“By failing to prepare, you are preparing to fail.”
Preventing a cyberattack is more cost-effective than reacting to one. For example, it costs less to implement cybersecurity solutions up front than to forgo security and end up paying a hefty ransom. Therefore, it is helpful to think of cybersecurity not as a cost, but rather as an investment that helps you avoid the larger cost of a cyberattack and the baggage that comes with it, like the toll on your organization’s reputation.
IoT is more than just a device connected to the internet; it includes the whole data supply chain, from the device collecting data, to the wireless network used to transfer it, to the back-end infrastructure that will analyze/process it, to the data itself and the app that you use to control or view the data from the device.
Cyberattacks are a very real, mainstream threat today that cannot be ignored; no organization, no matter its size or area of business, is safe from an attack that could potentially take the whole organization down. There are many different types of attacks with varying degrees of specificity, but we can generally summarize them as follows:
The first type of attack is the well-known ransomware, where an attacker manages to get into a computer, installs malicious software that encrypts all data, and then demands a ransom, usually payable using untraceable methods, such as cryptocurrencies like Bitcoin. The user then has no other choice than to pay the ransom, hoping the attacker will honor the agreement and release the decryption key so they can decrypt and recover all their data.
The second kind of attack is the well-known phishing attack, where millions of emails or SMS messages are sent randomly, and only a small percentage of recipients need to be willing (or careless enough) to click on a link for the attack to start successfully. These emails are not the typical spam most people are able to recognize or be suspicious of, but well-fabricated emails that look like they have been sent from a legitimate entity, like a cloud service provider. The user is then fooled into providing their data – usually credentials or a credit card number – which ends up directly in the hands of a malicious party, to be used later to commit criminal acts like stealing personal data, fraud, and more.
Finally, building on the success of the two previous scams, which occur indiscriminately, the third type of attack is data exfiltration, where malicious actors develop a plan to target your specific organization. This is performed by hackers with a high level of expertise in IT and cybersecurity; this expertise allows them to perform preliminary investigations, such as social engineering or looking for IT infrastructure weaknesses, which help them find a point of entry to penetrate the infrastructure, silently deploy malware, and perform data exfiltration without the affected party realizing it until it is too late.
At the heart of the IoT ecosystem is the connectivity of devices – those devices being able to connect to the internet and have a path to deliver their payload. There are three general network architectures used to connect IoT devices: point-to-point, mesh network, or star network, depending on the technology used to connect them. There are dozens of protocols available to connect IoT devices. However, only a handful of them have reached the critical mass that gives them more widespread acceptance (e.g., Bluetooth, NFC/RFID, etc.).
In our forthcoming “Demystifying Technology” blog posts, we will discuss different IoT use cases and scenarios to help us better understand how we can deploy a robust and secure IoT ecosystem ensuring access to data when needed.
The impact on affected organizations will depend on factors like the number of endpoints affected (1 vs. 1,000), the data they store (especially on back-end systems), and the type of attack (data encrypted vs. exfiltrated, credentials stolen).
The primary cost is not monetary per se but might be one of the highest prices to pay: the reputational cost. While some organizations might be able to recover from an attack by keeping it silent in the media and/or using the trick of rebranding their name and products, some other organizations might never recover from such an attack. For example, if a well-known antivirus company is affected, who would then trust them to secure their organization, considering they don’t seem to be able to keep their own organization safe?
Second, affected organizations pay the price of data exposure, for example, when data was exfiltrated by a malicious party. For internal data, especially when talking about Intellectual Property (IP), the impact on the organization could be dramatic, as it could be taken advantage of by crooked competitors. Moreover, if the organization handles third-party data, such as data belonging to partners or customers, it could be even worse, as the organization could be held liable for that loss in the eyes of the law. Think about organizations like banks and healthcare companies, handling tons of very sensitive, personal information.
The third cost that organizations affected by a data breach face is the direct impact that data recovery will have on finances. Large corporations hit by a ransomware attack ended up paying millions of dollars in ransom, on top of the cost of investigating, identifying, and remediating the data breach.
Lastly, the cost of a long service downtime (hours, days, weeks) will translate into productivity downtime, as employees won’t be able to perform their duties, and this has a direct impact on the organization’s sales and finances. Not only might you have to pay a ransom, but on top of that, you are losing money from lost sales and everything else service downtime entails.
The first course of action in bolstering your security posture is to perform a full assessment of the organization’s current infrastructure, not only from a technical perspective, but from a business perspective as well. This means surveying where the employees work from (office, home, both), which services are business critical, and what security measures are already in place. In summary, get a picture of the current security posture to better identify the areas that need to be addressed. Every organization is different and has different security needs, so it is recommended to hire an external, certified cybersecurity consultant to get a better, objective understanding of the current state.
Your security posture should be dictated by the combination of the needs of the organization and the needs of its end users, tempered with the support of the management team by way of funding. Your overall security is a team effort across the entire organization. Your end users must be diligent with their security practices, your HR team should provide annual cybersecurity training, the ops team’s SOP should include cybersecurity practices, and the management team must recognize cyberattacks as a threat and support the needs of the organization. Often, the cost of implementing a security program pales in comparison to the reputational damage, exposure to liability, and lost revenue.
It’s always a good idea to periodically reassess your critical infrastructure and see where you can improve and strengthen your security. First and foremost, by ensuring your employees are trained and prepared to respond to and recover from an intrusion, you stand the best chance of keeping your infrastructure safe and sound.
For more comprehensive information about improving security posture, please review our two-part blog post about the “Security Maturity Model” (part 1 and part 2) as well as our recent post regarding cybersecurity products. Please feel free to contact the team at ISEC7 with any questions, and we can provide an objective assessment of what can address the needs of your organization and/or risk mitigation needed to enhance your current solution.
Find out more regarding ISEC7’s Services and Solutions.