Companies Need to Be Aware of Cyber Risks Related to Proliferation of IoT – Insurance Journal


The Internet of Things (IoT), which refers to the collection of internet-enabled devices such as wearables, industrial sensors and controls, and closed-circuit cameras, has revolutionized processes from pharmaceuticals storage to energy-usage monitoring. However, it has also created a wide array of cyber risks that have yet to be fully recognized.

The technology permits the collection and transmission of vast amounts of data automatically via sensors, software and network connectivity embedded into devices, vehicles, and buildings. It is proliferating rapidly across multiple industries in the so-called Fourth Industrial Revolution, but overall growth is outpacing the checks, balances and controls needed for our collective security.

A recent US Federal Government letter to state governors after hackers disabled water utility controllers speaks to concerns about IoT: a potential attack on critical infrastructure where invisible, malign forces commandeer on-site machinery. Experts are worried, too. In the US, the Cybersecurity and Infrastructure Security Agency (CISA) has made the protection of critical infrastructure a top security priority.

Much of the connected equipment in the critical infrastructure and industrial sectors is legacy operational technology that dates back decades, to an era when security meant keeping intruders off the premises. It was only recently retrofitted with network connectivity and, unlike newer IoT devices, generally depends on manual updates.

Given the huge number of devices used by any one company, often in multiple locations, the cost of remedying cybersecurity vulnerabilities can be prohibitive. Those constraints apply both to essential service providers, reliant on the public purse, and to industrial companies with shareholders to please. Companies, therefore, tend to labor on, with antique firmware that makes them highly vulnerable to malicious actors.

However, the US government’s disclosure of attacks on critical infrastructure targets has raised awareness. During a March meeting convened by the administrator of the Environmental Protection Agency and the National Security Adviser, state and local officials from across the US discussed the cybersecurity of the water sector. At the meeting, Deputy National Security Advisor Anne Neuberger requested that each state share a cybersecurity plan by May 20, 2024.

Recent work by the Massachusetts Institute of Technology also highlights the potential scope for property damage related to this technology. Researchers were able to simulate cyberattacks that could cause motors, pumps, valves, and gauges to catch fire, explode or simply fail.

New devices such as smart meters and wearable health technology have driven an IoT market which is expected to number 24.1 billion devices by 2030, almost treble the number of a decade earlier, according to figures reported by the CRO Forum.

Unlike the legacy equipment used by utilities and many industrial sectors, these new products are built for the digital age. However, they are still hazardous, having been designed for functionality rather than security, often with weak passwords, inadequate authentication, and a lack of encryption.

The World Economic Forum’s (WEF) concern about consumer IoT security led it to establish the multi-stakeholder Council on the Connected World, underpinned by a series of principles. Data privacy was one of WEF’s main bugbears.

The Dangers of Data

The risks include deliberate data theft, the collection of data and its linkage to a specific IP address without the data owner’s consent, and associated litigation following the theft of data. The situation is made worse by huge differences in data regulation and privacy law across nations and across US states.

The healthcare sector, in particular in the US, is already facing a tidal wave of data-related lawsuits, in relation to incidents such as the February ransomware attack on UnitedHealth’s Change Healthcare unit, or the theft of the data of about 11 million patients at HCA Healthcare last year. While these incidents didn’t involve IoT technology, medical devices are also a potential risk vector. The use of IoT technology, and the associated data vulnerabilities, exacerbate what is already a dangerous liability.

Whatever the application, IoT devices are attractive targets due to their interconnectedness and the sheer number of entry points to a network they provide.

Weak or absent security features, poor visibility of the number and type of devices on a given network, and a widespread lack of monitoring compared with traditional IT systems are pan-industry problems. Incident response strategies are in many cases non-existent.

This all adds up to significant cyber exposure, with ramifications too for lines such as accident & health, life, business interruption, errors and omissions, directors & officers, and property.

Shoring Up Defenses

Best practice for IoT cybersecurity includes scrapping default passwords on devices, encrypting data in storage and in transit, and ensuring a thorough knowledge of the device-, sector- and region-specific regulation that applies. Storage and transmission of unnecessary data should be limited, if not eliminated, and in a globalized, interconnected world where data crosses national regulatory boundaries, care should be taken before assuming consent for data collection.

Companies of all stripes should understand what IoT data is being collected by whom and for what purpose and conduct proper due diligence on IoT suppliers. Regular software updates – one of the tenets of the WEF’s consumer code – need to happen where possible, though for industrial applications this may be challenging.
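The visibility gap described above (not knowing how many devices are on the network or what they send) and the hygiene points in this section translate directly into an inventory audit. The script below is an added example, not code from the article or from any vendor it mentions. It runs over a constructed sample inventory of hypothetical devices and flags vendor default credentials, cleartext transports, stale firmware and data flows with no recorded owner or purpose; the credential list, transport list and two-year firmware threshold are assumptions to be tuned per sector.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed sample inventory (hypothetical devices, not from the article):
# the sort of record an asset export or network scan yields once the devices
# on the network have actually been enumerated.
SAMPLE_INVENTORY = [
    {"id": "cam-lobby-01", "type": "camera", "firmware_date": "2016-03-01",
     "username": "admin", "password": "admin", "transport": "http",
     "data_owner": "", "data_purpose": ""},
    {"id": "plc-line-3", "type": "plc", "firmware_date": "2009-11-20",
     "username": "operator", "password": "Tr0ub4dor&3", "transport": "modbus",
     "data_owner": "ops", "data_purpose": "line control"},
    {"id": "meter-hq-07", "type": "smart-meter", "firmware_date": "2023-09-15",
     "username": "svc", "password": "x9!LqP2#mB", "transport": "mqtts",
     "data_owner": "facilities", "data_purpose": "energy monitoring"},
    {"id": "wearable-nurse-12", "type": "wearable", "firmware_date": "2022-01-10",
     "username": "admin", "password": "1234", "transport": "https",
     "data_owner": "clinical", "data_purpose": "patient vitals"},
]

# Constructed list of vendor default credentials (hypothetical; a real audit
# would use vendor documentation or a maintained default-credential list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("admin", ""), ("root", "root")}

# Transports that carry data in cleartext. Assumption: anything not listed
# here (https, mqtts, ...) is treated as encrypted.
CLEARTEXT_TRANSPORTS = {"http", "mqtt", "telnet", "ftp", "modbus"}

# Firmware older than this is flagged. Assumed threshold; tune per sector.
FIRMWARE_MAX_AGE_DAYS = 2 * 365

# Fixed reference date so the audit is reproducible (assumed, not "today").
AUDIT_DATE = date(2024, 5, 1)


@dataclass
class Finding:
    device_id: str
    check: str
    detail: str


def audit_device(device: dict, today: date) -> List[Finding]:
    """Return the hygiene failures for one inventory record."""
    findings: List[Finding] = []
    dev = device["id"]

    if (device["username"], device["password"]) in DEFAULT_CREDENTIALS:
        findings.append(Finding(dev, "default-credentials",
                                f"still using vendor default {device['username']!r}"))

    if device["transport"] in CLEARTEXT_TRANSPORTS:
        findings.append(Finding(dev, "cleartext-transport",
                                f"{device['transport']} carries data unencrypted"))

    age_days = (today - date.fromisoformat(device["firmware_date"])).days
    if age_days > FIRMWARE_MAX_AGE_DAYS:
        findings.append(Finding(dev, "stale-firmware",
                                f"firmware is {age_days} days old"))

    if not device["data_owner"] or not device["data_purpose"]:
        findings.append(Finding(dev, "undocumented-data-flow",
                                "no recorded owner or purpose for the data it collects"))
    return findings


def audit_inventory(inventory: List[dict], today: date) -> Dict[str, List[Finding]]:
    """Audit every record; only devices with at least one failure appear."""
    results: Dict[str, List[Finding]] = {}
    for device in inventory:
        findings = audit_device(device, today)
        if findings:
            results[device["id"]] = findings
    return results


def summarize(results: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count failures per check across the inventory, to prioritise remediation."""
    counts: Dict[str, int] = {}
    for findings in results.values():
        for f in findings:
            counts[f.check] = counts.get(f.check, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)
    for dev_id, dev_findings in report.items():
        for f in dev_findings:
            print(f"{dev_id}: [{f.check}] {f.detail}")
    print("totals:", summarize(report))
```

On the constructed sample, three of four devices fail at least one check and the most common failure is stale firmware, which matches the article's point that patching is where industrial deployments struggle most. The per-check totals are what a risk owner would take to the board or the broker: they turn "we have IoT exposure" into a ranked list of what to fix first.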

After a period of steep cyber losses, insurers have helped raise awareness about IoT cybersecurity, while central governments are becoming increasingly cognizant of the role they need to play in stemming IoT attacks.

Companies that had previously tailored their IoT risk management to a given geography, product or business unit are also thinking again, given the scope for one event to stall their entire production or trigger costly lawsuits.

However, board-level buy-in to cyber risk management in general has yet to become universal, a deficit that initiatives like the UK’s proposed Cyber Governance Code of Practice aim to address.

Robust Cyber Risk Mitigation

In addition, too many cyber insurance policies remain once-and-done annual transactions that may not be appropriate for the changing risk landscape. Insureds should consult with their insurance brokers to identify policies that offer threat intelligence, personalized alerts, and risk management resources, including access to third-party vendors and guidance on how to prioritize cybersecurity investments. Security starts not with technology but with human behavior, so having a robust cyber risk mitigation process in place is key.

The relative dangers of IoT vary by industry but recent incidents underline the importance of all companies addressing this technology as an integral part of overall risk management. At its most effective, this will be underpinned by an insurance policy that actively strives to keep insureds and their customers safe.
