Trend Micro recently surveyed 1,150 IT executives globally. We found a gap between the perceived risk from IoT and the planned mitigation for that risk. Most senior executives recognize that IoT can introduce security risk to the organization, but few will invest resources to remediate that risk. Senior leadership should perform an IoT Gap Analysis on their IoT risk vs. remediation plans.
Your Gap Analysis should look at two things. First, discover the perceived risk of any IT-connected IoT (and Industrial Control Systems generally) held by your senior leadership. Include their understanding of the responsible persons and organizational functions addressing that risk. Compare that with the view held by your supervisors and technicians managing those devices, including the actual individuals and organizations or teams handling the mitigation efforts. Second, assess the investment in mitigation supported by senior leadership compared with the actual steps taken to deploy and use those supported actions by the supervisors and technicians (and anything else they might have innovated, as well).
You are looking for consistency of intent and effectiveness of investment.
Figure 1: Cybersecurity Risk Matrix
When evaluating the likelihood of an event, remember that cybercriminals use automated tools to scan all networks for vulnerabilities. Any Internet-connected, unpatched IoT device has a “High” likelihood of being attacked.
As you stage your remediation activities, start with the items in the top right three boxes, labeled in red. Then address the items on the diagonal. Once you have mitigated the issues in these zones, you can then institute a program of continually monitoring activity that might change the risk profile and, as a result, broaden your attack surface. As you roll new technology out, build this assessment into your design or product selection, release, and operations procedures. Verify that your business partners who also use those technologies are in harmony with your security program. Supply chain risks abound in the Internet of Things. Finally, consider the items that fall into the three lower left boxes shown in green.
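The staging rule above (red cells first, then the diagonal, then the green cells) as a worked example in code. This is an added illustration, not code from the original post or from Trend Micro; the device inventory is constructed, and every likelihood tier other than the post's own rule ("Internet-connected and unpatched means High") is an assumption chosen for the example.

```python
"""Score an IoT/ICS inventory against a 3x3 likelihood x impact matrix and
order remediation the way the post recommends: red zone, then diagonal, then green.
Added example; the inventory and the non-'High' likelihood tiers are assumptions."""
from dataclasses import dataclass

LEVELS = {"Low": 0, "Medium": 1, "High": 2}
ZONE_ORDER = {"red": 0, "diagonal": 1, "green": 2}


@dataclass
class Device:
    name: str
    internet_connected: bool
    patched: bool
    impact: str  # business impact if compromised: "Low", "Medium" or "High"


def likelihood(dev: Device) -> str:
    """Rule from the post: any Internet-connected, unpatched device is 'High'.
    The other two tiers are assumptions for this example:
    unpatched but isolated from the Internet -> Medium, patched -> Low."""
    if dev.internet_connected and not dev.patched:
        return "High"
    if not dev.patched:
        return "Medium"
    return "Low"


def zone(likelihood_level: str, impact_level: str) -> str:
    """Map a matrix cell to the post's three staging zones.
    With Low=0, Medium=1, High=2, the sum of the two axes splits the 3x3 grid:
    >= 3 -> the three top-right cells (red), == 2 -> the three cells on the
    diagonal between them, <= 1 -> the three lower-left cells (green)."""
    total = LEVELS[likelihood_level] + LEVELS[impact_level]
    if total >= 3:
        return "red"
    if total == 2:
        return "diagonal"
    return "green"


def stage_remediation(devices):
    """Return (zone, likelihood, impact, name) rows in remediation order:
    red first, then diagonal, then green; within a zone the higher combined
    score comes first, then the name for a stable listing."""
    rows = []
    for dev in devices:
        lik = likelihood(dev)
        rows.append((zone(lik, dev.impact), lik, dev.impact, dev.name))
    rows.sort(key=lambda r: (ZONE_ORDER[r[0]],
                             -(LEVELS[r[1]] + LEVELS[r[2]]),
                             r[3]))
    return rows


# Constructed sample inventory (not real devices or a real network).
SAMPLE_INVENTORY = [
    Device("plc-line-3", internet_connected=False, patched=False, impact="High"),
    Device("lobby-camera-1", internet_connected=True, patched=False, impact="Low"),
    Device("hvac-controller", internet_connected=True, patched=False, impact="High"),
    Device("badge-reader-2", internet_connected=False, patched=True, impact="Medium"),
    Device("smart-tv-boardroom", internet_connected=True, patched=True, impact="Low"),
]

if __name__ == "__main__":
    for z, lik, imp, name in stage_remediation(SAMPLE_INVENTORY):
        print(f"{z:9} likelihood={lik:6} impact={imp:6} {name}")
```

Run as written, the Internet-exposed, unpatched HVAC controller and the unpatched high-impact PLC land in the red zone, the exposed but low-impact lobby camera falls on the diagonal, and the two patched devices wait in green. The zone thresholds are what make the ordering defensible to an audit team: they are fixed up front, so a device cannot drift into a lower-priority bucket without its likelihood or impact rating changing.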
Use your internal audit team to help your IoT Gap Analysis. They know how to assess program risk, and they know how to talk to technologists and managers. If your organization perceives high risk but does not take steps to mitigate that risk, you may be violating your business partners’ expectations – not to mention their contractual terms, and possibly regulatory or legal constraints.
As you complete your risk assessment, remain pragmatic. It is far better to be generally right than precisely wrong. With a bit of effort, you can justify a cost-effective, comprehensive information security program that will include your ICS, IoT, and existing IT infrastructure.
Let me know what you think! Comment below, or reach me on Twitter: @WilliamMalikTM .