Product and gadget creators get in a tight spot when IoT (the Internet of Things) security takes a back seat. It sounds harmless: “Let’s get to market, then release security updates.” Trading security for market share seems like a matter of course. Until someone uses that security gap to shut down a power plant.
Security by design is more of a concept than a reality. – Chris Apgar, CISSP
So take a step back and prepare. Because even if you can’t prevent IoT attacks – and you can’t stop them all – you can be prepared. Not being prepared is indefensible. A few critical steps:
- Have your go-to vendors’ contact information readily at hand in case of an attack. That information should be part of your security incident response plan.
- Test – before the attack – your security incident response, disaster recovery and business continuity plans. Make corrections and test again.
- Train your security incident response team on what to do when an attack happens. Repeat the training regularly.
- Make it difficult for hackers: encrypt data on mobile devices, on portable media and in the EHR.
A quick, effective response to an IoT attack can mitigate damage. But it takes preparation, aka sound risk management: training, sharing information with critical staff, and taking security incident response seriously. As I stated in a recent article about IoT attacks, “A risk management program is neither a one-time event nor static. Risks are constantly changing as new attack methods are being developed.”
One more point: spread the training love. Training is too often overlooked. Talk about the clicks that can bring down an organization in moments, like phishing. And try for something beyond the same old PowerPoint: use scenario-based training, and look at all the ways everyday actions can halt business in its tracks. Otherwise people tune out.
If you’re not sure where to start, the guidance from the Department of Homeland Security (DHS) and the recommendations from the National Institute of Standards and Technology (NIST) are very helpful for figuring out the risks that can come with implementing IoT devices. You can also give us a call: 877-376-1981.
Apgar and Associates, LLC helps you on your compliance journey, including conducting a security risk analysis, creating risk mitigation and risk management plans, and training workforce.
This article was first published as an e-letter.