Q&A: Managing risk arising from the ‘Internet of Things’
April 2015 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
FW moderates a discussion on managing fraud and bribery risks in the healthcare sector between Tim Best at EY, Cheryl Soderstrom at HP Enterprise Services, Stephen Mills at IBM, and David Navetta at Norton Rose Fulbright US LLP.
FW: What are the fundamental benefits purported by the ‘Internet of Things’ (IOT)? In your opinion, do these benefits outweigh the technological complexities, challenges and risks involved?
Soderstrom: Essentially, the IOT is about allowing everyday objects to connect virtually to create a deeper value, a deeper performance, of people, processes and machines. It has consumer, business and industrial implications, all with great potential value and equally great potential risk. Benefits include smarter homes and buildings, better health, power reduction, improved crisis management and sometimes even better public safety. Risks include misunderstood threats to privacy and physical security, unwanted, unwarranted surveillance, new attack vectors with major ripple effects, and data that never ‘shuts up’. As in most innovations, the IOT market is flooded with tools that purport to create benefits, most of which discount or ignore the associated risks, especially to personal privacy or even business liability. Like other risks, we must avoid, accept, mitigate or transfer risks, and with IOT ecosystems we see that people have very little insight into the risk they are carrying, and therefore ‘accepting’ by default.
Navetta: The IOT will inevitably see wide adoption, as consumers enjoy the increased insight and controllability within burgeoning industries like home automation and health monitoring. The interconnectivity of IOT will allow users to migrate monitoring and control over a vast body of devices encompassing nearly every aspect of their lives. Along the same lines, companies can utilise data on the users to improve product usability and reliability, and for marketing purposes. Companies will also use IOT for their own internal purposes to improve operations and enhance their efficiencies. Of course, like any disruptive technology there will be challenges, including data security and privacy concerns. Predicting the arc of IOT in terms of costs and benefits is difficult – no less difficult than one attempting to predict how the internet would evolve in the 1980s.
Best: There are numerous benefits, including convenience, access to real-time information, interoperability, seamless sharing of information, automation and cost savings over offline or traditional connection points. The challenges and risks arise from the huge attack surface as well as the current lack of consistent or aligned standards. The sheer complexity of the networks creates opportunities to exploit and makes it difficult to protect; a single device within the network is only as secure as the network in which it resides and interacts with. The IOT is a significant innovation that will reap innumerable benefits for businesses and consumers, so organisations are going to have to look at how they can make it safe.
Mills: Taking a specific example, in insurance the IOT could refer to a number of new innovative products. This includes smarter motor, home and health insurance policies. These new products are based upon wearables, mobiles or the IOT. Where are the benefits? The benefits of moving to smarter products are there for both the insurer and the consumer. For the insurer, they will be able to be clear on the risk that the insured party has and be able to manage that risk better, based on actual data rather than a risk segment. For the consumer they can have greater transparency on how their insurance premium is set and how they can reduce the premium, for example, through improved driving. However there are complexities involved. Introducing data driven products will require a change to how insurers collect, store and maintain data, but more importantly it will require a change to their business processes, such as how their policies are priced based on the actual data.
FW: Samsung’s chief executive, Boo Keun Yoon, recently warned that tech firms need to collaborate more if the IOT is to succeed. As the framework develops, what risks might surface if the process is not handled according to universally agreed principles and processes?
Navetta: As organisations race to market with respect to IOT, the emphasis may be on establishing market share or the dominant ‘killer app’ for the IOT. There are two risks, one business and one on the security and privacy side. From the business perspective the failure to agree on standards may undermine the interoperability of devices connected to the broader network and to other devices. We have seen this story with practically every major consumer-related technological advance, going back to VHS vs. Betamax. That said, the market typically picks its winners and those winners normally provide uniformity and consistency between the various components of the ecosystem. It just takes more time for this to happen. On the security and privacy side, players rushing to market, especially start-ups without significant pools of resources, may not bake privacy and security into their offerings. Without a common set of principles or standards for security and privacy, IOT players may be sailing without a rudder. In fact, the US Federal Trade Commission recently issued an IOT report advocating privacy-by-design and partnering with third-party vendors to incorporate universal security best practices. Failing to get in front of the security risks could result in data breaches, product liability lawsuits and regulatory investigations, as well as unhappy customers, or worse, customers hesitant to adopt IOT because of privacy and security fears.
