In October of last year, news of a widespread hack proved what many industry experts and Internet of Things (IoT) skeptics have feared for years: Despite its enormous promise, there are more security threats and questions than reassuring answers, never mind safeguards. Perhaps this changes soon.
I'm no hacker, but I know a thing or two about basic security. For starters, once a bad actor enters a network – be it home, corporate or government – the means by which s/he gains access isn't terribly material. That is, there's no preferred seating. Bad guys may well be able to go anywhere once they've entered the building. As my friend, noted security expert Mike Schrenk told me:
Attackers get permissions equal to those of the account(s) they penetrate. For example, if they compromise a web server, they may have the same permissions that the server had. If, on the other hand, a root account is exploited, then they can access everything.
Here's the rub: As the recently publicized – if not recently reported – Yahoo! hacks have confirmed, we're not even terribly adept at protecting mature technologies (e-mail) and devices (computers, smartphones). This leaves me with several chilling questions:
- What does that say about our ability to protect nascent tchotchkes such as smartwatches, Fitbits, refrigerators and their ilk?
- Moreover, what does this portend for organizations intent on compliance and maintaining privacy – or at least trying to do so?
It's always been difficult for organizations to play defense against those who want to do harm. To be sure, that's certainly the case today. What's more, it's obvious that an organization need not be guilty of malfeasance to subject itself to scrutiny. Recent lawsuits against Google, Twitter and Facebook manifest that an enterprise need only (allegedly) practice mere negligence to incur the wrath of the media, citizens and consumers.
Put differently, in today's environment, an organization can face considerable problems not only by failing to act, but by failing to act quickly and substantively enough. And make no mistake, this reality has major ramifications vis-à-vis compliance and privacy. No CEO wants to face questions from Congressional committees looking to score points with the public on highly publicized breaches.
Simon says: Be paranoid.
I certainly don't possess all of the answers on how organizations and their executives ought to comport themselves in these highly volatile times. Maybe it's an overstatement to say that only the paranoid will survive, to paraphrase Andy Grove.
As we adopt common standards around the IoT, maybe security becomes easier. Until that time, though, tread lightly. Listen to experts. Assume that the worst can happen. As for compliance, it may be boring, but it's also essential. Do more than what government agencies require. Tech is moving far faster than the public sector can handle regardless of the promises or assurances of political leaders who may – or may not – understand the situation.
What say you?Read – IoT success depends on data governance, security and privacy