IoT: Do Risks Outweigh Benefits?
India's CISOs Not Yet Prepared to Embrace IoT Trend
Many forecasts call for 2015 to be the year of the Internet of Things - a year in which IT security professionals will find themselves stretched to cover activities outside their usual responsibilities.
But are Indian security leaders prepared to embrace IoT? Not according to interviews conducted in response to a recent ISACA survey on the topic. For now, the IoT risks outweigh the benefits, these leaders say. And they fear that the trend will lead to an increase in security threats within the enterprise, as well as a decrease in personal privacy.
"IoT is a good topic from a discussion point of view, but not from the adoption standpoint," says Mumbai-based Sanjay Sharma, associate director and regional security manager, Asia Pacific, at Merck Ltd, a pharmaceutical company. "Indian enterprises are nowhere near dealing with the threats or data breaches arising out of inter-connected devices and sources."
The IoT Challenge
Gartner defines IoT as: "the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment."
In practical terms, IoT includes everything from personal medical devices to smart cars and Internet-enabled consumer appliances, such as televisions and refrigerators.
ISACA, the information security professional organization, recently surveyed IT and security professionals in 110 countries for its 2014 IT Risk/Reward Barometer and found that these individuals have conflicted feelings about the benefits of connected devices. Most IT departments are still not ready for the IoT, the survey finds, because CISOs fear IoT adoption will increase security threats.
Among the survey's findings:
- 37 percent of respondents see IoT as the top challenge for organizations, owing to increased security threats;
- 28 percent expect IoT adoption to result in data privacy issues;
- 36 percent believe the risk associated with IoT would outweigh the benefits.
"One of the biggest takeaways from this year's study is the significant gap between people's concerns about protecting their data privacy and security versus the actions they take," says Vittal Raj, international vice president of ISACA. "Businesses need to address this gap by aggressively educating customers and employees about how they can help reduce the risk or minimize the impact of data breaches or hacks by adopting IoT."
In discussing IoT, some regional experts argue that, in India, the practice of privacy protection is not fully embraced, except by industries such as telecom, which are regulated. Hence, trends such as IoT will pose new challenges for CISOs.
"There is an imminent requirement for awareness on privacy and formalizing privacy laws in Indian organizations," says Mumbai-based Durga Prasad Dube, senior vice president and security head at Reliance Industries. "Maybe [Indian organizations should] create a privacy office which can define IoT projects, policies and procedures and make CISOs responsible for securing the environment, all of which is still a distant affair."
Experts say some CISOs are apprehensive about IoT because any Internet-enabled device can be compromised and conscripted as a zombie into an attacker's botnet, so being prepared for large-scale attacks is a huge challenge. Others maintain that their BYOD policies do not allow the use of IoT devices - particularly wearables - because of security concerns.
Dube agrees that BYOD becomes a bottleneck for the adoption of IoT. "It is important for CISOs to fortify sound controls around BYOD, get the necessary feedback from the stakeholders and then develop policies around IoT projects or the use of personal wearables," Dube says.
Planning for IoT?
Despite the IoT challenges, according to ISACA's survey, 31 percent of respondents still seem to be lured by this trend and said they plan to leverage it.
A word of caution from Sunder Krishnan, chairman of ISACA's India Growth Task Force: IoT should emerge as a strategic initiative, not a tactical plan.
"Companies should take an 'embrace and educate' approach to these devices by creating clear policies and educating employees on appropriate use that can result in increased productivity - a benefit to the enterprise," Krishnan says.
Merck's Sharma says security teams must take the lead here and define the course of action to deploy IoT.
"CISOs must take a holistic approach to understand risk management, IT and compliance, and use a collaborative mechanism to monitor every aspect of the project and prescribe zero tolerance towards any violation of any clause of the security policy," Sharma says.
When it comes to securing IoT, ISACA's Raj recommends that CISOs look at leveraging security knowledge platforms and professional programs to understand the nuances of IoT and the methods for securing the environment.
"Every enterprise should make its security portfolio agile by building the skills of its employees at various levels and equip them to tackle all kinds of threats," Raj says.
Some security leaders also recommend developing a security standard for IoT device vendors, and creating authentication and encryption standards for all devices and middleware, to address secure communication, data retention and privacy.
And with IoT comes the need for a complete overhaul of the employee education process.
"The education should be on how to use IT securely in any new technological environment," Dube says, "rather than the policy or its guidelines, which would be more holistic in nature."