Mills: I think Boo Keun has a very valid point – there is a real risk that innovation continues at a pace and standards and approaches aren’t considered until it is too late. Taking telematics as an example, there are currently no data standards between insurers. This means that some insurers can get a competitive advantage by being more innovative with data. However, it also has a downside for the consumer who may want to switch insurer at the end of the policy term but the new insurer may not support the box in their car or they cannot get the data record from their previous insurer. For products such as telematics to go mainstream, issues such as data standards must be resolved, however not to the extent that they suffocate the innovation that we are currently seeing in the market. There is a fine line between new ‘open’ architectures and overregulated and lock-down solutions.
Best: The lack of standards will mean that cyber security is addressed on a case-by-case basis and hard coded into the end-point device. This is expensive for the manufacturers as it forces minimal reuse. A holistic approach covering people, process and technology should be applied to solving the cyber risks of IOT.
Soderstrom: Trust is the primary concern within the IOT. If all devices natively trust each other, and consequently share data, then how can we know when a device is lying? Of course, there is value to society for certain sets of connected devices to create fluid and meaningful experiences. But without a capability by which trust can be established, and even configured, we are yielding control to the unknown. As an industry, we need to come to terms with professional and ethical shared control of this IOT. To get the IOT literally to ‘work right’ requires agreements on a universal open-source model for connected devices that addresses the proprietary endpoint wireless infrastructures of today, with open standards for interface protocols, software, firmware, systems on chips, and hardware – including security standards. This will give rise to an open programming community employing useful development tool chains and software objects. The end goal is real-time mechanisms to easily control or configure ‘IOT experiences’ at risk levels appropriate to the user and circumstances.
FW: What long-term legal and regulatory risks might arise in connection with the IOT? Is there a chance companies could embrace these technological advancements without properly considering the potential legal risks for their business?
Best: Some key legal risks would arise in the area of privacy. Specifically, privacy concerns related to ensuring that the use of any consumer information captured across the IOT is solely in line with the purpose and definitions of agreed use when it was initially collected.
Soderstrom: Rather than manufacturer or service provider control, regulation may actually be more beneficial for community control and the policing of IOT ecosystems. Regulation will help to enforce security standards and protections across the sector. Our recent security research on the 10 most common IOT device types, or services, found that 90 percent of providers collected at least some personal information and 70 percent of providers used unencrypted communications services. This equates to provider-supplied negligence free with the service. Another emerging concern from a legal perspective is the privacy breach potential of brontobytes of data that will be collected, aggregated, transmitted, stored and analysed. Even with strong security standards and controls, however, cyber security defences fail, and in the IOT these failures could compromise public safety and privacy. As devices and services become more ‘joined up’ any consequential liability will include third party – or nth party – implications.
Mills: There is massive risk to privacy and security if connected devices aren’t managed or secured appropriately. Gartner predicted that 4.9 billion ‘connected things’ will be in use this year, a 30 percent rise on 2014. However, we should embrace the fact that we now live in a connected world that enhances our experiences and allows us to be up to date on pretty much anything we need to be. These connected devices all leave an exhaust trail of data, whether it be location, application usage, browser history, driving style or home temperature preference. It is important that this level of innovation continues. However, the producers of the devices and providers of the applications should ensure they are on top of the privacy and security aspects of these devices. Financial services organisations that are looking at new smartwatch applications or smarter home products, which are highly regulated industries, know what they can and cannot do with consumer data. They are already considering security and privacy as part of product development. There has been concern among consumers for a while in the telematics space around the usage of the data that gets generated by devices or applications. People need to be reassured that organisations aren’t going to re-sell that data to other organisations for marketing purposes. But consumers are also concerned that the data could get passed onto the police for retrospective action against speeding offences, for example.
