Welcome to the SecAware blog

I spy with my beady eye ...

4 Jan 2018

NBlog January 4 - IoT and BYOD security awareness module released

The Internet of Things and Bring Your Own Device typically involve the use of small, portable, wireless networked computer systems, big on convenience and utility but small on security.  Striking the right balance between those and other factors is tricky, especially if people don’t understand or willfully ignore the issues – hence education through security awareness on this topic makes a lot of sense.
From the average employee’s perspective, BYOD is simply a matter of working on their favorite IT devices rather than being lumbered with the clunky corporate stuff provided by most organizations. In practice, there are substantial implications for information risk and security e.g.:
  • Ownership and control of the BYOD device is distinct from ownership and control of the corporate data and IT services;
  • The lines between business and personal use, and between business and personal data, are blurred;
  • The organization and workers may have differing, perhaps even conflicting expectations and requirements concerning security and privacy (particularly the workers' private and personal information on their devices);
  • Granting access to the corporate network, systems, applications and data by assorted devices, most of which are portable and often physically remote, markedly changes the organization’s cyber-risk profile compared to everything being contained within its facilities and wired LANs;
  • Increasing technical diversity and complexity leads to concerns over supportability, management, monitoring etc., and security of course.  Complexity is the information security manager's kryptonite.
IoT is more than just allowing assorted things to be connected to and accessed through the Internet and/or corporate or home networks. Securing things is distinctly challenging when the devices are technically and physically diverse, often inaccessible, and limited in storage, processing and other capabilities (cybersecurity in particular). If they are delivering business- or safety-critical functions, the associated risks may be serious or grave.
It strikes me as odd that risks to the critical national infrastructure resulting from the proliferation of IoT things are not higher up the public agendas of various governments. I have the uneasy feeling that maybe the authorities are wary of drawing attention to the issue, except (hopefully!) in private dealings with the utilities plus defense, finance and healthcare industries. Conversely, I could be mistaken in believing that IoT is substantially increasing information risks in industrial situations: perhaps the risks are all fully under control. Perhaps pigs have wings.

Subscribe to the NoticeBored service to boost your security awareness program and catch imaginations with creative content, fresh every month.
