Your advice isn't too different than what cybersecurity experts have been saying for years.
That's true. It's just the risk is even greater. Now [hackers] aren't just looking at your individual PC, they're looking at all of your personal property.
It's not necessarily about taking control of your IoT devices, your home heating system, your alarm system?
No. That's been the real mindset change in cybersecurity in the last three to four years. It's no longer about inconvenience. It's no longer DoS attacks that are occurring. It's 100 percent based on financial gain. Everything now is to get your identity, to get financial information, and to steal your identity to get more money. It's a multi-trillion dollar industry today.
What does the IoT mean for corporations, for CIOs and other enterprise security personnel? Do they need to think about how IoT affects their organizations?
It's definitely an enterprise issue, just the same way as BYOD is an enterprise issue. Everybody now is accessing their corporate environment through their consumer systems. I'm going to have my mobile device, my phone, my tablet, my laptop, at my home on my network that can be easily breached. Just like Target was hacked through its HVAC company, somebody else can get into a user's environment and get into corporate data. So absolutely, CIOs need to always look at the weakest link.
What can CIOs do to protect themselves and their organizations?
Proactive segmentation of consumer-based devices from the enterprise network is the primary means. You do that through the implementation of MDM solutions, or MAM, mobile application management, solutions that allow you to create individual partitions on the user's device so that you can segment your applications and data and network access, to allow only authorized segments of the consumer mobile solution. Development of VPN configurations, tightening down, and rather than concentrating on perimeter security, concentrate on application security. A more application-centric approach, application firewalls, application scanning.
Does it fall on CIOs and IT to educate users about the risk of these new IoT and connected home devices?
Yes. The number one proactive means of securing any type of environment is through user training and education. Not only what to do, but why to do it, so they understand the risk.
A lot of these things, again, really apply to mobile device security in general. They're not necessarily specific to IoT. It doesn't sound like a company that is already security conscious really needs to do anything different to address IoT.
That's correct. The problem is the threat footprint just continues to grow. I can no longer concentrate on the users' individual cell phones. I have to concentrate on phones, tablets, PCs, their Wi-Fi network at home, their firewall at home, on their consumer-grade controllers, these "Internetable" devices.