Navetta: We have already started to see the legal ramifications of large, interconnected platforms of devices. For example, the FTC pursued IP camera company TRENDnet when it was discovered that hackers could take advantage of security flaws to control hundreds of private camera feeds. Likewise, security experts have demonstrated the product liability risks of connecting health devices like insulin pumps and pacemakers when an expert took control and modified dosage delivery of those devices. Indeed, in another demonstration, security experts hacked into a new automobile to disable its brakes in transit. With third-party apps being able to monitor and control IOT devices, security holes are likely to follow, especially where security patches issued by the manufacturer are not immediately incorporated by the third-party app. In addition, IOT technologies may become snared in a number of regulatory situations, such as HIPAA where medical information is lost over IOT platforms, EEOC where employees are discriminated against based on health data relayed to the employer, and COPPA where child information is inadvertently published by IOT devices.
FW: The greater connectivity proposed by the IOT is likely to bring greater risks for companies, including an increased threat of cyber attacks and the possibility of physical damage from compromised objects. How extensive and robust do IT systems and controls need to be to meet security concerns?
Soderstrom: The IT systems and controls will be expected to do two things. First, they must allow configuration to regulate the domain of trust for any ‘thing’ or string of things. Second, they must be ‘ruggedised’ to thwart or mitigate direct cyber and physical manipulation or destruction. To do this, IOT devices must have supplier-based upgrade paths, which provide updates and patches to fix vulnerabilities and defend against exploits in a timely manner. But let’s not forget that the real IOT is a ‘system’ made up of vast numbers of people, choices, forking service streams, linking and unlinking of objects, and ever-changing technology. So the robustness we require is more complex and harder to accomplish than what we’re used to from a governance perspective. As we aggregate objects, sensors, devices, data and networks, we are also aggregating adversaries that will specialise in new forms of attacks, and work collaboratively against us.
Best: Organisations need to address cyber security concerns by securing the network in which the IOT resides. The starting point should be an IOT cyber maturity assessment covering people, process and technology and not focused solely on securing the end-point technology. An IOT device should be given an identity and treated like an individual within an organisation in terms of authentication and authorisation. Networks should be monitored for suspicious activity and the organisation should have robust incident response capabilities.
Navetta: The FTC recommends a number of security best practices. Companies should implement established security access controls into the consumer device, build in redundancy with multiple layers of authentication protocols, and plan recognised software support expiration dates into the device. They should also minimise the data acquired and retained, de-identify large data sets to mitigate privacy violations in the event of a breach, and give consumers notice of acquired data, and a choice to opt-out where practical. Companies should strive to implement appropriate security measures taking into account the specific vulnerabilities and risk posed by IOT, or a particular application of IOT.
FW: What particular challenges are posed by the Bring Your Own Device (BYOD) trend? How should companies manage this issue with some appreciation for future trends?
Mills: BYOD is another opportunity for a win-win for organisations and consumers. For example, it may be possible to bring your own laptop to work as long as staff comply with certain standards for security and data, so that confidential information is not placed at risk should the laptop be lost or stolen. This means that consumers can have the choice of device rather than being restricted by device. However, it also means that consumers may need to pay for the device, which can prove to be expensive – but there is the choice. For organisations, it can be a double-edged sword. They benefit from lower costs for hardware but they need to be able to manage a variety of devices and ensure that the right security and data controls are in place. If you look at mobile platforms, you could, for example, have a mobile device management platform that is agnostic of device and ensure that it maintains the right profiles and applications on the mobile or tablet devices.
Soderstrom: Like other kinds of security, a BYOD policy becomes a risk management game at the device, data and software levels. The real issue with BYOD is the employee’s versus the company’s inherent ‘ownership’ of the platform. Immediately, privacy concerns come into play. Both the employee and company must now respect the other’s rights. Both can contribute connections, applications and data, but the owner retains the right to privacy on all they contribute outside the corporate context. In old corporate-supplied form factors – laptops and desktops – companies often had a ‘limited use’ policy such that employees could use them for certain personal reasons, like sending an email. Those clauses are now being revoked for one major purpose: legal discovery. Companies don’t want to have to finesse ‘search and seizure’ legalities. By definition, BYOD exacerbates this problem.
