You sit there thinking about the impossible task of getting “the C suite” to take responsibility for information security.
Well, our task just got easier. How, you ask?!? Bring it to their home.
Try googling “internet connected bottle of scotch”. Then tell me that our “Society of Surveillance” isn’t going to massively disrupt our framework for how we secure our organizations.
Here’s a couple of random examples about how this massive disruption will be executed by “bad actors”…
- A GPS device is planted on the automobile of a senior executive of a nuclear power plant
- Malware on a board member’s phone silently enabled the microphone & recorded a closed-door board-of-directors’ meeting.
- NFL draft room… Someone plugs in the charger for their PC. But, it’s not just a charger. It’s retrofitted with a mic & a 4G radio. It was cleverly swapped a few weeks ago at a coffee shop.
- Keystrokes from a wireless keyboard from intercepted from nearby. The whiz-kid who just joined your legal team? He gets a txt msg, “It would be a shame if your employer found out about the website you were on last night. Or the police.”
- Your computer with the wireless mouse can be controlled by a keyboard 500’ away.
- The really nice furnace repair guy with an iPad says, “I need to look up something from the service manual & I can’t get my iPad to connect to AT&T. Can I borrow your wifi password?”
- That Nest thermometer isn’t just an energy saving device. It might double as an early warning system for the two guys who used the IoT garage door opener to take a peek at your home computer.
- Remember Samsung’s warnings that someone might be listening to your every word when there’s a TV in the room?
You thought it was a game changer when you had to worry about a hack while standing in front of Starbucks?
I got news for you. Start worrying about a diaper changer while standing in front of a hacked baby monitor.
It’s time to begin developing an IoT security strategy that specifically protects the individuals in your organization whose knowledge, access, or responsibilities are the most sensitive and/or critical to continuing as an on-going entity. Here’s my short version:
- By their position within your organization, if you don’t have a responsibility to help secure their personal lives (as well as the ones they love), you have a practical duty to protect those aspects of their lives which affect the equity for your owners/shareholders. (There. We put that in terms that leadership can understand.)
- Redefine the new relationship that exists between your organization’s exposures (information security, physical security, fiscal security, & reputation security) and these individuals’ privilege to privacy. Legal & HR will need to be involved in this process, of course.
(In this new world of easy surveillance, let’s have that uncomfortable discussion about whether the “right” to privacy is anything more than an illusion.)
- Forget mobile device management. Implement mobile device security. Mobile anti-malware is a no-brainer necessity for this exclusive group of individuals.
- Device & frequency scanning technology can detect, track & report against all IoT activity in a given area. Then it analyzes against what is normal in that area.
- Add a monitor to these individuals’ home networks that keeps their “connected homes” safer from these new cyber threats.
- Consider outsourcing these counter-surveillance responsibilities a third party that can insulate knowledge about an employee’s personal life from the employment relationship.
If you’re interested, we’d love to tell you how we might help execute a plan for the most critical (and vulnerable) members of your organization. Give us a call or email us… firstname.lastname@example.org