The Internet of Things is a novel and rapidly evolving field, making IoT security highly topical. Yet, as with cybersecurity last month, it was something of a challenge to prepare a coherent, concise and valuable set of security awareness materials.
In researching the topic, we discovered surprisingly few companies marketing various smart and mostly geeky things, a few news articles and lightweight gee-whizz journalistic pieces, and some almost impenetrable academic and technical papers about the technologies. Enterprising hackers are already exploring IoT, discovering and exploiting security vulnerabilities, ostensibly for education and demonstration purposes, at least for now. Shiny new things are appearing on the market every week to be snapped up by an eager if rather naïve public.
IoT presents a heady mix of risks and opportunities, with substantial commercial, safety, privacy, compliance and information security challenges ahead, and sociological implications for good measure. In a few years’ time when both things and IoT incidents have become commonplace (despite our very best efforts!), we may look back in amazement at the things we are doing today … but we are where we are, things are spreading fast and the risks are multiplying like salmonella on a Petri dish.
An IoT security awareness module is timely.
To prepare the materials, we took a back-to-basics approach, identifying and describing a wide range of risks associated with or arising from IoT as a starting point. For the staff stream, we focused on consumer things including smart home and wearables. For management, we discussed the commercial, strategic and policy concerns with IoT and IIoT (Industrial IoT). While it would have been easy just to highlight the security and privacy angle, we also discussed the business opportunities that arise from innovative things. Finding the right balance between risk and opportunity, or security and creativity, is the key to exploiting the amazing possibilities of these exciting new technologies.
September’s NoticeBored module addresses the following generic learning objectives:
- Introduce IoT, an emerging and rapidly evolving field, explaining 'things', ubiquitous computing, mesh networks, IIoT and so forth;
- Outline the personal and business benefits driving IoT and IIoT adoption, touching on commercial opportunities, industry pressures and technology constraints plus wider societal issues, privacy concerns and so on;
- Explain the information risks arising from or relating to IoT & things, illustrating the threats, vulnerabilities and impacts with news of real-world IoT incidents, attacks and malware;
- Emphasize the four possible means of treating the risks (avoid, mitigate, share or accept: more than just security controls!);
- Encourage the workforce to consider and ideally address the information risks, security and privacy aspects of IoT and things, going beyond mere ‘awareness’.
IoT security is the 56th topic in our steadily growing portfolio of information security awareness materials. We're already working on another new topic for next month: 'rights and privileges' are core to IT security, crucial to logical access management, and important concepts in a much broader sense.
Could your security awareness program do with a kick up the wotsits? Wish you had the time and energy to research and write about emerging information security challenges? With 56 information security topics covered already and more on the way, there's sure to be something right up your street. Email me to evaluate and subscribe to the NoticeBored service. How can we help?