Navetta: With BYOD, and soon in the future with respect to IOT, organisations leverage personal devices owned by their employees. BYOD raises security concerns because the edge of the organisation’s network has been extended beyond its internal network. Moreover, companies will often lack full control over an employee’s device, and may be reliant on the employee to secure their own device. Privacy is also an issue to the extent that company data and personal information are commingled on a personal device. To the extent an organisation is monitoring the usage of a particular device or needs to access data on the device, very personal information may be exposed. Finally, BYOD poses challenges related to investigations and data control. For example, without control or ownership of a device an organisation may not be able to conduct a proper investigation in the wake of a security breach involving the personal device. Moreover, especially in cases where the employee may be at fault or under investigation, employees may not be willing to even provide their devices to their employers.
Best: BYOD should be embraced, but users should be forced to use an approved ‘container’ for company email and documents and not be permitted to use personal services for company use.
FW: How will the adoption of cloud computing and big data analytics assist in the development of IOT technology, and in managing the related risks?
Best: The cloud will allow for the sharing and backup of information between different IOT devices, and would need to be encrypted and held securely. Big data analytics will help organisations extract value from the data collected from IOT networks.
Navetta: Roughly 90 percent of all data stored has been produced in the last two years. IOT promises an exponential explosion in data acquisition and retention. Data aggregators and brokers face a new host of issues, and indeed they have already been put on notice by the FTC for violating the Fair Credit Reporting Act after failing to implement reasonable procedures to screen prospective subscribers to their data repositories. Cloud computing offers security benefits, and also risks. It allows IOT devices to push private information logs off a low-security device to a higher-security cloud. At the same time, however, as hundreds of devices begin communicating with clouds, data transmitted presents attractive targets for hackers.
Mills: Here you have a collision of three disruptive forces – big data, IOT and cloud. The challenge for organisations is how to harness them all but at the right cost point. We expect that we will continue to see organisations adopting a cloud approach to big data in order to store the increased volume of data. A cloud based big data environment will also provide organisations with the flexibility to test and trial data analysis, maybe to support product pricing or brand analysis without the large capital expenditure we have seen in the past. The cloud and big data can join together to assist organisations in storing and analysing this data. Organisations are provided with a platform to take data from connected devices or a social media feed and analyse the data without having to invest in a new platform to do so. Whilst all three markets continue to mature at pace, we think we will see the trend of cloud based analytical solutions becoming more commonplace in the next year or two as organisations become more comfortable with cloud based solutions.
Soderstrom: The cloud computing marketplace will converge on standards and industry certifications for cloud risk assessments. Similar to the US government’s Federal Risk and Authorisation Management Program (FedRAMP), the private sector needs a “standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services”. External certifications will provide potential customers with a baseline understanding of the cloud provider’s security posture and continuous monitoring practices. In the IOT ecosystem of ecosystems, large-scale analytics will yield insights and trends regarding IOT operations, from ecosystems down to devices. Such data-driven analytics will provide trend analysis and even alerting on risks being introduced into ‘the system’ in a way that could produce near real-time operational adjustments. Open standards and international partnerships will develop around IOT privacy and security, as well as IOT software and device health. Massive scale analytics will also provide insights into new markets, business models and services to deliver against as yet unseen, unmet market opportunities.
FW: What developments do you expect to see within IOT technology over the coming years? What steps should companies take to prepare for these eventualities?
Navetta: Many of the developments at the doorstep of IOT have already occurred in the home automation industry, which has been in veritable beta testing for over a decade. Expect to see a number of IOT platforms emerge that allow for greater interoperability and communication between disparate ‘things’. These platforms will establish protocols for communication and control of IOT devices, and will likely handle authentication as well. They will also support third-party plug-ins, which can lead to backwards compatibility security holes. Manufacturers will likely experience product longevity heartburn as they try to marry electronics historically having a 3-4 year working life with home and car products expected to last 10-20 years. Companies entering the IOT space may want to look at lessons learned at the dawn of networking, the beginning of interconnected computer applications, and the explosion of mobile computing.
