Recently I seem unable to avoid reading material on security risks associated with the use of technology. It is certainly a good thing that the topic has a growing profile as that can positively drive upward awareness of the risks. However, I do worry that many articles only tend to articulate the risks and remain silent on the potential benefits arising from technology enabling our lives. Writing about the dangerous downsides of how easily Internet of Things (IoT) context devices can be hacked will definitely get attention. This is fine if we also gain the value of people being more aware and then engaging on an informed basis with technology and related information security risks.
I noticed recently that the New York Stock Exchange (NYSE) had sponsored and circulated a publication called Navigating The Digital Age: The Definitive Cybersecurity Guide (for Directors & Officers) to every NYSE listed company board member. This was produced in partnership with Palo Alto Networks and a wide and impressive range of contributing writers and organisations. I found it an excellent read. What I particularly liked was the recognition clearly conveyed that people as much as technology (or process) are at the heart of both the information security threat and the defences. The need to educate both the consumers of technology enabled solutions and those operating and defending them was well articulated.
The criticality of all of us being aware of the risks to our data and the steps we can take to mitigate them is becoming clearer to most people. The publicity around corporate hacks like Sony and the recent press around the cyber “front” in the current challenging situation in the Middle East are hard to avoid. However, in recent weeks the questions I have been asked most often around information security have been related to stories on many and various IoT devices that have allegedly proved vulnerable to hacking. People have raised many concerns with me on a wide range of devices from connected car systems to house alarms to healthcare wearables to pacemakers. I remember reading, but annoyingly cannot now find, an article which used the term “Internet of Nosey Things” in its discussion of the type and value of data involved.
Indeed the ISACA 2015 Risk Reward Barometer declared that its 7000+ contributors saw IoT as being the prime area of information security concern. The survey reported that over 70% of respondents saw a medium to high likelihood of attack via such devices either in the consumer or in corporate context as they become more common in the workplace. This concern is then compounded by the (ISC)2 Global Information Security Workforce Study 2015 which forecasts that we will simply not have enough security skilled people in the workforce to provide adequate defences. They see the gap being as many as 1.5 million security workers too few by 2020.
If that forecast proves true then we need to have placed information security at the centre our technology design process. In fact if you look at the automation and machine to machine implications of IoT then we clearly have to ensure our defences are not operator dependent. The imperative to automate defences is nicely highlighted by the HP Cyber Security Report 2015. This is a sobering read of results from interviewing 252 companies in 7 countries. What particularly stood out in the material is that the time to recover from a cyber-attack has risen from 14 days in 2010 to 46 days in 2015; that the number of successful attacks reported has risen by 46% since 2012; and that the average cost of cybercrime per participating company was $7.7m.
So having started saying I was wary of scare mongering articles on information security I have now drifted towards the negative perspective. It is quite hard to avoid when considering this topic I fear. As the benefit delivered by technology is huge and alluring so does it comes risk and as ever some people don’t see a problem with acting illegally to make money. In that sense this challenge is nothing new and we have a good track record across many societies of working out how to protect ourselves (eventually?!) from such threats.
Perhaps we do indeed need a digital age Magna Carta or its mirror incarnations across the globe. The content of this updated Magna Carta was built on the input of over 30,000 people having begun as an initiative focused on school children. The British Library site hosting the debate has lots of other excellent material worth reviewing. The good news is that the debate is still open as to what this digital age Magna Carta should state. Why don’t you go and place your vote?
Images via Shutterstock,com.
A fascinating, insightful and thought provoking piece.