According to Jennie Vickers, businesses in NZ that hold sensitive data need to have an urgent think about all their devices and data – whether they’ll be going to the beach this summer or staying home.
Identifying the Problem
We need to talk about digital devices and we need to talk now. With mere weeks left before we stop for our annual Kiwi vacation, we are heading into yet another perfect storm. This time we will see the pressure growing from:
- A workforce wearier than ever before and needing downtime;
- Kiwis being one of the most trusting nations in the world and vulnerable as a result;
- More IoT devices ready to chat to the internet at home when you are not;
- More NZ kids with digital savvy and smarts than ever before;
- More pressure on internet plans (if and when caps go back on) and then more reliance on free wifi, when the family moves away from the secure home plan;
- Screen time for non-work activities soaring along with a desire to access more esoteric sites; and
- Continuing digital poverty, which means that the only device in a household may be owned by your business.
In this storm we could be at risk of increasingly successful hacks, more ransomware demands and operational equipment being operated by the unauthorised.
This is not a new concern but the ramifications are growing. During the (New Zealand Defence Industry Association hosted) Information Domain Engagement Acceleration Summit (IDEAS) 2020 last year, the concept of the age of “cy-phy” – the convergence of cyber space with a plethora of devices and data in our physical spaces – was a hot topic.
The scale of the risk potential
Chuck Brooks, writing in Forbes Magazine earlier this year, notes that:
“Cyber-physical systems (OT/IT) and the integrations of millions of devices in our lives has created an IoT cybersecurity challenge for people, business, and governments. As IoT devices store, transmit and process so much essential data every day, they serve as the perfect target for cyber criminals. Each IoT device represents an attack surface that can be an avenue into your data for hackers,” …by 2025, “it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average and that also amounts to trillions of sensors connecting and interacting on these devices.” Continuing apace, “127 new devices connect to the internet every second.”
This combination of reality and risk factors (including your own staff) creates a dilemma for Kiwi businesses, one they need to consider now, in good time before the break.
“Device Decision” Time
I have just started reading an excellent book called Hard Decisions Made Easy by Paul Gordon, CEO of Catalyze APAC. Paul’s P5 decision model from the book provides a very useful framework for making the right Device Decision quickly:
The underpinning principles also all make sense as part of your Device Decision: Process before content; Academic rigour; Active stakeholder participation; and intangible and tangible value.
An informed risk management discussion will include identifying the scale of the problem and the decisions you need to make, and you will need to find answers to questions including:
- How many devices does your business own?
- Where are all the devices located?
- Are employees permitted to use (or do they, as a matter of practice, use) business devices for non-work activity?
- Do your staff need to stay connected with the business and all your precious data over the holiday?
- Does your business require staff/contractors to use their own devices for your work and how do you feel about your data going off on holiday with them?
- Is anyone leaving your employment pre or post holidays, who has devices that need to be retrieved at some time?
- How many of your devices can access (legitimately or otherwise) any of your Operational Technology (OT)?
- How are you going to be managing and considering the wellbeing of your staff in making holiday device management decisions?
- Who should be part of the decision making and who is going to be impacted adversely?
- Do you have budget to go and buy spare basic devices to give to employees to use, so they can leave work devices at work, but still remain connected?
This is not just a business problem
For individuals, many of whom own multiple connected IoT devices, your normal holiday “To Do List” now also needs to include a few new items:
- Count your IoT devices and make a specific security policy around each one: home heating and ventilation, door opening electronic systems, baby webcams, smart fridges and TVs;
- If you have no home device and safety policy, put a simple one in place and make decisions about:
  - Use of public wifi by the family, or banning it and increasing mobile plan capacity;
  - Setting up multi-factor authentication where possible;
  - Removal, for the duration, of all apps on your own device that are there to be used for work;
- Change all your passwords before you go away and install a password vault to keep them safe;
- And… if you are in that position at work… say yes to the CISO’s project funding request for more next-gen firewalls, secure SD-WAN and proper endpoint protection!
The global economy needs shoppers and retailers to shop and sell with confidence
Surfing the sales and online shopping will be on my list for the holiday. New Zealand retailers will be anxiously awaiting the holiday surfers. Reading the recent blogs discussing Black Friday and Cyber Monday risks provides cautionary tales and timely warnings for consumers and retailers alike.
Writing in the Fortinet CISO Collective Blog about retail risks, Courtney Radke says:
“Bottom line, steps need to be taken by retailers to protect their consumers and their brand from harm. Security needs to span the entire digital attack surface and all edges and data must be protected during this season, as retailers face an increasing number of challenges from the traditional to the more advanced. So, while the holidays are a busy and exhausting time in retail, by working smart and maximizing the technology and partnerships you have in place, the season can be safe and successful for everyone.”
“Prepare Now,” said Phil Quade in 2019 as Fortinet’s CISO, “We need to recognise the moment: Cy-phy can either become the next wave that overwhelms already-at-the-limit security teams, or it can become an enabler of increased security and better business practices.”
In the past, we knew to consider whether to send work devices on trips outside Australasia. In 2021, we need to learn that a trip to Akaroa or Airlie Beach could be just as hazardous.
Digital Devices: Will they be the source of pleasure or pain for your business this Christmas holiday?