Soderstrom: Non-‘smart’ devices will be retired slowly, with an interim phase of adding ‘smarts’ to existing devices, even as underlying infrastructure and cost structures will adapt to the vast numbers and diversity of devices. Industry still has to address three big security concerns. The first is inheritance of vulnerabilities when many connections are formed. The second is identity authentication and authorisation in a heterogeneous world with tens of billions of devices sharing access and data. The third is super-low power systems on chips that lack capacity to encrypt. From the personal perspective, there will be a market for individual Supervisory Control And Data Acquisition (SCADA) systems to help us control the noise of the IOT in a way that suits our sometimes extroverted, sometimes introverted lives. Personal privacy and choice are being buried under IOT ubiquity and complexity, and industry, governments and individuals must all play a role in proactive protection of privacy. It’s still true: loose lips sink ships.
Best: Interoperability and standardisation will come to the fore and the IOT will expand to become pervasive. Organisations will therefore need to think about the questions that the data from IOT networks will be able to answer and then initiate IOT programs to gain maximum benefit.
Mills: Organisations, including technology firms, are only just scratching the surface when it comes to innovation and connected devices. With cloud, big data analytics and the devices becoming more mainstream we will likely see a large number of new device-based products being released over the next two to three years, as well as organisations competing for consumers’ business. That said, we are already seeing banks such as Nationwide produce smartwatch applications and car manufacturers such as Peugeot developing connected car capabilities. We also expect to see insurers bring out health-related products based on wearables and mobile devices. In order to be ready to roll out these IOT-based products there are a few things that organisations need to consider. Firstly, they must prepare their vision – what does IOT mean for them? What new products would they be able to launch? What are the costs and benefits of these new products? Firms must also create a strategy and roadmap for approaching these new products. What would the operating model need to look like? What new skills and people would they need to deliver these changes? Finally, what changes would be needed to the existing architecture to adopt these new sources of data? Do they have the tools and technologies in the organisation already? What changes to security and privacy need to be considered?
Tim Best is a director in EY’s EMEIA Advisory Centre, Cyber Security Centre of Excellence (CoE). He has over 15 years of experience in IT and Information Security consulting and project delivery. Mr Best has worked with clients across the EMEIA region in the private and public sectors in a wide range of information security roles. His areas of focus are security operations, cyber security and the connected car, and identity and access management. He can be contacted on +44 (0)20 795 15271 or by email: tbest@uk.ey.com.
Cheryl Soderstrom is the Americas cyber security chief technologist for HP Enterprise Services. In this capacity she is focused on bringing the larger HP cyber security value proposition to industry leaders and key clients, correlating the threat landscape and vulnerabilities in cyberspace and leveraging HP’s deep insights gained from securing global operations in more than 170 countries. She can be contacted on +1 (703) 742 1312 or by email: cheryl.soderstrom@hp.com.
Stephen Mills is an associate partner within the IBM Analytics Consulting business, focused upon insurance. Mr Mills has worked in the data arena for nearly 20 years, working with clients on data-related initiatives from strategy to adopting Big Data. IBM is a globally integrated enterprise operating in over 170 countries. IBM works with a diverse client base to help solve some of their toughest business challenges with innovative solutions that use its consulting, research and software capabilities. He can be contacted on +44 (0)7966 265 804 or by email: stephen.mills@uk.ibm.com.
David Navetta is a US co-chair of Norton Rose Fulbright’s data protection, privacy and access to information practice group. Mr Navetta focuses on technology, privacy, information security and intellectual property law. His work ranges from compliance and transactional work to breach notification, regulatory response and litigation. He currently serves on the approved panel for numerous cyber insurance carriers and companies, and has helped dozens of companies across multiple industries respond to data security breaches. He can be contacted on +1 (303) 801 2732 or by email: david.navetta@nortonrosefulbright.com.
© Financier Worldwide