While cyber security needs round-the-clock consideration, the process of mitigating risk should not be onerous, but rather positive. These risk assessments are about being prepared to meet the challenges as they happen, rather than having to take remedial action later down the line.
Matthew Margetts, Director of Sales and Marketing at IoT company Smarter Technologies, explains the importance of IoT risk assessments.
The Internet of Things (IoT) is a phrase that communicates the positive power of technology in the home or workplace, and the ability to take control to direct an outcome remotely. From switching heating controls to flushing toilets and replenishing items, the IoT automates, optimises, and controls both simple and complex day-to-day tasks.
But what if the control is hijacked by someone unknown, operating at a distance with a dark motive?
Matthew said, “As a manufacturer of remote monitoring and control equipment, I was recently asked about security to prevent third-party attacks along with the security audits we support and sponsor. At this point, it must be noted that we use a radio spectrum that is not truly the ‘Internet of Things’, but we are lumped into that category. But the principle of security is the same: one must undertake a risk assessment on any equipment being introduced.”
At a minimum, a risk assessment should cover:
In 99 per cent of cases, the risk is minimal as the data flow is linear, heavily encrypted, backed up, and the monitors do not affect the operation of the underlying equipment.
Where a device can take control, such as in an auto flush system or entry door control mechanism, the operational software and device firmware clearly need to be understood and, at minimum, meet UK standards. Further, the operational protocols need to include provisions for equipment malfunction: how a fault is captured and how it is remedied. If people get locked in a revolving door, for example, you need definitive, easily accessible information on how to get them out.
Matthew added, “IoT risk assessments are not onerous. I believe that conducting a risk assessment allows the client to look at the operations of a property or unit independently of the IT piece. This presents an opportunity to consider separate systems and outcomes. Importantly, the client considers how they act on the data they are capturing, ensuring that the patterns that are revealed are understood and that the associated benefits can be harnessed across the organisation.”
Cyber security is a 24/7 consideration, but the process of mitigating risk should be a positive experience. It is about being prepared and ready to meet the challenges rather than having to take remedial action.