This is the first in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.
Nobody wants to be in the headlines for this.
Preparing the workforce of a traditional product manufacturer that is connecting its products to the Internet for the first time is fundamentally different from securing IT environments and data. It starts with instilling in employees an awareness of the importance and impact of information security, and of why it is especially critical to companies that make or sell connected consumer products. Every connected device increases the potential for a privacy or security problem, from attackers stealing personally identifiable information to the collection and misuse of private data. And although consumers may say they are concerned about risks to their data and security, few are willing to take any active responsibility for securing their own connected devices. That responsibility therefore falls to the brands associated with the product, which means retailers as well as manufacturers. And it all starts with the employees at those companies: the procedures they follow and the policies they adhere to.
The good news is that companies can find a growing body of established industry standards and great resources to help with developing policies and procedures. These include: the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” the Department of Homeland Security (DHS) “Strategic Principles for Securing the Internet of Things,” and the Cloud Security Alliance (CSA), an organization that is a great source of information, standards, best practices and education for security assurance within Cloud Computing. Here are just a few of the best practices we have amassed in our HR processes and training at Arrayent:
- Develop and document employee policies and procedures that PROVE support for your business processes and technology solutions. What are your organization’s policies for information asset management (e.g. data, devices, systems, facilities) and their security? How about for company-owned or managed end-point devices (e.g. desktop and laptop computers, and mobile devices) and for the network and systems components of your IT infrastructure? What are your company policies for the use of employees’ personal mobile devices and of third-party applications that may have access to corporate resources? If you were going through a security audit conducted by an outside firm, could you prove that all of these policies and procedures were in place? Would your employees pass an audit? Working with your CSO, CIO or CISO, or by tasking your Chief Architect, Director of Operations and VP of Engineering, your organization should establish a set of principles and practices that all employees are aware of, have been trained on, and could demonstrate compliance with.
Stolen data is the new gold rush and no corner of business seems to be immune.
- Recognize that EVERYONE in your organization plays a role and has responsibilities in keeping information secure.
Your organization should have user access policies and procedures in place that ensure appropriate identity, entitlement, and access management for all employees, from the CEO to the janitor. All personnel should be aware of their roles and responsibilities for maintaining a safe and secure workplace for people, data, and access to information systems. Further, your employee and contractor agreements should stipulate the established information governance and security policies, and those policies should be enforced consistently across the organization. This change is cultural and can be difficult to inculcate within an organization. It helps to have the message reinforced by the company CEO and to tie its importance to keeping consumer information safe and the company’s name out of the headlines.
- Conduct onboarding and initial information security training BEFORE allowing employees access to your systems. Before giving employees access to any corporate facilities, equipment, or other assets, you must provide security awareness training that impresses upon them the importance of security as a company cultural norm. Train employees to be aware of their roles and responsibilities in maintaining a safe and secure data environment, alongside their other HR training. The training should start with their physical work environment (e.g. building access, unattended workspaces, etc.) and should cover all access controls: passwords and other authentication, encryption, data backup, BYOD equipment usage, and all data asset management infrastructure and policies. Security awareness training should also be mandatory for all contractors and third-party users who have access to your company systems and data, scoped appropriately to their job function with your company.
Only a few years ago, these companies were front page news.
- Commit to and INVEST in regular updates on security procedures, processes and policies.
What ‘regular’ means, and how often updates happen, is for you to decide based on your organization and the job levels involved. Because the IoT landscape and cybersecurity threats are dynamic, this requires focus and vigilance. We have found with our engineering teams that twice-yearly awareness training is particularly helpful in keeping security top of mind. During our sessions, we also aim to tackle particular topics and conduct exercises around them.
One example is a workshop we conducted on phishing attacks. As a post-workshop test, we sent emails that looked as though they came from real employee email addresses and contained links to a phishing scam. For this we used a third-party phishing assessment tool from Duo Security (duosecurity.com), which reported just how many employees, and how far each of them, went during this ‘safe’ phishing test before they got wise to the scam. The tool tracked whether each recipient clicked the link, entered a user name and password, and so on. Afterwards, another all-hands training was held to discuss the results.
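To show what such a tool is measuring behind the scenes, here is an added example (written for this page, not Duo Security’s or Arrayent’s code) of the attribution logic in a phishing simulation: each recipient gets a random tracking token in the link, the landing page logs GET (clicked) and POST (submitted credentials) requests, and a report maps every employee to the furthest stage they reached. The recipient list, tokens and access-log lines are constructed for the example; the simulated login page is assumed to discard whatever password is typed and record only that a submission happened.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed recipient list: tracking token -> employee. Tokens are random
# per recipient so a hit can be attributed without exposing the address in
# the URL (and without a recipient being able to guess anyone else's link).
RECIPIENTS: Dict[str, str] = {
    "k3fq9z": "alice@example.com",
    "p0x7ma": "bob@example.com",
    "w8tn2d": "carol@example.com",
    "d4hs6r": "dave@example.com",
}

# Constructed access-log lines (Combined Log Format) from the server hosting
# the simulated login page. A POST means credentials were submitted; the page
# itself is assumed to drop the password and log only the event.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2017:09:14:02 +0000] "GET /login?t=k3fq9z HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2017:09:14:40 +0000] "POST /login?t=k3fq9z HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2017:09:20:11 +0000] "GET /login?t=p0x7ma HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2017:09:21:03 +0000] "GET /login?t=p0x7ma HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2017:09:33:50 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2017:09:35:12 +0000] "GET /login?t=zzzzzz HTTP/1.1" 200 1842 "-" "curl/7.52"
"""

# Funnel stages in order; every recipient starts at "delivered".
STAGES = ("delivered", "clicked", "submitted")

LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TOKEN_RE = re.compile(r"[?&]t=(?P<token>[A-Za-z0-9]+)")


def parse_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (token, method) for each landing-page request carrying a known token."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith("/login"):
            continue
        t = TOKEN_RE.search(m.group("path"))
        if not t or t.group("token") not in RECIPIENTS:
            # Unknown tokens (scanners, typos, link previewers) are not
            # attributed to anyone; they would otherwise inflate the numbers.
            continue
        hits.append((t.group("token"), m.group("method")))
    return hits


def funnel(log_text: str) -> Dict[str, str]:
    """Map each recipient to the furthest stage reached: delivered, clicked or submitted."""
    furthest = {email: "delivered" for email in RECIPIENTS.values()}
    for token, method in parse_hits(log_text):
        email = RECIPIENTS[token]
        stage = "submitted" if method == "POST" else "clicked"
        if STAGES.index(stage) > STAGES.index(furthest[email]):
            furthest[email] = stage
    return furthest


def summary(log_text: str) -> Dict[str, int]:
    """Headline numbers for the all-hands debrief; 'clicked' includes submitters."""
    per_user = funnel(log_text)
    counts = Counter(per_user.values())
    return {
        "delivered": len(per_user),
        "clicked": counts["clicked"] + counts["submitted"],
        "submitted": counts["submitted"],
    }


if __name__ == "__main__":
    for email, stage in sorted(funnel(SAMPLE_LOG).items()):
        print(f"{email:22s} {stage}")
    print(summary(SAMPLE_LOG))
```

On the constructed log, one recipient submitted credentials, one clicked without submitting, two never clicked, and the request with an unknown token is ignored. In a real run, the per-user table is what drives the follow-up conversation; the summary counts are what go on the slide.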
Another example was a workshop we conducted about ransomware, quite timely given this week’s news of the global WannaCry ransomware attacks that hit over 230,000 Windows PCs in 150 countries. One caveat worth making in such a session: WannaCry spread as a worm by exploiting unpatched Windows SMB servers (the vulnerability addressed by Microsoft’s MS17-010 update), so awareness training complements, rather than replaces, prompt patching and tested backups. Bolstering employee skills around security concerns helps your company, your customers, and the skillsets of the employees themselves.
As we’ve noted in previous writings on the topic of security, many consumer product companies—particularly those operating outside of the tech sector—will have skillset gaps when it comes to areas like security, big data, and network infrastructure. That’s why they rely on a trusted and proven partner like Arrayent to help them get their connected product strategy, deployments, and ongoing management right. To learn more about how to best evaluate platform providers for IoT security with connected consumer products, contact us for a chat.
Stay tuned for the next installment in this series coming next Thursday.