer Maor, Director of Solutions Management at Synopsys
The Internet of Things is transforming our world by offering a wide range of smart devices which can do things better, faster and easier for us. In our personal lives this manifests itself through personal assistants such as Alexa or Google Home, through smart kitchen appliances and smart lighting, all of which are already gaining tremendous popularity.
But IoT is an even bigger game changer for businesses, small and large: from barcode scanners and location trackers to internet-enabled devices, all the way up to connected manufacturing machines and power stations.
As this space grows, the question of whether organisations should adopt IoT is no longer relevant. Failing to adopt these modern technologies and capabilities will leave your business behind and offer your competitors an advantage in the market. Nonetheless, adoption of these technologies exposes your organisation to a completely new set of security threats.
As we have previously seen with emerging technology (as in the early days of websites and mobile applications), there are several repeating dynamics which influence security, such as rapid innovation, lots of new players in the market and lack of awareness.
The first two drive vendors in this space to value speed to market over many other priorities, including security, as they face fierce competition. The third makes it even more likely that they will invest insufficiently in security as they write their code or integrate third-party open source into their products. The result is more vulnerabilities and risks than anyone would want in these new products and devices, which of course pose a threat to your business.
Luckily, businesses, especially larger ones, are in a far better position to deal with this than the consumer market, and can create the right program for reducing these risks while still enjoying the benefits this new world offers. Here are some practical tips for adopting devices in this space.
The first thing to pay attention to, of course, is who you are buying from. While the pressures on all vendors may be the same, some give more consideration to security than others. Try to buy from respectable vendors with a proven track record in the market. Don’t be afraid to ask them about their security program. Better vendors will be glad to share summaries of their software security programs, showing that they regularly test their code for security vulnerabilities and fix them when they are found.
That said, it is also recommended to perform your own testing. As you consider procuring a new technology, it is advisable to perform some sort of security testing on it to see whether it holds up to at least a reasonable level of hacking attempts. A simple engagement can save a lot of money and work in the future. Moreover, when procuring larger deals with broad organisational adoption, it is highly recommended to add a contractual commitment by the vendor to fix any security issues which may arise in future testing (as some surely will).
Finally, as with any good security policy, plan for breach. This is true in almost any space in the cybersecurity world, but with emerging technology it is even more important. Planning for breach does not mean you need to prevent new technologies from coming in. It simply means adding additional layers of security around them. Use network and device compartmentalisation to prevent propagation of a potential breach, and make sure to include some technologies that can monitor for attacks and vulnerabilities and alert in such a case. Most importantly, with all that in place, make sure you have a great incident response plan in place to deal with such a potential breach quickly and efficiently if and when it occurs, allowing you to go back to your day-to-day efficiency as fast as possible.