Do You Have Blind Spots In Your Supply Chain?

Avoidable supply chain disruptions occur more frequently than anyone would like. Some of the more recent notable examples:

  • In October 2013, Adobe announced it had been hacked, and subsequent reports showed that not only were over 150 million users impacted, but code to one of their signature products, Photoshop, was released publicly.
  • From March 2013 to July 2014, over 600 people across 29 states were infected with salmonella which was finally linked back to Foster Farms brand chicken.
  • During the 2013 holiday season, 40 million credit card users had their information stolen when hackers accessed Target’s gateway server with credentials stolen from a third-party vendor.
  • In 2015, over 20 million current and former federal employees and their contacts had their information stolen in a massive data breach at the Office of Personnel Management (OPM).

The world continues to get smaller as organizations increasingly rely on integrated systems and on multi-tiered, global manufacturers. This dependence is transforming the traditional discussion around supply chain security into a cyber-focused dialogue predicated on security, integrity, resiliency, and quality. Yet outdated procedures, end-of-life technologies, and stove-piped authorities and processes have led to blind spots within supply chains. Adding to this is the fact that supply chains are not linear relationships but integrated webs of connections, and transparency into those relationships is more important than ever.

With adversaries actively exploiting these supply chain vulnerabilities, organizations should work to protect their critical infrastructure and National Security Systems (NSS). Interos has developed a Global Threat Information Center (GTIC™) that provides a managed service approach to reducing supply chain risk and providing deeper vendor risk intelligence and continuous monitoring. Our unique approach allows organizations to identify and provide proactive supply chain risk management (SCRM) mitigations that create a sustainable and scalable model for faster business decisions.

When was the last time your organization reviewed its supply chain and its processes?

Buyer Beware of Removing Humans from the Artificial Intelligence Equation

Artificial intelligence, especially learning machines that can adapt to changing input, is seen by many in the computer security industry as the next great hope in challenging cyberthreats.

We recently wrote about the promise and potentially positive impact this type of AI might have when it comes to protecting firms against hacker incursions. AI can offer fast response times. It may detect patterns that allow for better oversight. And sometimes it may take automation to adequately protect against the automated attacks sent by hackers.

But as with any technology, an over-reliance on the new may have unintended consequences, and even undermine corporate goals. AI, like other technology, is ultimately a tool — but tools need a human operator.

That’s the gist behind comments from Levi Gundert, Recorded Future’s vice president of intelligence, at a panel session for RiskSec NY 2017.

“Supervised machine learning has a lot of promise, but you still need that paired up with human brains to make [your threat data feed] a truly valuable feed for your organization,” reports SC Media.

Gundert went on to say that people still need to set the parameters for the automation and track its efficiency.

Gundert isn’t the only one suggesting caution in the form of ensuring people remain engaged in the AI cybersecurity chain.

First, one temptation of technology is to assume that the most recent advances are what a firm needs, even if it’s not actually the best tool for the job.

“In our work with organizations, we have noticed that when a new threat arises, instead of holistically assessing it, organizations often simply request the latest, greatest analytic tool or contract out the work to third-party intelligence providers,” writes Jay McAllister, a senior analyst with Carnegie Mellon University’s Software Engineering Institute.

Even if a firm does employ the best tech for the job, it’s not foolproof.

“Too often, unsupervised machine learning contributes to an onslaught of false positives and alerts, resulting in alert fatigue and a decrease in attention,” writes Torsten George, the vice president of marketing and product management for software firm RiskSense, in Security Week.

While machines can flag areas of concern faster than a human security employee might catch them, it takes a human touch to assess the quality of the information and decide on action. The AI might learn from that human input, George notes, but the human is still a vital part of the process. It still takes a leader’s touch to ensure cooperation among departments and staff.

Overwhelmingly, the experts do support employing AI learning machines to track cyber threats. TechCrunch notes that a good program could pare down events to 100 for review, instead of expecting a department to comb through thousands. The hours and weeks saved could prove invaluable.

But as with any advancement, nothing remains foolproof. The key is understanding the holes in your cyber security network, considering which AI tools might help, and plugging those in — with adequate human support.


Can Artificial Intelligence Thwart Cyberattacks?


When cyberattacks take an average of 99 days to discover, and hackers say they can infiltrate some systems in less than 24 hours, those 98 days could mean the difference between shutting down a crisis before it starts and scrambling to rebuild from epic losses.

Narrowing that timeframe from attack to detection could help firms head off significant damage, but tracking insidious infiltration can stymie even the most attuned cybersecurity departments.

But what if the computer systems could essentially police themselves?

“In the cyber-world, intelligence has played — up till now — a less prominent role,” Eric Hoh, president for Asia Pacific Japan at FireEye, tells CNBC. “I think that companies need to really pay more attention to knowing your attackers and understanding what valuable information you have that people would want.”

It’s not so far-fetched an idea, considering how many businesses now track big data, as ComputerWorldUK notes. Corporate systems can track customer activity in such detail that retailers can create predictive, targeted marketing, better estimate stock needs, or analyze potential supply chain disruptions. Putting such systems to use for tracking cyberattacks could crunch reams of data much faster than cybersecurity experts having to feed information to software in batches at a time.

To offer an example: Imagine a phishing attack in a shipping department. What if one email account suddenly shows an uptick of a few percentage points in activity? IT experts may notice this eventually, but it’s hard to scour the accounts of thousands of employees, spot something as small as a 4 percent shift in activity, turn attention to that account, and deploy defenses as needed. It’s almost needle-in-a-haystack work. But AI security infrastructure might catch that uptick as out of the norm and turn its attention to that account — before the phishing attack infects the entire company.
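The baseline-and-deviation idea behind that scenario, as an added illustration that is not part of the original article: each account gets its own "normal" from recent history, and a day is flagged only when the shift is both meaningful in percentage terms and unusual relative to that account's own variability. Account names, day counts and message volumes are constructed sample values.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): outbound messages per
# account per day. The first BASELINE_DAYS values are the learned "normal";
# the final value is the day under review.
BASELINE_DAYS = 14
ACTIVITY = {
    # stable sender: today is 6% above its norm, a clear outlier for it
    "shipping-01": [50, 50, 51, 49, 50, 52, 48, 50, 51, 49, 50, 50, 51, 49, 53],
    # stable sender: today is slightly below its norm
    "shipping-02": [120, 118, 122, 119, 121, 120, 118, 122, 121, 119, 120, 121, 119, 120, 119],
    # erratic sender: today is 40% above its mean but within its usual swing
    "shipping-03": [30, 70, 20, 60, 25, 65, 35, 55, 30, 60, 40, 50, 35, 55, 63],
}


def baseline_stats(history):
    """Mean and population standard deviation of the baseline window."""
    window = history[:BASELINE_DAYS]
    return mean(window), pstdev(window)


def score_account(history):
    """Return (pct_shift, zscore) for the most recent day versus the baseline.

    pct_shift is the relative change from the baseline mean; zscore expresses
    the same change in units of the account's own day-to-day variation.
    """
    avg, sd = baseline_stats(history)
    today = history[BASELINE_DAYS]
    delta = today - avg
    pct_shift = delta / avg if avg else float("inf")
    if sd == 0:
        # A perfectly flat baseline: any movement at all is unusual.
        zscore = float("inf") if delta else 0.0
    else:
        zscore = delta / sd
    return pct_shift, zscore


def find_outliers(activity, pct_threshold=0.04, z_threshold=2.5):
    """Accounts whose latest day is both a meaningful percentage shift
    and statistically unusual for that particular account."""
    flagged = []
    for account, history in activity.items():
        if len(history) <= BASELINE_DAYS:
            continue  # not enough history to build a baseline yet
        pct, z = score_account(history)
        if abs(pct) >= pct_threshold and abs(z) >= z_threshold:
            flagged.append(account)
    return flagged


if __name__ == "__main__":
    for account, history in ACTIVITY.items():
        pct, z = score_account(history)
        print(f"{account}: {pct:+.1%} shift, z={z:+.2f}")
    print("flag for review:", find_outliers(ACTIVITY))
```

The erratic account shows a far larger percentage jump than the flagged one, which is exactly why a fixed percentage threshold alone produces the alert fatigue discussed elsewhere on this page.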

Darktrace, founded by University of Cambridge math experts, says its machine learning capabilities mimic the human immune system — like white blood cells, their systems seek out diseased interlopers, and then figure out ways to destroy them.

The UK-based firm, according to CNBC, “uses machine learning capabilities — advanced algorithms that can adapt and learn — and probabilistic mathematics to learn the normal ‘pattern of life’ for every user and device in a network and detect anomalies.”

“Darktrace has identified 30,000 previously unknown threats in over 2,400 networks, including zero-days, insider threats and subtle, stealthy attacks,” the firm’s website says. The City of Las Vegas counts among its clients, according to Business Weekly UK.

As with all automated systems, though, mitigating one set of risks could open doors to another. What if someone with nefarious goals turns the AI system against itself?

So how can firms vet AI/machine learning processes when it comes to cybersecurity?

“We know from experience that attacks will simulate what [information security] vendors are doing,” cybersecurity analyst Adrian Sanabria explains in ComputerWorld UK. “I wouldn’t be surprised if they’ve already duplicated the industry’s machine learning work, and are working to determine ways to get around it, if they haven’t already.”

Ensuring that any supply chain partners have quality security research and data science teams, ComputerWorld UK notes, is key to gaining confidence. Redundancy, too, is key, as with any part of a reliable supply chain. Machine learning is one of many cyber-risk assessment and protection tools. Understanding all potential weak points, and employing best practices for all potential risks, weaves a blanket of protection that makes it increasingly difficult for accidents, problems or hackers to penetrate.

If cyber attacks are a concern for your organization, contact Interos Solutions today to learn more about how we can help you protect your critical intellectual property.

Time to Integrate NIST Guidelines Into Enterprise Security Is Now

Leaders on both sides of the aisle appear to agree that cybersecurity is, and must continue to be, a key focus of national security planning and risk assessment.

But there’s a split already apparent under the new Trump administration, involving the National Institute of Standards and Technology. NIST isn’t usually mired in partisan politics, but nor is NIST a regulatory agency, and that is becoming the gist of the issue.

On March 1, a Congressional committee approved a measure that would have NIST “evaluate and audit federal agencies’ adoption of the cybersecurity and technology guidelines,” according to The Hill publication.

NIST first published its cybersecurity guidelines in 2014, a project begun at the behest of the president at the time, and has continually updated them ever since. The goal is “to develop a voluntary framework to help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid.”

But the mission was never regulatory. Republicans cited the proposed bill as a way to shake up how cybersecurity issues are currently handled. And the bill appears to align with draft guidelines circulating out of the White House that call for NIST guidelines to form a framework for evaluating the cybersecurity plans of federal agencies.

But Democrats, along with cyber experts, note that NIST isn’t a regulatory agency. It’s one thing to publish suggestions and guidelines, but a completely different level of engagement and budget to take on the development of security metrics, plus active oversight of a host of federal agencies. Should that not fall under the Office of Management and Budget or the Department of Homeland Security?

The bill’s requirements “jibe with some elements of a draft cybersecurity executive order that would mandate that agencies adopt the NIST framework,” notes a story in Nextgov. “It would conflict, however, with NIST’s general policy that the framework should be an advisory document… rather than a strict set of rules.”

Additionally, some feel that OMB and Homeland Security already do some of the monitoring laid out in the bill — an unnecessary duplication.

The draft federal guidelines would use NIST frameworks specifically for risk assessment, requiring federal agency heads to use that framework and report back to the OMB within 90 days of the passing of the new requirements. Risk assessment remains the first step toward closing any loopholes or strengthening weak spots. But many agencies have already engaged in some of this work. And just as the NIST framework isn’t meant to be a series of benchmarks, it’s also not meant to be a strict set of metrics against which to measure all government risk. That’s not what it was created for.

We applaud the executive office for making this a leadership issue that agency heads will be required to oversee. Doing so recognizes that cybersecurity and risk in the global supply chain are seen as core agency issues, and not just something that can be left to subordinates. NIST has created a great universal standard.

But we agree that having NIST conduct audits turns an advisory agency into a compliance one, shifting its viewpoint away from risk management, where its input is sorely needed. We need to focus on potential risks and how to function in this new inter-connected world, not offer checklists for agency heads that hackers aren’t about to abide by.

Cybersecurity and supply chain threats demand new ways of thinking about enforcement and risk assessments. Forcing this work into old-school models of assessments, on an agency not equipped or funded for the work, could backfire.

Establishing a framework, and holding agency leadership accountable for management of the risks of their organizations, is a move in the right direction.

Is Being an Early Adopter Putting You At Risk?

IT risks abound in risk management, especially when outside vendors get thrown into the mix.

The Strategic Sourceror has identified three trends in terms of IT vendor security: integrating new tech too quickly, issues with prioritizing data, and internal threats.

We have addressed internal threats elsewhere, and we acknowledge bulk data processing is an ongoing challenge, but we remain far more concerned about the first issue: integrating new technology. Problems arising from integrating quickly-changing technology and upgrades are a risk management issue we see repeatedly, especially when it comes to vendor management and onboarding new vendors.

A recent report from MAPI, the Manufacturing Alliance, found that “rapid adoption of sensor technology, smart products, and Internet of Things (IoT) strategies” can also rapidly increase the problems of fast adoption, as can “so-called industry 4.0 digital manufacturing opportunities and increased interconnectivity of the industrial ecosystem, offering bad guys a wider target to hack.”

A McKinsey and Company report estimates that IoT’s international economic impact will hit $11 trillion by 2025.

“Nearly 70 percent of the projected economic value will eventually come from the use of sensor technology and swarm intelligence among B2B users,” McKinsey notes.

Whether it’s employees tapping into their personal technology while onsite, or vendors increasingly relying on smart systems to bring their services to market, the fast-changing nature of these technologies means that keeping track of all potential security risks requires added attention to detail.

Are vendors applying change management best practices, along with risk management best practices, from every overseas fiber-optic connection to every sensor on a package that crosses an ocean? Are they doing so with every systematic software upgrade or shift in service provider?

Annual reviews don’t cut it anymore, not when changes and additions to networks can increase weekly.

“Products, services and suppliers undergo near constant change,” notes our white paper, “The Case for the Vendor Management Office.” “Products are updated, services change with contract modifications and key members of vendor corporations turnover.”

But that’s just one part of the risk management challenge when it comes to vendors.

“As vendors make deals with their suppliers or undergo mergers, acquisitions and divestitures, the risk profile they bring to your agency changes,” the paper notes.

We’ve found that creating a Vendor Management Office (VMO) to serve as a traffic cop for vetting and managing outside vendors can go a long way in mitigating this risk. A dedicated office can not only vet potential vendors, but keep a close eye on their changes through continuous monitoring, and keep active lines of communication open.

A VMO can vet vendor applications, with a focus on the risk side of supply chain management, as well as monitor any changes with current vendors at every stage of the process. This takes the pressure off the Chief Information Security Officer (CISO), Chief Risk Officer (CRO) or other C-suite offices, and places it in the hands of experts who understand the challenges and can vet, track, update and manage these convoluted systems, as well as their myriad system changes.

Cyber Threat Intelligence, More Than Just Cybersecurity


The response was overwhelming. Of scores of companies surveyed last year that suffered a cybersecurity breach, 80 percent of respondents said that cyber threat intelligence could have prevented or minimized the attack.

The report, “Importance of Cyber Threat Intelligence to a Strong Security Posture,” covered more than 600 IT professionals in the U.S., and was released in 2015.

“The study highlights the need for highly accurate and timely threat intelligence to help organizations assess the risk of incoming data, reduce the volume of security incidents, and accelerate response to successful attacks,” says a vice president of Webroot, which sponsored the survey.

Cyber threat intelligence, or CTI, remains a new and evolving discipline, but one that is increasing in importance when it comes to assessing a supply chain and its potential weaknesses.

“Organizations must also understand [the cyber security] risk in the context of their supply chains — whether they rely on suppliers spread across the globe to manufacture products, or whether they use IT services from a cloud provider,” notes a study by Aspen Insurance, in conjunction with the Columbia School of Business.

But what exactly is CTI, and how can it assist a supply chain analysis?

A CTI Definition

This field is still relatively new, and so definitions can still differ by provider.

“Cyber security goes far beyond being an IT issue: business activities, such as new product launches, mergers and acquisitions and market expansion, now have a cyber dimension,” notes a report by EY, a financial risk assessment and advisory company. “We all live and operate in an ecosystem of digitally connected entities, people and data.”

Understanding that ecosystem in a comprehensive manner forms the nexus of CTI, and also the reward for businesses whose leadership understands the strengths and weaknesses of their supply chain – where breaches may be most likely to occur, why, and how to prevent them.

As the security firm RSA notes, “The goal is to better understand the motives, capabilities and objectives of threat actors that might seek to target the organization so that adequate countermeasures could be implemented.”

The goal is enough foreknowledge that when an attack occurs, everyone is prepared to turn it away, or mitigate the damage, from the board room to the IT service desk, no matter where that threat happens across the company supply chain.

CTI Components

CTI is the strategic understanding of where a given protection fits into the larger business model, how it works with other defenses, and what to do when it comes under attack or fails. That understanding is what elevates IT’s individual actions into a more comprehensive CTI analysis.

In one example, an IT department purchases malware protection. That vendor is now part of the supply chain, as is the software it provides. Is one type of malware protection able to protect against enough potential encroachers? Is redundancy, in the form of another malware program, a better bet? Does the program adequately meet the needs of the entire supply chain, or does it cover just one section, and if so, where do the cyber security weaknesses lie outside of that software?

Another way to define what goes into CTI is to consider what Security Week calls the “squishy” parts – the analysis of what can go wrong, where, and when, which can be harder to pin down. That includes things like the motives, capabilities, and objectives behind attacks, which means considering internal strengths and weaknesses throughout a supply chain, and how those strengths and weaknesses appear across a company’s functionality.

This is why off-the-shelf CTI programs often don’t work, and a detailed, top-down understanding on a business-by-business basis becomes key. The combination of supply chain, IT service and personnel needs doesn’t stay the same from one firm to another, and neither do the threat matrices they face throughout their supply chain.

When the Internet of Things Takes Down the Internet

The Internet tools that slowed some of the world’s largest sites for hours on a recent Friday morning weren’t just server farms or hacked key fobs.

Baby monitors helped take down Twitter.

Security cameras helped halt Amazon.

This nightmare scenario became a reality on October 21 when hackers used the Internet of Things (IoT) in a distributed denial-of-service (DDoS) attack that brought down major sites from PayPal to Spotify. While the attack was described as an Internet security issue, that’s not the whole story. It is a supply chain issue. The attack also represents a Doomsday scenario that security and supply chain experts have been predicting for years. Their focus is not high-level international villains, but low-level embedded technology.

What Happened

Early in the business day on that October Friday, major web sites started shuddering. The problems were quickly attributed to an attack on Dyn, a major DNS provider that routes Internet traffic to the right servers. Dyn’s systems were overloaded with millions of access requests from a huge number of IP addresses, so many that Dyn couldn’t handle the traffic, in what’s known as a DDoS attack. Hackers had taken control of Internet-connected devices, baby cameras and surveillance monitors among them, and directed their traffic at Dyn — basically turning the Internet of Things against the Internet.

As Dyn’s leadership notes, businesses that had instituted network redundancy fared better against the attacks, as they could shift their access points to other services. That kind of spreading the wealth is actually encouraged by Dyn, as Dyn’s Chief Strategy Officer Kyle York noted in statements made after the attack. His firm supplies a service, and good supply chain practice for critical parts of a chain is to build in redundancy so that if one service falters, business can still continue.

“I don’t think you can ever be safe enough or redundant enough,” he says, in Supply Chain 24/7.

But that’s not the only supply chain issue at play.

Hardware, Software, Oops

This kind of attack relies on gaining access to the hardware and the software behind it. Vulnerabilities can arise when parts or software handled by an outside supplier aren’t tested for quality assurance, functionality and security. There are hundreds of parts that are now built into cars, for example, that make them smart, but also make them vulnerable to attack and exploitation.

Scott Montgomery, vice president and chief technical strategist in Intel’s security division, notes that companies inherit every problem in their supply chain, according to The New Stack, which covered a panel in San Francisco where he spoke.

And the problem isn’t just a faulty piece of hardware.

“If you think just because your software is on a chip, that they can’t get it off of there, you are mistaken,” says Billy Rios, a security expert who has worked with the Department of Defense, speaking at the same panel. “If you think that someone will never be able to understand your custom vertical, you are mistaken. If you think no one will ever find that hidden account you have in there to do debugging or to access certain features that you don’t want your customers to get access to, you are certainly mistaken.”

Some security experts have been warning that lax oversight of parts in things that connect to the Internet poses a serious security risk, some of them saying it’s only a matter of time until a major hack similar to the one seen in October.

“Information security people ‘have been screaming bloody murder about this for years’,” reports the San Francisco Chronicle.

Take this 2011 example, reported in 2014 by the Heritage think tank:

“In October 2011, two people were convicted of selling as many as 59,000 counterfeit circuits from China to the U.S. military, defense contractors, and others for use in U.S. warships, airplanes, missiles, and missile defense systems. Not only were these cheap fakes, but these chips potentially contained serious vulnerabilities that could have disabled, impaired, or stolen information from these important systems.”

For businesses in the IoT market, rushing Internet-accessible products to market sometimes trumps careful vetting of all components in the supply chain. As one expert notes in the Washington Post, this DNS attack should be a “wake up call” to suppliers who aren’t vigilant about the security of their components.

Whatever their focus, everyone in the security community agrees that while the number of devices used in this recent attack is unusual, it’s not going to be the last.

OPM’s Cyberattack and Lessons Learned

What does it say about government agencies if the office in charge of handling information for federal employees suffers a hack deep enough to compromise the private information of more than 4 million people?

That’s the question Congress, as well as the leadership of the Office of Personnel Management (OPM), grappled with in the wake of a data breach that reached back to 2012.

A report released Sept. 7 by the Republican-led House Oversight and Government Reform Committee took the OPM leadership to task for failing to adequately protect their systems. The report was based on a year-long investigation into the breach, according to Federal News Radio.

This being Washington, there’s some partisanship at play here, but ultimately the public discussion of the attack and how OPM plans to ensure this doesn’t happen again has lessons for businesses and leaders beyond the Beltway.

What Happened

From the report:

“In what appears to be a coordinated campaign to collect information on government employees, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals,” including fingerprint data from 5.6 million people.

On March 20, 2014, the first alert came — someone was pulling OPM data from deep inside the network, Krebs on Security explains. OPM leadership engaged in a monitoring strategy to learn more about the hacker. But, according to the report, this strategy assumed they had correctly identified the source of the problem. They hadn’t.

In May of that year, someone posing as an employee of an OPM contractor hired to do background research used legitimate credentials to log into the OPM system and install malware that opened a backdoor into the OPM network.

OPM found the first hacker, and thought they had mitigated the threat. But they didn’t find the second one until about a year later. Investigations show the first access may have come as early as 2012, according to the House committee.

By the time both threats were discovered, personnel records, including background investigations for security clearance and fingerprint data, had been swiped.

In just one example of the impact of this attack, the Central Intelligence Agency recalled officers from Beijing for fear the attack, tied back to the Chinese, might expose the identity of spies, according to the Washington Post.

Simple steps

A measure as simple as two-factor authentication could have mitigated the attack, the Congressional panel found, but OPM didn’t adopt that requirement for remote logins until 2015. And that was just one suggestion. The Congressional report also called for better vetting of agency personnel and the CIO.

In their original response to the breach, back in 2015, OPM leadership outlined the steps taken to ensure this doesn’t happen again. And therein lies a lesson for every business. The OPM laid out 23 steps that they are currently implementing.

Among the suggestions:

  • Enhance oversight of outside contractors, with detailed documentation for doing so.
  • Limit the number of privileged users and how long they can stay logged into the system, and track all of their system activity.
  • Hire a dedicated IT portfolio manager to handle all “security and performance requirements.”
  • Mandate cybersecurity training for every employee.
  • Centralize cybersecurity management in the CIO’s office.

While many of us may not draw the attention of foreign cyber-espionage hackers, the measures, and the warnings, are good practice for everyone worried about cybersecurity — which should be all of us.

Is Child Labor Lurking in Your Supply Chain?

Congress has recently banned the import of any products linked to child or forced labor with the passage of the Trade Facilitation and Trade Enforcement Act of 2015. Many countries do not have laws that protect workers from harsh working conditions the way the United States does, and when companies take advantage of this, it creates an unfair trade advantage. The U.S. Department of Labor maintains a list of countries that manufacture goods with child or forced labor. According to Kaitlyn McAvoy at SpendMatters:

The law amends previous legislation that allowed any product into the country regardless of how it was produced if it met the “consumptive demand” rule, which is when demand is high but supply is insufficient. The Tariff Act of 1930 allowed the Customs and Border Protection Agency [CBP] to seize imports of goods suspected to be produced by forced labor. However, according to the Associated Press, the agency last used that authority just 39 times due to consumptive demand. Section 910 of the new trade act closes that loophole.

Past Supply Chain Failures

There have been quite a few high profile manufacturers who have been found to have forced or child labor in their supply chain. Up until now, however, companies mostly faced bad press when it occurred, rather than tangible penalties. With the elimination of the “consumptive demand” rule, it is expected that CBP will enforce the law more vigilantly and pursue stiffer penalties for violations.

Famed candy maker Nestlé signed the Harkin-Engel protocol in 2001, committing to work to end child labor in its cocoa production supply chain. The voluntary agreement had little bite, and in 2005 a human rights attorney sued Nestlé, Cargill and Archer Daniels Midland for the use of forced child labor. A decade later, a report commissioned by Nestlé from the Fair Labor Association found continued use of child labor on farms used by Nestlé in the Ivory Coast. Additionally, the company has found that its suppliers in Thailand also use forced labor.

Apple, Microsoft and Samsung
Cobalt is mined with child labor in the Democratic Republic of Congo (DRC) and is a critical material in the manufacture of electronic components used in products made by Apple, Microsoft and Samsung. A recent Amnesty International report found that while these companies have policies in place that prohibit the use of child and forced labor, they are not fully aware of whether suppliers further down their supply chain are compliant.


Walmart and Wrangler
Probably one of the most well-known child labor issues relates to clothing production. In a CBS News investigation in 2013, following several tragic workplace disasters, facilities in Bangladesh that supply Walmart and Wrangler were found to have unsafe working conditions and child labor. Both companies worked to resolve the issue upon discovery and banned the supplier in question. However, the issue could recur, as factories may trade manufacturing orders among each other without notifying the end customer.

How Can You Protect Yourself?

Companies seeking to protect their critical information and avoid data breaches must be aware of the cybersecurity of all of their suppliers along their supply chain. The same will be true for companies who need to protect themselves from violations of the new trade law. Thorough supply chain mapping of both direct and indirect suppliers will be important to ensuring that companies are not unintentionally using a supplier that sells its manufacturing contract to the neighbor across the street who isn’t following the rules, or a supplier that isn’t really checking the age of the workers harvesting its cocoa.

Once upon a time ignorance could be used as an excuse, but in this day of information and 24/7 news coverage, taking the time and making the investment to do a little proactive investigation can save your company money and brand reputation in the long run.

Securing the Internet of Things (IoT)

We live in an increasingly connected world. More devices–in more ways than we could have imagined even a few years ago–connect to the Internet. Some 5.5 million new devices are expected to go online daily in 2016, 30 percent more than in 2015. These gadgets include not only smartphones, but fitness trackers, keyless door locks, urban traffic monitors, washing machines, and cars.

This growing internet connectivity also presents more opportunities for cybersecurity breaches. Just as our world moves online, so do the risks. A hacker in possession of a stranger’s personal smartphone could steal that one person’s bank information — and also commit industrial espionage if that small phone also links to a larger workplace network. One entry into a cloud server could snag information from thousands of consumers — or offices.

Workplace Security

Every office these days likely has at least one employee who wears a Fitbit or some other tracker that sends location and other information to a network. Even if you password protect your building network, your employees might use their passwords to log in via their personal smartphones. These are all machines that your business is neither protecting nor protecting its network from.

One recent study of IT professionals found that 73 percent of them expect to suffer a data breach tied to an employee’s connected device, and almost as many say the manufacturers of these devices don’t offer enough security protection. Does your company have a smartphone access policy? Do you know who is connecting? If you don’t, you could be opening yourself up to major security breaches. Your employees could also open up opportunities for theft of your proprietary information from their phones.

Some firms increase their vulnerability by having employees use personal phones for work, or by allowing work machines to become essentially the employee’s personal devices. This also blurs the lines about what information gets locked down, and what could unintentionally–or intentionally–come under cyberattack.

Even light bulbs may come into play. Home-based services link smart bulbs to phones and laptops for control–dim the lights for living room movie night. Or, in the case of an office, control all utilities for cost-effectiveness. Building security can go online instead of utilizing a traditional closed circuit system. Experts expect this workplace-based IoT market to grow rapidly this year.

Manufacturing firms have machines connected to the Internet that can signal staff about mechanical problems that could impact production. But how safe are the hardware and the software that connect those machines to a business network? Who are the installation techs who have access to your network but may not have undergone as stringent a background check as your employees? Risk comes from human, hardware and software elements.

“Last year, a hacker took control of the thermostats, lights, TVs and window blinds in all 250-plus rooms of a hotel in Shenzhen, China, after discovering a vulnerability in the hotel’s ‘butler’ mobile application that allows guests to control these settings with their smartphones and tablets,” as Dell’s Power More publication notes.

Whether a hacker breaches a server through a company-owned desktop or via an employee smartphone doesn’t matter — what matters is the stolen information. This is bad for business, and it could also be illegal. Businesses that don’t take precautions to lock down their networks and intellectual property could be vulnerable to legal action. Companies with overseas ties are also subject to strict laws that protect data from abroad, even if that information merely passes through a foreign server.

Banning IoT devices risks angering employees and, even worse, letting your business fall behind the times on technology. However, you can take steps to assess the risk your business faces from these devices, create company-wide usage policies, and educate everyone from the boardroom to the janitors, as well as outside vendors who might need access to your network.

This takes time and effort, of course. But better a little precaution now, rather than a multi-million dollar loss and lawsuits later.