Internet of Things
Smart products, they’re everywhere! You may have them in your home, your employees may have them. We commonly think about smart products as home appliances or accessories, but when it comes to your business you’re likely working with some smart products as well. This is especially true if you have automated any processes or physical systems in your buildings or operation centers. Sometimes this is referred to as the industrial internet of things (IIoT).
The threats that your organisation faces can come from two different sides: the IoT devices your employees own and the IIoT systems within your organisation. Your employees have IoT devices in their homes, but when they log in to your network those IoT devices become vulnerabilities. You don't have insight into what security measures they have in their home, and if their devices are compromised your network can be compromised by extension. You’ll be able to catch these vulnerabilities if you have some form of employee monitoring software in use. On the other end of the spectrum are IIoT systems. The industrial internet of things (IIoT) is the interconnection of control systems and enterprise systems, business processes, and analytic dashboards. Because IIoT systems affect the physical environment, a disruption to these systems can have serious operational impacts. The case with Target demonstrated that IIoT systems can be compromised and lead to access to sensitive information. Only in the last year was there a private sector attempt to build a framework for IIoT cybersecurity.
Malicious open source app development
Some organisations use or develop open source programmes or platforms. These often come with the advantage of app integrations. However, some of the developers of those apps are the cyber criminals themselves. The apps function and seem innocent, but they can actually be gateways into your networks, which makes it tougher for security suites to detect them. Many developers use open source apps and code as a base framework when building out software for the organisation. If the developers are not security minded, they could potentially be coding in access for external threat actors.
Encryption practice
If there is any security practice that has become very well known, it would be encryption. However, encryption can be misleading if taken only at face value. Many businesses have mastered encryption-in-transit, which secures channels, but encrypting data-at-rest needs to become common as well. Data-at-rest is any data that is not actively in use or “moving” and is stored on some sort of storage device. Additionally, encryption key management needs to be made more secure. The bare minimum number of people should have the encryption keys, and they should not be provided to anyone outside the organisation.
Public access
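As an added example for the encryption practice section (not code from the original article), the Go program below models the two points that paragraph makes: data-at-rest encryption of stored records, here with AES-256-GCM from Go's standard library, and a key that lives in a separate store and is usable only by an explicit allowlist of principals. The KeyStore type, the principal names and the sample customer record are constructed for this illustration and stand in for whatever key-management service an organisation actually runs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNotAuthorized is returned when a principal outside the allowlist asks to use the key.
var ErrNotAuthorized = errors.New("principal is not authorized to use the data-at-rest key")

// KeyStore stands in for a key-management service (hypothetical, for this example).
// The key is generated here and is never written next to the data it protects; callers
// hand it a principal name plus bytes and get ciphertext or plaintext back, not the key.
type KeyStore struct {
	key     []byte          // 32 bytes => AES-256
	allowed map[string]bool // the "bare minimum" set of principals that may use the key
}

// NewKeyStore generates a fresh random key and records who may use it.
func NewKeyStore(allowed []string) (*KeyStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ks := &KeyStore{key: key, allowed: make(map[string]bool, len(allowed))}
	for _, p := range allowed {
		ks.allowed[p] = true
	}
	return ks, nil
}

// aead enforces the allowlist and returns an AES-GCM instance; the raw key never leaves here.
func (ks *KeyStore) aead(principal string) (cipher.AEAD, error) {
	if !ks.allowed[principal] {
		return nil, ErrNotAuthorized
	}
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record for storage. Stored layout: nonce || ciphertext || GCM tag.
// recordID is authenticated but not encrypted, so a ciphertext copied from one record
// into another will fail to open.
func (ks *KeyStore) Seal(principal string, plaintext, recordID []byte) ([]byte, error) {
	gcm, err := ks.aead(principal)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open decrypts a stored record and verifies it was neither modified nor relabelled.
func (ks *KeyStore) Open(principal string, stored, recordID []byte) ([]byte, error) {
	gcm, err := ks.aead(principal)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored record too short: %d bytes", len(stored))
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

func main() {
	// Constructed sample data: one customer record and its identifier.
	ks, err := NewKeyStore([]string{"billing-service"})
	if err != nil {
		panic(err)
	}
	record := []byte("customer=ACME Corp;card_last4=4242")
	id := []byte("record:1001")

	sealed, _ := ks.Seal("billing-service", record, id)
	fmt.Printf("stored on disk: %x\n", sealed)

	if _, err := ks.Open("contractor-laptop", sealed, id); err != nil {
		fmt.Println("contractor-laptop:", err) // not on the allowlist
	}
	plain, _ := ks.Open("billing-service", sealed, id)
	fmt.Println("billing-service:", string(plain))

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := ks.Open("billing-service", sealed, id); err != nil {
		fmt.Println("tampered record:", err)
	}
}
```

The stored form never contains the plaintext, a principal that is not on the allowlist gets an error rather than the key, and any modification of the stored bytes or attempt to attach them to a different record ID is rejected at decryption time. In a real deployment the allowlist and the key would sit in a dedicated key-management service with its own audit log, which is what keeps the number of people who can touch the key to the minimum the section calls for.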
Remember those times you were at work in a public space and had to step away from your laptop for just a moment? Each time someone steps away from their laptop in public there is a very high chance that a malicious actor will make a move. In situations like this there are very few security measures that could stop such an event besides an encrypted hard drive. There is the possibility that this malicious actor could install malware on your laptop before you get back. This makes detection of an issue very difficult, especially if the laptop belongs to a very privileged user. While most employees and managers use their laptops for most work when travelling, there are those times when other computers are used. In these cases there is no way of knowing what is being recorded when logging into company email or servers. However, setting up remote access that works with your employee monitoring software can help with the detection of a threat.
Security undereducation
For employees and society in general there is a lack of sound cybersecurity education. Executives and employees see cybersecurity as a technology issue, leaving out how process and people impact a security system’s integrity. Executives especially are still only just being introduced to the idea of cybersecurity, so even the role of Chief Information Security Officer (CISO) may not be created unless it is needed to meet compliance or a breach has already happened. Technology will be able to accomplish a lot for security, but people and processes need to work with security in mind.