Blindsided by the IoT
But according to Dr. James Burrell, deputy assistant director at the FBI, they are indeed still emerging. Burrell told an audience at the Federal Reserve Bank of Boston’s 2016 Cybersecurity Conference that, “what really matters is the rate of adoption and the rate of adaption within organizations. That impacts the risk calculus.”
And he said while everybody is very much aware of the IoT, they are likely not ready, at the adoption or adaption level, for the Internet of Everything (IoE).
Burrell, one of seven speakers at the one-day event, added that this is not just coming from a government official. He cited John Chambers, former CEO of Cisco, who has said the IoE, “will be more impactful in the next five to 10 years than the entire Internet has been to date.”
[ ALSO ON CSO: IoT dangers are real and widespread ]
Technology brings opportunities with it, of course, he said, but the “amazing rate” of advancement in online technology makes it difficult for organizations, “to align the risks and opportunities of technology.”
To do so, he said, will require, “a paradigm shift in thinking.” And that shift has a long way to go to reach critical mass.
The world of designing apps and software technology is, “almost like 20 years ago, with people doing it in their basements and garages,” he said.
“And security is not their No. 1 concern – the demands of consumers is. You can say you won’t buy what they’re making, but your employees and your customers are. You’re going to be forced to deal with it.”
Burrell said when smartphones and BYOD became common a decade ago, businesses were quick to see the opportunities it offered, “but they didn’t understand the security of the technology. And that’s nothing compared to what the IoT is going to do to you if you’re not prepared.”
The billions of devices that make up the IoT – expected to reach 21 billion or more within the next four years, “are not standardized, like mobile devices,” he said. “And the issue is not that somebody knows the temperature of your (smart) refrigerator. It’s that it is a vector – a way to get into your network.”
And he said the price of tools for cyber criminals keeps getting cheaper. “They can get open-source software to override your door locks for zero – nothing,” he said.
The cloud is equally transformative and risky. “I have to convince everyone that the cloud is not just a way to do things faster,” he said. “It’s a game changer. You’ll be able to do things you’ve never been able to do before, but unauthorized cloud use by employees, especially in the storage arena, is a huge risk to your organization.”
Added to that is a lack of fundamental security awareness, even at the IT level, within organizations. He referred to one, unnamed, large company that he said, “had all the best tools, but had them on default configurations, so they got breached.”
Burrell offered a number of recommendations to keep current with risk management. One is to keep current with academic research. “There are thousands of articles,” he said. “It’s worth having one of your people look at the research for finding risk.
Another is to use NICE (National Initiative for Cybersecurity Education) framework for things like improving attack detection in cloud.
Yet another is to use his agency – the FBI – for malware analysis. “We have an auto-analysis and repository system, which can get you a response in two minutes,” he said. “We get trending data that goes on our classified side.
“If you use us, you might not have to hire forensics people, which could cost you $60,000 or more,” he said.
The key, he said, is to try to maintain some control over hardware and software, and then vet the apps used on it. “That’s the way to a more secure environment,” he said.