The Great Hot Tub Hack caper, demonstrated by BBC Click, has turned up the heat on commercial IoT. The end result could be a burned-out pump or redder cheeks on exiting, but the message is clear—be careful.
The brand of hot tub isn’t important, but it is safe to say, with Christmas behind us, many of us bought or received commercial-grade products that are voice-activated using Alexa or Google Assistant.
I am one of them.
I also got some peripheral devices, which work really well to control plugs and switches; however, I am a bit nervous about it all since Google accesses the account you set up on a third-party website to control your devices.
That’s clever, but what about the security of it all?
As I speak, the only thing a hacker could do is turn off my fireplace or turn on my ceiling fan. I have these devices on a separate wireless network that has no accessibility to my business network and no access to shares since it is on a separate IP network.
I think I have done OK with network segregation. But is it enough?
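One way to express the segregation described above as an enforced policy, as an added example that is not from the original column or from any product mentioned in it: an nftables ruleset for a router with one interface on the IoT wireless network and one on the business network. The interface names and subnets are assumptions chosen for illustration.

```nftables
# Added example (not from the original column): nftables forwarding policy for a
# router between an IoT wireless network and a business network.
# Interface names and subnets below are assumed for illustration:
#   iot0 = 192.168.50.0/24  (voice-assistant-controlled plugs, switches, fans)
#   lan0 = 192.168.10.0/24  (business network with file shares)
#   wan0 = uplink to the internet
table inet segmentation {
    chain forward {
        # Anything not explicitly allowed between interfaces is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections permitted below are allowed back through.
        ct state established,related accept

        # IoT devices may reach the internet (the cloud back ends that
        # Alexa or Google Assistant use to relay commands)...
        iifname "iot0" oifname "wan0" accept

        # ...but never the business network. The counter and log entry
        # record any attempt, which is how you find out whether a device
        # is probing for shares.
        iifname "iot0" oifname "lan0" counter log prefix "iot-to-lan blocked: " drop

        # Business hosts may initiate connections to IoT devices for local
        # control; replies come back via the established rule above.
        iifname "lan0" oifname "iot0" accept

        # Business hosts reach the internet as usual.
        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f segmentation.nft` and inspect it with `nft list ruleset`; a non-zero packet count on the IoT-to-LAN rule is the quickest answer to "is it enough?", because it shows something on the IoT side tried. The ruleset only governs traffic routed between the two networks: devices sharing the same wireless network can still talk to each other unless the access point isolates clients, and the router's own management interface needs its own `input` chain rules.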
Imagine being a Fortune 500 executive and wondering if the company is doing enough to protect intellectual property and private customer data. Having your secret recipe stolen would be devastating; then it would no longer be secret.
Boards of directors also need to have a finger in the security pie. After all, they have responsibilities, don’t they?
In its annual Cyber Governance Survey, financial consulting firm BDO pinpoints the essential roles of corporate oversight and who should be doing it.
While companies are hiring more board members with technical expertise, it seems that the easiest thing to do is throw more money at the problem. I was surprised to see that only 45% of surveyed companies plan to increase their budgets for “digital initiatives” pertaining to cybersecurity.
The survey's digital-priorities question, however, did not address cybersecurity at all; the top-ranked priority was again funding for anticipated business needs. That could include cybersecurity solutions, but the survey did not say so. Again, only a small percentage reported committing the funding.
Some think investing in security doesn’t translate to the bottom line. If it did, these numbers would have been higher. Until someone—the government—makes it mandatory to protect data and systems, this funding will remain a bit muted.
There is no limit to the amount spent on technology that adds to the growth or profitability of the company. Security hasn’t made the grade quite yet.
This is very surprising. It’s still about the bottom line, but progress is being made. Seventy-five percent of respondents indicate they in fact have increased funding for cybersecurity in the past 12 months. This is the fifth year in a row of reported increases, which bodes well for the future.
Where the governance seems to have landed is at the feet of the masses. Over half of the surveyed companies did readiness tests for security, as well as cyber-risk assessments, which resulted in changed policies. Twenty-five percent, however, stated they have not done any assessments at all. Now that’s scary.
Data privacy is the new abyss that we face. How many times have we heard of data breaches, and from solid companies? It is these data breaches, as well as the uncounted ones we do not know about, that can create havoc.
Imagine if a company database that had the logins of all employees were hacked. Imagine the chaos that would create; anyone could emulate anyone, resulting in who knows what.
The ability to change one’s own pay scale would be a minor one. Access to confidential company information is a major one.
The European Union instituted a data protection plan (GDPR) in 2018. Sixty-nine percent of survey respondents said they are not impacted by this regulation. BDO believes most of them are wrong.
Having said that, the survey says more than 75% did a gap assessment, meaning they took the regulations seriously enough to check. They probably decided it would cost too much to implement, and so responded that it has no impact.
It’s a simplified answer, but updating policies and procedures may not be enough to be in compliance. Best to ask for forgiveness?
The report brings to light the need for every company’s board of directors to be more vigilant and to make the decisions necessary to protect the bottom line from a security point of view. It is about money but also about compliance.
Might I suggest it would be best to ask for permission.