March 29, 2019 By Sue Poremba

Who doesn’t love new technology, especially when it promises to make tasks easier and improve productivity? That eagerness to add new technology, something IT staff often encourage security leadership to do, has led to the digital transformation: the use of digital technology to solve problems. Smartphones, tablets and cloud computing have been leading the way in the workplace’s digital makeover, but the growing popularity of the internet of things (IoT) could totally change the look of IT infrastructure.

However, digital transformation isn’t all fun and games for security staff. While security teams may enjoy new technology, it can also add cybersecurity complications, particularly when these technologies share an infrastructure.

The PCI-Compliant Vending Machine

During his keynote address at CPX 360 in February, Jeff Schwartz, vice president of North American engineering at Check Point, told a story of the upgraded break room vending machine. Because fewer people carry paper money or loose change, a company decides to upgrade its snack machine to take credit cards. That’s great news for the employee who wants his or her 3 p.m. chip fix but only uses plastic to pay.

However, as Schwartz pointed out, now that the vending machine accepts credit cards, it must follow payment card industry (PCI) compliance standards. If that gets overlooked, the vending machine could end up costing the company in fines. The vending machine will also be hooked up to the internet so it can process the transactions. Now it is at risk of being hacked. If the vending machine is hacked, it opens a door for threat actors to enter your network.

So, what initially looked like a convenience turned into a security headache. With the growth of the IoT and digital transformation, expect this to become a burgeoning risk vector. As Schwartz told his audience, shared resources and IT infrastructure create more opportunities to lose data.

Increased Reliance on Technology Impacts Risk

Simply put, new technology almost always has an impact on risk. New endpoints offer new potential openings for threat actors to exploit. That’s not saying that we don’t need or want the technology; instead, to better secure networks and data, we need to better understand what’s going on with those new endpoints.

With the IoT, devices, appliances and machinery that we never used to give a second thought to are now all connected to the internet. But what do you know about that connectivity? New elevators are now smart elevators, for example, so not only are they adding another endpoint to your network, they are also collecting data.

A device such as an elevator is likely controlled by a third party, meaning that the third party also has access to the network and data. If the building is shared by a dozen companies, you add in a mixture of data and networks. Who is in charge of the security for the elevator? Who is responsible for the data collected and its protection? What do you know about the elevator company’s security practices? Did you even think you had to worry about the elevator?

Be Mindful of Customer Data

Digital transformation is accomplished not just with business efficiency in mind, but also for customer convenience. In fact, your customers want an easier interaction with your company, and that often comes through technologies such as artificial intelligence (AI), machine learning (ML) and the IoT. Customer-facing AI, such as chatbots, can improve customer communications, for example.

“Customer expectations are far exceeding what you can really do,” George Westerman, principal research scientist with the MIT Sloan Initiative on the Digital Economy, told CIO. “That means a fundamental rethinking about what we do with technology in organizations.”

So, yes, customers have high expectations for the technology your company uses to facilitate better consumer relationships. However, thanks to high-profile data breaches and increasing awareness about data privacy regulations, customers also want to make sure their data is safe. In fact, Schwartz noted in his speech that you shouldn’t be surprised if consumers begin to make their purchasing decisions based on the way your company collects, uses and stores customer data.

Are You in Control of Your IT Infrastructure?

This takes us back to shared IT infrastructure. It isn’t a matter of knowing what endpoints are on the network and collecting data, but of how those endpoints have shifted as technology shifts. Having a coffee pot operated by an app is a great convenience for your staff, but how does that impact data gathering? The same goes for that chatbot: It is certainly a convenient and perhaps cost-efficient way to build customer relations, but your security team had better know how the conversations are collected and how the company uses that data, or it could turn into a privacy nightmare.

We are still learning how much information sharing is happening on some infrastructures. For example, a smart TV may be an excellent way for an organization to view sensitive corporate or consumer (e.g., a patient in a hospital room) information, but at the same time, employees (or that patient) could use that same TV to tune into their Netflix or Hulu account during their lunch break. Suddenly, you have corporate data mingling with personal data. If it turns out that Netflix is the victim of a data breach, that sensitive corporate data is now at risk.

The more common the IoT and other emerging technologies become in the workplace, the more chief information security officers (CISOs), IT leaders and other decision-makers will need to consider the overall impact of every device using that IT infrastructure. It isn’t a matter of what is connected to your network, but how it is connected and whether you are able to control that connection’s security.
