Yes, these are really things to consider, and the risk depends entirely on how they are connected to the internet and/or your network… And these are only a subset of connected devices to consider.
Every day we see new and helpful devices replacing older tools. They help us enjoy a simpler and more connected world. While we understand the risk of connecting a browser to the Internet without protection, we rarely consider the devices on our networks that appear to be isolated, dismissing them as insignificant.
Even seemingly benign tools such as air conditioning, displays and CCTV can access the network. Most of these tools fall into the category of OT (Operational Technology) and need to be protected. Whilst advice on OT can be confusing, many now acknowledge this as a potential back door that needs to be taken seriously.
As with shadow IT, people often add connected devices to the network without communicating the change, and in most cases they are connected via Wi-Fi. A simple example would be a Google Alexa device on a desk or in a meeting room.
In doing nothing to secure these devices, businesses risk damaging the trust of their customers, staff and stakeholders. These risks need to be balanced with the challenges of limited budgets, diverse competition and the need to meet regulatory compliance.
One good step forward is to assess your cybersecurity capability as it stands today to see if you meet your compliance requirements and can identify and prioritise any gaps before you invest.
You can then make informed decisions and implement the right measures to mitigate the impact of a cyber event. This also helps identify other possible risks that could impact your organisation; this may be as simple as a hardware failure.
Why consider OT as a part of your cybersecurity strategy?
The evolving threat landscape: Extortion engineers are focused on monetising their actions. They exploit new vulnerabilities that arise as software becomes more complex, creating undocumented gaps.
Protect data: As we move to the cloud, data resides outside of your control and the concentration of data in the cloud makes it a significant target.
Visibility: In most cases breaches are not seen until payment is requested, which can have significant implications for the impacted organisation.
Compliance: Many industries have defined regulations for data protection and privacy. Compliance is essential, as penalties can be severe and can impact your brand, customers' trust and stakeholders/investors.
Post-COVID, many organisations face tighter budgets. This can mean a reduction in cybersecurity investment and can drive the following risks.
Lack of expertise and resources: Limited internal staff with cybersecurity experience to address the many entry points into your business.
Budget limitations: The share of funds allocated to cybersecurity tools and training competes with other business priorities for budget.
Lack of integration and automation: Traditional cybersecurity tools may not see the new threats or allow for automation to ward off cyberattacks.
What does a risk assessment do for me?
Risk assessments identify and evaluate what could impact your data, users, assets and services. They can also quantify risks so you can prioritise corrective actions. The key components are:
- How you connect and communicate: What can be targeted
- Identifying risk: Quantify your risks
- Identify gaps: Identify what could be exploited
- Impact assessment: What could happen
- Prioritise remediations: Rate your exposure so you focus on the real problems
- Remediation options: What can be done
- Compensatory exposure: What is at risk but cannot be dealt with
- Human factor: How to engage your people to further reduce your risk
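The two practical points above, that devices are added to the network without anyone being told, and that a risk assessment should turn "what is connected" into a prioritised list, can be combined into one small check. The following is an added example, not code from the original article or from any vendor it mentions: it reconciles DHCP leases against an approved asset inventory to surface shadow devices, then ranks every connected device in a simple likelihood-times-impact register. Known OT devices that cannot be patched are carried as "accepted" risk, which is the compensatory exposure the list above refers to. The lease-file layout (dnsmasq style), the inventory, the hostname heuristics and the scoring weights are all assumptions; the log lines are constructed.

```python
"""Reconcile DHCP leases with an asset inventory to find shadow devices,
then rank all connected devices as a simple risk register.

Added example, not from the original article. The lease layout, the
inventory, the hostname heuristics and the 1-5 scoring weights are
assumptions chosen for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample leases in dnsmasq lease-file layout (assumed):
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
DHCP_LEASES = """\
1700003600 aa:bb:cc:11:22:33 192.168.1.20 finance-laptop-01 *
1700003600 dd:ee:ff:44:55:66 192.168.1.31 hvac-ctrl-east *
1700003600 12:34:56:78:9a:bc 192.168.1.57 echo-meetingroom *
1700003600 ab:cd:ef:01:23:45 192.168.1.80 * *
"""

# Approved inventory (constructed): MAC -> (owner, asset class)
INVENTORY = {
    "aa:bb:cc:11:22:33": ("IT", "workstation"),
    "dd:ee:ff:44:55:66": ("Facilities", "ot-hvac"),
}

LEASE_RE = re.compile(r"^\d+\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+\S+$", re.I)

# Hostname keyword -> asset class, a heuristic for devices nobody registered
CLASS_HINTS = [
    (("hvac", "aircon"), "ot-hvac"),
    (("cam", "cctv", "nvr"), "ot-cctv"),
    (("echo", "alexa", "google", "nest"), "iot-voice-assistant"),
    (("display", "signage", "tv"), "iot-display"),
]

# Impact weight per asset class, 1 (low) to 5 (high); assumed values
IMPACT = {"ot-hvac": 5, "ot-cctv": 5, "iot-voice-assistant": 3,
          "iot-display": 2, "unidentified": 4, "workstation": 3}


@dataclass
class Entry:
    mac: str
    ip: str
    hostname: str
    asset_class: str
    status: str        # "managed", "accepted" (known OT, risk carried) or "unknown"
    likelihood: int    # 1-5
    impact: int        # 1-5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def parse_leases(text: str) -> list[tuple[str, str, str]]:
    """Return (mac, ip, hostname) for each well-formed lease line; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            rows.append((m.group(1).lower(), m.group(2), m.group(3)))
    return rows


def classify(hostname: str) -> str:
    """Guess an asset class from the hostname; '*' or no match -> unidentified."""
    h = hostname.lower()
    for keys, cls in CLASS_HINTS:
        if any(k in h for k in keys):
            return cls
    return "unidentified"


def build_register(lease_text: str, inventory: dict) -> list[Entry]:
    """Every active lease becomes a register entry, highest score first."""
    register = []
    for mac, ip, host in parse_leases(lease_text):
        if mac in inventory:
            _, cls = inventory[mac]
            # Known OT gear usually cannot be patched: carry it as accepted risk
            status = "accepted" if cls.startswith("ot-") else "managed"
            likelihood = 3 if status == "accepted" else 1
        else:
            cls = classify(host)
            status = "unknown"
            likelihood = 4  # nobody owns, patches or monitors it
        register.append(Entry(mac, ip, host, cls, status, likelihood, IMPACT.get(cls, 3)))
    return sorted(register, key=lambda e: e.score, reverse=True)


def unknown_devices(register: list[Entry]) -> list[Entry]:
    """The shadow devices: leases with no inventory record."""
    return [e for e in register if e.status == "unknown"]


if __name__ == "__main__":
    for e in build_register(DHCP_LEASES, INVENTORY):
        print(f"{e.score:>3} {e.status:<8} {e.asset_class:<20} {e.ip:<14} {e.hostname}")
```

Run against the constructed sample, the unnamed lease on 192.168.1.80 ranks first (unknown and unidentified), the inventoried HVAC controller ranks second even though it is known, because its impact is high and the risk is only accepted rather than removed, and the voice assistant in the meeting room comes next. In practice the lease text would come from your DHCP server or a switch's MAC table, and the inventory from your asset register; the heuristics are the part to tune to your estate.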