Australian Cyber Security Magazine, ISSUE 4, 2018


Cyber Security

Can we take people out of IoT security?

By Dan Lohrmann

How can we provide better security for Internet of Things (IoT) devices? Yevgeny Dibrov writes that cybersecurity can be improved solely with technology improvements. I disagree. Here’s why I believe removing people from IoT security is ‘mission impossible.’

I recently read an intriguing Harvard Business Review (HBR.org) article by Yevgeny Dibrov, titled: The Internet of Things is Going to Change Everything About Cybersecurity. This well-written and thought-provoking opinion piece begins with the reality that cyber threats are exploding globally and data breaches have led mainstream businesses to spend over $93 billion in 2017 on stopping cybercrime. Furthermore, cyberattacks against Internet of Things (IoT) devices are skyrocketing even faster, causing Congress to get involved. Gartner anticipates that a third of hacker attacks will target "shadow IT" and IoT by 2020.

In our scary new normal online, I certainly agree with Dibrov that: “Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools that they’ve been using all along are setting themselves up for continued failure.” No doubt, old methods of defending enterprises from cyberattacks are failing and new security solutions are certainly needed. So, what is the author’s solution?


Answer: Take people out of the security equation.

Dibrov writes: “It can’t be denied, however, that in the age of increased social-engineering attacks and unmanaged device usage, reliance on a human-based strategy is questionable at best… It only took one click on a link that led to the download of malware strains like WannaCry and Petya to set off cascading, global cybersecurity events. This alone should be taken as absolute proof that humans will always represent the soft underbelly of corporate defenses. …”

The article goes on to explain that the “Amazon Echo is susceptible to airborne attacks,” and “Users may have productivity goals in mind, but there is simply no way you can rely on employees to use them within acceptable security guidelines. IoT training and awareness programs certainly will not do anything to help, so what’s the answer? It is time to relieve your people (employees, partners, customers, etc.) of the cybersecurity burden.”

My Response: Wrong answer.

While I certainly agree that humans are often the weakest link in online security and we must do better at equipping staff, relieving your people from the cybersecurity burden is going in the wrong direction. People use the technology, and their actions, and the processes that are followed, will always be essential

