Three Ways to Reduce Risk While Transitioning to IoT

The Internet of Things is redefining security, risk and cost at many public and private enterprises. Thankfully, new best practices for risk mitigation, privacy protection and cloud management have emerged.
Published: February 17, 2016

The U.S. federal government has begun to explore the benefits of the Internet of Things for citizens through public-sector initiatives, including smart parking systems, smart metering, home health care and variable road pricing. Given the depth and breadth of these systems, the government may have the best vantage point on the governance, risk and implementation impacts of the IoT.

The interconnected systems supported by the IoT make it possible for the government to streamline operations in new ways, such as improving employee productivity and reducing operating costs. IoT systems also offer the opportunity to enable more effective communications to connect the defense communities scattered across the globe.

As federal agencies begin to collect citizens’ personal data via the IoT, compliance and security will become key for ensuring citizen trust. However, IoT systems, as they are currently designed, present challenges when it comes to forming overarching compliance requirements. For example, many IoT devices have not been designed with patch-management capabilities. In other cases, IoT devices may not audit the data they collect, even if that information requires a forensic trail, per compliance regulations.

Government agencies are obliged to issue system of records notices, describing how citizen data is collected and used. Furthermore, compliance with National Institute of Standards and Technology (NIST) guidance requires that annual interconnection agreements be signed and maintained. An interconnection is defined as the direct connection of two or more IT systems for the purpose of sharing data and other information resources. Clearly, the government’s IoT systems fall under these requirements.

For enterprises, the collection of personnel-related data via IoT systems generates a number of corporate governance issues. As IoT devices used within and for the government are connected to cloud-based computing systems, current security policies will likely change, as they did following the emergence of cloud-based systems. In spite of the attractive benefits of the IoT, government leaders implementing new IoT practices need to devise policies that identify where current compliance and security practices must change and assign responsibility for those changes.

IoT systems will force the private and public sectors to generate new practices in cybersecurity, compliance and privacy. Discussed below are key security best practices that will help government agencies and commercial users manage their early IoT strategies:

Rethink Management of Cloud + IoT
From a cybersecurity perspective, once organizations are using cloud computing and IoT systems, they need to think about how to secure multiple connection points, as well as the metadata and the automated or sensor-driven data obtained and stored.

This transition poses a host of new threats and challenges. New access points, new transmission types and new data storage centers all provide ways for adversaries to infiltrate the system and steal your most valuable data, intellectual property or trade secrets. Technology teams will need to implement a completely new approach to security, and can no longer simply buy a plug-in or an add-on to an existing system for protection.

Commit to Next-Generation Risk Assessments
From a business perspective, ongoing assessments of risk and regular reviews of security processes and policies are necessary to demonstrate due diligence in protecting the data. Risk assessments for IoT devices will likely require the inclusion of specific metadata controls—derived information controls, including designations of data ownership and/or claims of non-responsibility for third-party information uses. These risk-assessment methodologies will likely undergo the most change during the next one to three years as implemented IoT technologies provide new lessons learned and case studies. Additionally, new security controls and processes will be required, as well as a greater awareness of complex and compounded risk management.

Liability, financial penalties and costs will also become more directly assessed as part of IoT-related risk.

Understand Emerging Obligations for Data and Privacy Protection
From a big-picture perspective, the global debate regarding the meaning of privacy in a world of greater transparency has only just begun, and businesses have yet to adapt to new trends and regulations. Technologies like the IoT are redefining the rules around data ownership and protection. Key to this transition will be any regulations from the Federal Trade Commission (FTC) on consumer protections.

As the FTC and other compliance-setting agencies define tighter rules surrounding data privacy, businesses need to understand their obligations and liabilities. The true IoT end-users—business divisions, marketing groups, and other internal and external service groups—will consume smart technology and enterprise data in new ways. The managers and administrators of IoT systems need to be adequately informed regarding how the data is being collected, who has access to it, and how it’s being stored and secured, in order to protect privacy agreements and proprietary information.

Just as the Cybersecurity Framework established by NIST offers common standards and foundational security best practices, the government can be instrumental in guiding the formation of IoT security controls. Much like the implementation of the first Federal Information Security Management Act (FISMA) of 2002, there will be some struggles to address governance, compliance and adaptations to the guidance currently in effect. To accomplish that, government agencies will, first and foremost, need to learn from their past and lead by example.

Maria C. Horton is the president and CEO of EmeSec, a cybersecurity professional services firm. Horton founded EmeSec in 2003 after retiring from her post as a CIO of the U.S. Naval Medical Center.