The so-called “internet of things” provides tremendous opportunities for customer convenience and satisfaction that can lead to transformative growth for tech-savvy businesses.
But the heightened risk associated with web-connected products demands risk management that’s carefully designed and carried out, according to a new report, Internet of Things: Risk and Value Considerations, by global IT trade association ISACA.
“Connected devices are everywhere—from obvious ones, like smart watches and internet-enabled cars, to ones most people may not even be aware of, such as smoke detectors,” Robert Stroud, international president of ISACA, said in a news release. “Often, organizations can be using [internet-of-things technology] without even realizing it—which means their risk management stakeholders are not involved and potential attack vectors are going unmonitored.”
“Internet of things” is a term describing any objects that contain networking and computing elements and communicate with other objects over a network. Consumer-use devices that fit this definition include:
- Wearable devices that track wearers’ physical activity.
- Automobiles with computerized navigation, accident prevention, and fuel-efficiency features.
- Biomedical devices such as pacemakers and insulin pumps that can communicate with one another and the outside world.
Industrial devices containing internet-of-things technology may include retail point-of-sale systems, manufacturing industrial control systems, and product-tracking systems that integrate with enterprise resource planning systems.
The industrial uses of internet-of-things technology can lead to significant efficiency improvements, and consumer-focused internet-of-things devices can provide many convenient and helpful features. But the risks can be daunting.
The potential may exist for hackers to interfere with the operations of vehicles, harass children through electronic baby monitors, and even disrupt monitoring systems in airplanes.
With these risks in mind, ISACA’s report says organizations should consider the following questions when considering deploying internet-of-things technology:
- How will the device be used from a business perspective, and what business value is expected?
- What threats are anticipated, and how will they be mitigated?
- Who will have access to the device, and how will their identities be established and proven?
- What is the process for updating the device in the event of an attack or vulnerability?
- Who is responsible for monitoring new attacks or vulnerabilities pertaining to the device?
- Have risk scenarios been evaluated and compared to anticipated business value?
- What personal information is collected, stored, and/or processed by the internet-of-things device?
- Do the individuals whose information is being collected know that it is being collected, and have they given consent?
- With whom will the data be shared?
Holistic management would take into account both the possible value the technology could create and the possible new risks introduced. And it’s important to consider these areas before adopting this technology, according to the report.
—Ken Tysiac ( ktysiac@aicpa.org ) is a JofA editorial director.
