Why businesses must be ready for lots more IoT devices [Q&A]
There are expected to be more than 70 billion connected devices by 2025, which means the opportunity for hackers to infiltrate connected devices, and to get onto networks, is going to get much larger.
So how can businesses prepare for this influx, train their staff and get ahead in order to protect their critical data from cybercriminals who are always keen to update their tactics and strategies? We spoke to Jonathan Langer, CEO of healthcare device security specialist Medigate, to find out.
BN: With the expected influx of new connected technology how prepared are businesses for securing their networks with all of these devices constantly connected to it?
JL: Because the explosive numbers aren't a state secret, we'd all like to think that business leaders are actively reviewing the scalability of their infrastructures. Not just in terms of managed capacity, but in terms of secure, managed capacity. There’s a genuine need for cross-industry security leadership to do a full stop and learn about recent advances in endpoint visibility, because visibility is an essential foundation. Not even the industry’s thought leaders subscribe to an updated, commonly held definition, so we’ve got a problem here. In my experience, even when advised about how the latest passive and active monitoring solutions have been 'synergized' to safely and effectively deliver detailed device profiles, security posture and utilization data, many still don’t trust such developments. Remarkably, some even see the data being captured as problematic, potentially creating more work for already beleaguered staff. Meanwhile, the market’s early adopters are discovering how these same data are enhancing existing workflows (people and systems) and revealing ways to intelligently scale. How such differences of opinion can persist over something as foundational as visibility is notable. We know that connected devices are not built with security in mind, and so we know that their interfaces are vulnerable. In order to address those vulnerabilities at appropriate scale, we need continuous visibility into the details that allow us to take immediate action. Without it, we’ll continue to spin our wheels.
BN: How can businesses stay ahead of cybercriminals and keep their networks protected in light of the new hacking methods and tactics to come with new technology?
JL: It's actually a matter of visibility, albeit based on the significantly expanded definition described above. Knowledge that a device exists -- or even its type -- is not nearly enough. What's required are detailed fingerprints/profiles of all connected devices, knowledge of their respective workflows, operational requirements and how they're being utilized. In other words, that's more than make, model, MAC and IP address. It means serial numbers, location histories, knowledge of embedded software, communication protocols and continuous firmware-level monitoring. Otherwise, how do you correlate a threat to your environment? How do you patch a vulnerability? When you think about visibility in these terms, you can understand why cross-industry, general-purpose solutions tend to fall short and/or why our firm is solely dedicated to healthcare.
In the same way, you can understand how foundational security measures, like network segmentation, are mired in never-ending deployment cycles, rather than being 'completed' and continuously improved. I raise the matter of network segmentation, as we're beginning to see advanced, granular instances being optimized in ways that will actually minimize the potential impact of a breach, per design. Bottom line, security professionals cannot build around a snapshot in time. They must build around capabilities that deliver a continuous, detailed and correlative view of internal capabilities, risks and external threats. As we’re seeing automation being successfully introduced in these areas, I have a positive outlook.
BN: How should organizations be training security staff to understand new security protocol for emerging technology?
JL: Cybersecurity is a team sport and health systems in particular have a short bench. Fortunately, however, risk reduction practice can be monetized, and that changes everything. It goes without saying that solutions that empower existing security staff and leverage installed systems and processes are needed. But what we’re discovering is that the missing data now being captured are fueling powerful new use cases in established workflows. These data are engaging non-traditional, cross-functional stakeholders by helping them make personally relevant operational improvements. For example, sourcing and procurement professionals have a natural interest in the utilization details being captured. HTM professionals are using these same data to reinvent preventive maintenance processes. There are many more examples. The point here is that these collaborations are furthering the cybersecurity interests of the enterprise and little to no training is required.
Cybersecurity program development cannot occur in an 'IT vacuum'. If multidisciplinary teams are engaged around a common, well-orchestrated data foundation, not only does training of existing staff become a more natural, intuitive exercise, but staffing gaps are more quickly and accurately identified. Budgets can be better rationalized, as finally, ROI-driven business cases can be used for justification.
BN: Are some sectors, healthcare for example, facing greater risks from IoT devices?
JL: Keeping in mind that 40 percent of the new devices will be in healthcare, the answer is yes, the stakes are higher. Not all connected devices are created equal and healthcare's connected device problem is not just uniquely challenging, but uniquely pressing. Healthcare providers of all sizes share a special urgency for a variety of industry-specific reasons, including the fact that it’s a patient-safety issue. And yes, the proliferation of Electronic Medical Records (EMRs) and the fact that Protected Health Information (PHI) is the most lucrative available target for bad actors are also important factors, as ransomware-like attacks can be devastating to a hospital. All of this has resulted in direct pressure from the FDA and indirect pressure from other bodies that continue to weigh in. It's already a matter of compliance with hefty fines being levied on a regular basis. No doubt, healthcare's IoT cybersecurity problem is at the top of a lot of minds, as the stakes are understood by everyone, including patients.
BN: Can we expect to see governments and regulators taking more steps to impose security standards?
JL: Absolutely. From a variety of perspectives, including consumer protection and/or patient-safety interests, governments and regulators are already engaged. But here's the rub: Regardless of how much ‘security pressure’ is applied to the device manufacturers, the liabilities will continue to fall on their customers and/or the third parties engaged to manage some or all of the associated responsibilities. Again, it's not that the manufacturers won't play a role in furthering security standards, as I believe they will, but they cannot be expected to assume responsibility for how their products are installed, networked, maintained, etc., especially given how increasingly distributed and networked are the operating frameworks. In healthcare, while I think the device manufacturers are going to work with various third parties to perform security checks and audits, I don't see them trading off innovation for security-based redesigns. Besides, we're going to be dealing with legacy equipment for at least another decade or more, and given the proliferation of medical device reprocessing programs, etc., the point I’m making is that while ‘standards’ as we tend to think about them can raise the table stakes for certain segments of bad actors, the pros will not be deterred. I don't think it's about keeping pace, as that’s a reactive posture. I think security infrastructures need to be built with an attitude that treats threats as proactively manageable 'givens'.