Who doesn’t love new technology, especially when it promises to make tasks easier and improve productivity? That eagerness to add new technology — something IT staff often encourages security leadership to do — has led to the digital transformation, the use of digital technology to solve problems. Smartphones, tablets and cloud computing have been leading the way in the workplace’s digital makeover, but the growing popularity of the internet of things (IoT) could totally change the look of IT infrastructure.
However, digital transformation isn’t all fun and games for security staff. While security teams may enjoy new technology, it can also add cybersecurity complications, particularly when these technologies share an infrastructure.
The PCI-Compliant Vending Machine
During his keynote address at CPX 360 in February, Jeff Schwartz, vice president of North American engineering at Check Point, told a story of the upgraded break room vending machine. Because fewer people carry paper money or loose change, a company decides to upgrade its snack machine to take credit cards. That’s great news for the employee who wants his or her 3 p.m. chip fix but only uses plastic to pay.
However, as Schwartz pointed out, now that the vending machine accepts credit cards, it must follow payment card industry (PCI) compliance standards. If that gets overlooked, the vending machine could end up costing the company in fines. The vending machine will also be hooked up to the internet so it can process the transactions. Now it is at risk of being hacked. If the vending machine is hacked, it opens a door for threat actors to enter your network.
So, what initially looked like a convenience turned into a security headache. With the growth of the IoT and digital transformation, expect this to become a burgeoning risk vector. As Schwartz told his audience, shared resources and IT infrastructure create more opportunities to lose data.
Increased Reliance on Technology Impacts Risk
Simply put, new technology almost always has an impact on risk. New endpoints offer new potential openings for threat actors to exploit. That’s not saying that we don’t need or want the technology; instead, to better secure networks and data, we need to better understand what’s going on with those new endpoints.
With the IoT, devices, appliances and machinery we never used to give a second thought to are now all connected to the internet — but what do you know about that connectivity? New elevators are now smart elevators, for example, so not only are they adding another endpoint to your network, they are also collecting data.
A device such as an elevator is likely controlled by a third party, meaning that the third party also has access to the network and data. If the building is shared by a dozen companies, you add in a mixture of data and networks. Who is in charge of the security for the elevator? Who is responsible for the data collected and its protection? What do you know about the elevator company’s security practices? Did you even think you had to worry about the elevator?
Be Mindful of Customer Data
Digital transformation is accomplished not just with business efficiency in mind, but also for customer convenience. In fact, your customers want an easier interaction with your company, and that often comes through technologies such as artificial intelligence (AI), machine learning (ML) and the IoT. Customer-facing AI, such as chatbots, can improve customer communications, for example.
“Customer expectations are far exceeding what you can really do,” George Westerman, principal research scientist with the MIT Sloan Initiative on the Digital Economy, told CIO. “That means a fundamental rethinking about what we do with technology in organizations.”
So, yes, customers have high expectations for the technology your company uses to facilitate better consumer relationships. However, thanks to high-profile data breaches and increasing awareness about data privacy regulations, customers also want to make sure their data is safe. In fact, Schwartz noted in his speech that you shouldn’t be surprised if consumers begin to make their purchasing decisions based on the way your company collects, uses and stores customer data.
Are You in Control of Your IT Infrastructure?
This takes us back to shared IT infrastructure. It isn’t a matter of knowing what endpoints are on the network and collecting data, but of how those endpoints have shifted as technology shifts. Having a coffee pot operated by an app is a great convenience for your staff, but how does that impact data gathering? The same goes for that chatbot: It is certainly a convenient and perhaps cost-efficient way to build customer relations, but your security team had better know how the conversations are collected and how the company uses that data, or it could turn into a privacy nightmare.
We are still learning how much information sharing is happening on some infrastructures. For example, a smart TV may be an excellent way for an organization to view sensitive corporate or consumer information (e.g., that of a patient in a hospital room), but at the same time, employees (or that patient) could use that same TV to tune into their Netflix or Hulu account during their lunch break. Suddenly, you have corporate data mingling with personal data. If it turns out that Netflix is the victim of a data breach, that sensitive corporate data is now at risk.
The more common the IoT and other emerging technologies become in the workplace, the more chief information security officers (CISOs), IT leaders and other decision-makers will need to consider the overall impact of every device using that IT infrastructure. It isn’t a matter of what is connected to your network, but how it is connected and whether you are able to control that connection’s security.