The WannaCry ransomware attack of May 2017, which disrupted care at dozens of hospital trusts in the UK's National Health Service (NHS), brought the importance of infosec compliance awareness to the forefront. The worm spread through a flaw in Windows file sharing (SMBv1) that Microsoft had already patched two months earlier, in March 2017; the systems that fell were those that had not applied the fix or were running unsupported versions of Windows. When a vulnerability in software from a vendor as large as Microsoft can be exploited and weaponized against unpatched systems, it is clear that infosec compliance is not just about computers, but also about lives.
If WannaCry taught us one thing, it is the importance of keeping software up to date. When the health and safety of a whole nation depends on processes that run over networked systems, it is everyone's responsibility to ensure the security of their software and hardware.
Many governments and corporate organizations struggle to keep their systems up to date because of bureaucratic hurdles and resistance to change. Securing IT systems comes with extra costs: not just infrastructure, but also retraining employees on new security procedures.
Older computers and operating systems can take a long time to update, and updates may break legacy applications that depend on them, which is why many organizations defer installing security patches. Unfortunately, failing to install software and firmware security updates can be a fatal mistake, as the WannaCry victims discovered.
Every firm should promote infosec compliance for its own well-being, as well as that of the employees, customers, suppliers and other parties that interact with it in one way or another.
Importance of InfoSec Compliance
The necessity of infosec compliance goes beyond the financial well-being of the company. The tragedy is that most organizations look to their CISOs and CIOs to manage IT risk at the lowest cost possible. For example, C-suite executives may measure the impact of infosec compliance in dollars alone rather than the broader losses, to customers, patients and reputation, that a breach resulting from noncompliance can cause.
While C-suite executives need the organization to be profitable, it is critical that they understand the potential impact of infosec noncompliance. The economic risk of non-compliance is far greater than the cost of compliance.
Organizations need robust infosec policies that protect not only internal data, but also their people. Internal infosec policies should set out how data that is passed, managed, and stored by the company is secured, and should establish mitigation procedures and standards for responding to zero-day vulnerabilities. These policies should also foster a culture of infosec awareness and compliance.
If firms are reluctant to keep their IT environments updated and secure, then the infosec community should come up with and implement measures to protect these assets.
Increase in Ransomware Attacks
According to a report released by the Department of Justice, ransomware attacks have been increasing steadily since 2016, with attackers launching thousands of attacks every day against both home and corporate networks. As ransomware mutates and evolves, companies should stay a step ahead by ensuring their systems are infosec compliant.
With the Internet of Things (IoT) becoming a reality across all industries, the need for infosec compliance and awareness is greater than ever. In IT security, a good defense starts with knowing your own exposure: evaluate your current status, determine the risks your systems face, and from there build a defense strategy that limits the impact of potential breaches.
Security Risks of the Internet of Things (IoT)
The Internet of Things (IoT) increases connectedness among people and organizations by enabling transfer of various types of data across a wide range of devices. The IoT ecosystem allows devices to communicate with each other to provide helpful information that can be used in business, banking, transport, manufacturing, health, and other industries.
However, the interconnectedness brings its own risks. Many IoT devices ship with weak or absent authentication and send data over unencrypted channels, so an attacker who can reach the network can watch the devices talking to each other, intercept the information for their own gain and, because nothing binds a message to the device that sent it, inject or alter messages as well. This is why the information security industry is now developing audit procedures to increase the safety of IoT.
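The authentication gap described above, as an added example that is not from the original article: a hypothetical sender and receiver in Python in which every reading carries an HMAC over the device id, a sequence number, a timestamp and the payload, computed with a key provisioned to that device. The device ids, keys and message format are assumptions made for this example; the receiver rejects a reading that was altered in transit or captured and replayed, which a receiver that simply trusts what arrives on the wire cannot do.

```python
# Added example: authenticating IoT device-to-device messages with a per-device key.
# Hypothetical message format; not from any real device, vendor or the original article.
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 30  # reject readings whose timestamp is far from the receiver's clock

# Constructed sample keys, assumed to be provisioned out of band. A real fleet
# would keep these in a key store or hardware element, never in source code.
DEVICE_KEYS = {
    "sensor-01": bytes.fromhex("3a" * 32),
    "pump-07": bytes.fromhex("5c" * 32),
}


def canonical(body):
    """Stable byte encoding of the body, so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def parse_unauthenticated(raw):
    """The weak form: a receiver that trusts whatever JSON arrives on the wire."""
    return json.loads(raw)["payload"]


def build_message(device_id, payload, key, seq, now):
    """Sender side: bind device id, sequence number, timestamp and payload under one tag."""
    body = {"device": device_id, "seq": seq, "ts": int(now), "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def tamper(message, new_payload):
    """What an on-path attacker can do: rewrite the payload but not recompute the tag."""
    body = dict(message["body"])
    body["payload"] = new_payload
    return {"body": body, "tag": message["tag"]}


class Receiver:
    """Receiver side: verify tag, freshness and ordering before acting on a reading."""

    def __init__(self, keys, max_skew=MAX_SKEW_SECONDS):
        self.keys = keys
        self.max_skew = max_skew
        self.last_seq = {}  # device id -> highest sequence number accepted so far

    def verify(self, message, now):
        """Return (accepted, reason). The tag is checked first so that nothing in an
        unauthenticated body is trusted, not even its timestamp or sequence number."""
        body = message.get("body", {})
        device = body.get("device")
        key = self.keys.get(device)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("tag", "")):
            return False, "bad tag"
        ts = body.get("ts")
        if not isinstance(ts, int) or abs(int(now) - ts) > self.max_skew:
            return False, "stale or skewed timestamp"
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(device, -1):
            return False, "replay"
        self.last_seq[device] = seq
        return True, "ok"


if __name__ == "__main__":
    key = DEVICE_KEYS["sensor-01"]
    rx = Receiver(DEVICE_KEYS)
    msg = build_message("sensor-01", {"temp_c": 36.8}, key, seq=1, now=1_000_000)
    forged = tamper(msg, {"temp_c": 90.0})
    print("genuine reading:", rx.verify(msg, now=1_000_005))
    print("same reading replayed:", rx.verify(msg, now=1_000_005))
    print("tampered reading:", rx.verify(forged, now=1_000_005))
    print("unauthenticated receiver accepts:", parse_unauthenticated(json.dumps(forged["body"])))
```

Per-device keys plus a monotonic sequence number mean a captured reading cannot be altered or replayed by someone who merely sees the traffic. What this does not give is confidentiality, so a real deployment would still carry the messages over TLS (or DTLS on constrained devices) and rotate the device keys.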
Compliance Week reports that more and more companies carry out internal IoT audits. If your company does not have an IoT audit plan, here are some questions that can guide you when creating a framework for InfoSec compliance awareness:
- How is IoT deployed in your organization? What IoT devices are used and who owns them?
- What are the risks of IoT in your industry? Have the risks been assessed and quantified with respect to your firm?
- What data is collected, stored and analyzed by your IoT devices? What security measures have been put in place to guard against legal implications that may result from privacy breaches?
- Do you have a contingency plan that is ready to be deployed in case of malicious intrusions into your IoT network or devices?
- Is your current IoT strategy aligned with your company’s goals? What key performance indicators (KPIs) are you monitoring to gauge the effectiveness of the IoT strategy?
- Are you aware of the third parties using IoT on your behalf, and do you have ways to monitor their use?
- What are the potential risks of not implementing an IoT strategy in your organization?
Most of the questions above concern data and organizational use, so they would traditionally be handled by the C-suite executives in charge of information security.
Your organization needs a strong security strategy that enforces infosec compliance proactively and not reactively.
What would happen should your IoT network or devices be compromised by malicious parties?
This is a tough question that needs to be addressed now rather than after the fact. Malicious access to your IoT devices can lead to serious economic and social repercussions.
Protecting the IoT Ecosystem through Effective InfoSec Compliance
As the IoT ecosystem matures, it is only a matter of time before hackers try to paralyze it for political or economic gains. The WannaCry attack may only have been a test of what is to come. When a second WannaCry-type attack happens, you do not want your organization to be among those whose systems will be held ransom.
If WannaCry was big, imagine what a large-scale IoT ecosystem attack would be.
WannaCry infected hundreds of thousands of computers in roughly 150 countries, yet it did so by hopping from one unpatched Windows host to the next; the victim organizations were otherwise independent of one another.
With IoT, devices across the world are linked to each other through shared networks and cloud platforms, so a large-scale attack could be catastrophic, and attackers would have a field day controlling events around the world. Virtually any device that is connected to the internet or has a Bluetooth connection could potentially be controlled.
The likely result of a large-scale IoT attack would be chaos and a breakdown of everyday services. For example, attackers could take control of smartphones and make it impossible to make or receive calls, break into a city's traffic control center and take over the traffic lights, power vehicles on or off, shut down banking and health equipment, halt production lines, and so on.
The average smartphone user may not appreciate that a device can be controlled remotely. This is why the information security industry needs to develop standards and measures that protect not only organizations, but also users, from their own mistakes as well as from outside threats. Promoting infosec compliance is a step in the right direction toward ensuring the health and safety of the public and of organizations.
Medical Internet of Things (IoT) InfoSec Compliance
Perhaps in no other industry would the repercussions of an IoT attack be felt more than the medical industry.
Hospitals have started integrating IoT healthcare devices to improve patient care and service delivery. For example, providers can monitor a patient’s progress remotely without the need for hospital visits. Sensors on medications can also monitor whether a patient is adhering to the required dosages.
Healthcare facilities are also using IoT-enabled equipment for critical health activities. For example, the Boston Medical Center has more than 600 IoT-enabled infusion pumps. Staff can dispense and change medications on the pumps through a wireless network instead of having to load each pump manually. A malicious intruder on the network these devices use could stop the pumps or change what they dispense.
The best defense against IoT attacks is preventing them rather than recovering from them. Attackers constantly scan systems for known but unpatched flaws as well as zero-day vulnerabilities. Being infosec-compliant can help prevent such attacks and save lives, and the compliance process itself tells you your organization's current IT security status.
Compliance should be headed by C-suite IT personnel who are knowledgeable and keep abreast of the latest security flaws and threats in the industry. Compliance measures should also be entrenched in the firm's operations. C-suite executives should lead the way in compliance and encourage all employees down the hierarchy to adopt secure device usage and management to prevent breaches and attacks.
Promote InfoSec Compliance through Automation Software
You can promote infosec compliance in your firm by using compliance programs. These applications can help to identify the prevailing IT security risks in your organization. When all compliance programs can be accessed and monitored from a single location, there is more efficient communication between the Board of Directors, C-suite members, and IT audit teams.
Compliance automation software reduces the redundancy of running several parallel compliance processes and gives a single place to track information security threats and the controls that address them.
However, such programs only provide a bird's-eye view of an organization's infosec compliance status. They should be complemented by robust IT security policies implemented across the organization, and routine security audits that actually test the company's IoT ecosystem should be carried out to catch emerging threats before they are exploited.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.