CIOs need to change their security approach in order to keep up with today's evolving cyber security risks, especially with the advent of the Internet of Things (IoT), asserted Mikko Hypponen, Chief Research Officer for F-Secure.
"Since more devices get connected to the Internet, CIOs need to expand the range of devices they need to monitor and secure. Besides worrying about updating and patching computers and servers, they have to do the same for 'smart' fixtures such as smart lightbulbs and air conditioners."
More time and effort are also required to protect connected devices as they are usually not built with security in mind. Hypponen said: "Security is not a main feature or the selling point for IoT devices made by non-IT companies - for example, a smart TV by a TV vendor will focus on the size of the TV and its resolution instead of virtual private network or safe storage features. Hence, such vendors will be less likely to invest in things like security to offer connected devices to consumers at an affordable price. Moreover, you can't secure IoT devices the same way as traditional computers - for example, you can't run antivirus software on a connected toaster - so CIOs will need to think differently about securing those devices."
To overcome this problem, Hypponen advised CIOs to first have a backup strategy to ensure that their systems are always available and that data can be recovered if needed. Thereafter, CIOs should ensure that IT systems across the organisation are constantly updated and (software) vulnerabilities are patched.
Only when these two steps are in order should CIOs think about what security solutions to deploy. "There's a wide range of systems starting from traditional antivirus and spam, going all the way to intrusion detection and advanced APT solutions. So CIOs have to balance their investment in security with their threat model. Since there is no one-size-fits-all threat model, CIOs need to think of what data is valuable to their company and who will be after that data. This will help them channel their [security] investment to the right place," said Hypponen.
However, CIOs need to understand that there are always loopholes in security. "There's no 100 percent security in anything as systems are built by people and people make mistakes. Hence, end users should be educated on the risks posed by IoT devices and how they can help mitigate those risks."
"For instance, IT teams could educate end users on how hackers could exploit a software vulnerability in connected devices such as smart lightbulbs to steal the office's Wi-Fi password to enter the corporate network. End users should also be encouraged to encrypt their data so that outsiders/hackers can't access that data even if they were to get their hands on it."