by TechTV Network
It’s hard to beat being able to tell your sound system to select and play a particular song, or order something online using just your voice, or have your refrigerator tell you when you’re running short of food, or have your office printer diagnose itself and demand service automatically from the vendor.
Features like this are driving the demand for smart offices, smart homes, smart appliances, smart buildings, and smart cities — all connected through the Internet of Things (IoT).
The IoT is the network of physical objects equipped with sensors, software and other technologies for exchanging data with other devices and systems over the Internet. These include embedded systems, wireless sensor networks, control systems, home and building automation systems, and smart home devices, as well as smartphones and smart speakers.
There were 7.6 billion active IoT devices worldwide at the end of 2019 and there will be 24.1 billion in 2030, according to digital transformation research firm Transforma Insights.
Connected Teddy Bears – Wait, What?
Surely spurred by the work-from-home necessities of 2020, people have connected a multitude of non-business devices to their corporate networks. Some are predictable and others might be surprising. Examples include teddy bears and other toys, sports equipment such as exercise machines, gaming devices and connected cars, according to global cybersecurity firm Palo Alto Networks’ 2020 IoT Security Report.
The increasing number and variety of devices hooked up to IoT networks is making it progressively more difficult to implement cybersecurity, because every device is a potential weak point.
For example, it’s possible to hack large numbers of connected cars to shut down cities by causing gridlock.
Smart buildings and even cities can be hacked to compromise automated systems that control HVAC systems, fire alarms and other critical infrastructure.
Digital intruders have reportedly accessed homes through smart thermostats to terrorize families by turning up the heat remotely and then speaking to the residents through the cameras connected to the Internet.
The effects of hacking will likely be most severe in the healthcare industry, where equipment failure or hijacking will endanger lives.
“Connected medical devices — from WiFi enabled infusion pumps to smart MRI machines — increase the attack surface of devices sharing information and create security concerns including privacy risks and potential violation of privacy regulations,” wrote Anastasios Arampatzis, an author for security vendor Tripwire.
Holding CEOs’ Feet to the Fire
So, who will be responsible for cybersecurity in an IoT network? The vendors of individual appliances or equipment? Whoever owns or runs the network? The company or organization using the IoT network?
Global research and advisory firm Gartner predicts that, by 2024, 75 percent of CEOs will be held personally responsible for attacks on what Gartner calls cyber-physical systems (CPSs).
Gartner defines CPSs as “systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.”
These systems “underpin all connected IT, operational technology (OT) and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure and clinical healthcare environments.”
OT consists of hardware and software that detects or causes a change in industrial equipment, assets, processes and events through direct monitoring and/or control.
In other words, 75 percent of CEOs could be held responsible for IoT security failures by 2024.
Why CEOs? Because regulators and governments will drastically increase the rules and regulations governing CPSs in response to an increase in serious incidents resulting from failure to secure CPSs, Gartner research VP Katell Thielemann wrote. “Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
Holding CEOs responsible “is a definite possibility and is consistent with the way that CEOs are held accountable for the accuracy and legitimacy of their financial attestations under the Sarbanes-Oxley Act of 2002,” Perry Carpenter, Chief Evangelist and Strategy Officer at security awareness training said.
The Sarbanes-Oxley Act was created to crack down on corporate fraud.
The National Association of Corporate Directors (NACD) “realizes that cybersecurity and, by extension, cyber-safety should be an issue that even rises to the level of the Board of Directors,” Carpenter said. “It has issued guidance for how to do so.”
Companies can buy cyber insurance, but cyber-insurance policies “are notorious for not paying out if the company does not meet a high bar of security excellence,” Carpenter remarked.
Further, “regulatory bodies won’t be in a hurry to offer easy outs for CEOs and companies who may be demonstrably negligent.”