With more information and technology than ever before, effective risk management has never been more important

Internet of things

From manufacturing and tourism to telecoms, the Internet of Things (IoT) and other sources of Big Data are set to fundamentally transform entire businesses and industries.

All of that change has the potential to be highly disruptive and has already started to redefine the risk equation for many enterprises, highlighting more than ever the importance of effective risk management.

So what are the key risks associated with the IoT?

Microsoft Asia chief security officer Pierre Noel says there are two main concerns, with the first being inadequate security mechanisms within products themselves.

“The great majority of devices aren’t designed for security. In most cases there is no security whatsoever,” he says.

“For example, take a company selling intelligent light bulbs. Say a bad guy has worked out how to turn off those light bulbs by pushing malware into the devices – unless the company has already considered this in the design, they’re in trouble.”

Noel suggests the only way to mitigate device-level risk is to consider it during the design phase.

“The moment you start to plan the device, you need to employ a team of people who are focused on security. Almost no organisation does that. You need people who understand the risks, not just the value of the device,” he says.

The second IoT risk occurs at aggregation level.

“All these devices are feeding data into a data lake. Once the information is stored, you have to ensure it’s properly protected, otherwise it’s a mine for the organised crime community.

“The fact we are collecting this information from the devices is fantastic from a business point of view, but it carries enormous risk. People can monetise this information by decrypting, blackmailing or stealing,” says Noel.

Lockton Singapore chief executive Peter Jackson agrees that the IoT changes a company’s risk profile.

“The risks are simple IT failure, or cyber attacks and hacking. Often with that, you’ll have third party dependencies, for example data storage, and third party servers. The risks are dispersed. You need to identify who is taking responsibility for those risks.”

Jackson advises firms to plan for the worst.

“All the best advice coming out of the IT world is to assume you’re going to get a data breach. In that case, you need to look at your business continuity plan, and the insurance cover you’ve got for first and third party risk,” says Jackson. “You need to ensure your existing policy incorporates cyber risk, and then check if there are any gaps.”

Jackson also suggests mapping out who is responsible for what, within and outside the business.

“Understand the IT elements, throughout the whole supply chain so you understand what you’re responsible for and what your suppliers are responsible for.”

Risk mitigation

But while the IoT may be the next big thing, Scentre Group chief risk officer Eamonn Cunningham warns of firms jumping in without purpose.

“You need to make sure you use this rich resource of connected data in a deliberate way that works for you, rather than jumping in and using it just for the sake of it.

“The data and the way it comes together needs to be your slave and work for you, not the other way around,” he says.

Cunningham advocates adopting a traditional risk assessment approach when considering the IoT, including the identification of mitigations and controls along the way.

He also sees the need for new types of insurance products, particularly in cyber.

“These areas would include greater coverage for risks arising from using vendors and particularly their products,” says Cunningham.

Astro vice-president of enterprise risk management Patrick Abdullah recommends a three-tiered approach to keeping data stored securely.

The first is ensuring strong IT systems are in place to reduce the likelihood of hacking.

“Regular penetration tests need to be undertaken to test the system for vulnerabilities. These include monthly operating system patches, server hardening and agents,” he says.

The second step is around a company’s personnel.

Abdullah says IT administrators normally hold the source code and keys to servers, but if those personnel are not trustworthy, there’s potential for confidential information to be leaked.

“In terms of mitigation, you need different layers of authority established to allow for extraction of information,” he says.

“As an example, in a banking environment, for every attempt of a login into the bank’s server, two-tier passwords are required. One will be generated by the administrator and the other by an IT security officer. You need both of these passwords to gain administrator rights and log in to the server,” says Abdullah.
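As an added illustration of the two-person rule Abdullah describes (example code written for this page, not Astro's or any bank's system): a login gate that grants administrator rights only when the administrator's own password and a one-time code issued by the security officer for that specific attempt both verify. The class, role names and single-use code design are assumptions; only digests of the secrets are stored, comparisons are constant-time, and every attempt is audited.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest so no plaintext secret is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class DualControlGate:
    """Hypothetical two-person-rule gate: admin rights need the administrator's
    password AND a one-time code the security officer generated for this
    attempt. Neither secret alone grants anything."""

    def __init__(self, admin_password: str):
        self._admin_salt = os.urandom(16)
        self._admin_digest = hash_secret(admin_password, self._admin_salt)
        self._code_salt = os.urandom(16)
        self._pending_code = None  # digest of the officer's outstanding code
        self.audit_log = []

    def officer_issue_code(self) -> str:
        """Security officer generates a fresh code for the next login attempt."""
        code = secrets.token_hex(8)
        self._pending_code = hash_secret(code, self._code_salt)
        return code  # handed to the administrator out of band

    def request_admin(self, admin_password: str, officer_code: str) -> bool:
        """Return True only if both factors verify; the code is consumed
        on any attempt so it cannot be replayed after a failure."""
        pending, self._pending_code = self._pending_code, None
        admin_ok = hmac.compare_digest(
            hash_secret(admin_password, self._admin_salt), self._admin_digest)
        code_ok = pending is not None and hmac.compare_digest(
            hash_secret(officer_code, self._code_salt), pending)
        granted = admin_ok and code_ok
        self.audit_log.append(
            {"admin_ok": admin_ok, "officer_ok": code_ok, "granted": granted})
        return granted
```

Both failure paths are deliberately indistinguishable to the caller: the audit log, not the return value, records which party's factor failed.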

The third layer of protection is the education process. It is important that employees fully understand and appreciate ethical practices. Abdullah says all employees should undergo yearly training and testing on the company’s code of ethics.

“Also, it is important to have an information classification policy implemented to ensure employees fully understand the nature of the information they are dealing with, whether it is deemed secret, restricted, classified or non-confidential,” he says.

Abdullah says there are further considerations if information is stored in the cloud, rather than a private domain.

“Can you trust the people employed by your service provider? Can third parties influence these individuals to extract data that is confidential in nature?”

He also suggests signing a non-disclosure agreement with the vendor.