While the general public is waking up to the possibilities of the Internet of Things (IoT) to turn their living spaces into smart homes, businesses the world over are slow to prepare for the onslaught of connected devices that will find their way into the workplace.
According to global IT association ISACA's 2014 IT Risk/Reward Barometer, only 43% of organizations worldwide have plans in place to leverage IoT or expect to get plans in place within a year. The 110-country survey of 1,646 ISACA members, who are business and IT professionals, reveals that many companies have neither wearable technology nor ‘bring your own device’ (BYOD) policies in place. More than half (56%) say their BYOD policy does not address wearables and a further 23% do not even have a BYOD policy in place. This is in spite of the fact that the vast majority of the respondents (81%) believe that wearables pose even more risks than BYOD.
Security threats and data privacy are seen as the biggest challenges to the Internet of Things:
• 49% believe the biggest challenge is increased security threats
• 25% are concerned about data privacy issues
• 69% are very concerned about diminishing personal privacy
• 28% are concerned about public ignorance about who has access to the information collected
“The Internet of Things is here, and we are likely to see a surge in wearable devices in the workplace,” said Rob Clyde, international vice president of ISACA and CEO of Adaptive Computing. “These devices can deliver great value, but they can also bring great risk. Companies should take an ‘embrace and educate’ approach.”
To help companies deal with the challenge and risk of connected devices in the workplace, ISACA has provided nine critical questions companies should address as they get to grips with IoT:
1. How will the device be used from a business perspective, and what business value is expected?
2. What threats are anticipated, and how will they be mitigated?
3. Who will have access to the device, and how will their identities be established and proven?
4. What is the process for updating the device in the event of an attack or vulnerability?
5. Who is responsible for monitoring new attacks or vulnerabilities pertaining to the device?
6. Have risk scenarios been evaluated and compared to anticipated business value?
7. What personal information is collected, stored and/or processed by the IoT device?
8. Do the individuals whose information is being collected know that it is being collected and used, and have they given consent?
9. With whom will the data be shared?
“Connected devices are everywhere—from obvious ones, like smart watches and Internet-enabled cars, to ones most people may not even be aware of, such as smoke detectors,” said Robert Stroud, CGEIT, CRISC, international president of ISACA and vice president of strategy and innovation at CA Technologies. “Often, organizations can be using IoT without even realizing it—which means their risk management stakeholders are not involved and potential attack vectors are going unmonitored.”
ISACA’s free Internet of Things: Risk and Value Considerations guide can be downloaded at www.isaca.org/internet-of-things.