Internet of Things - mitigating the Human Cyber Risk

10 February 2020

As both recent media coverage and our own experience reveals, the number of successful cyber-attacks on organisations is not decreasing. Generally, within the financial services sector, the intended consequence of a cyber-attack is to directly or indirectly extract money from the organisation. A successful Cyber Attack has been a contributory factor to large fines imposed under the GDPR, and industry regulators continue to raise the bar on expectations on how cyber risk is managed. The pressure to maintain an effective Cyber Security posture has never been higher.

The Internet of Things (IoT), which is a talking point everywhere, presents itself as the next frontier of risk for business and the domestic market. Symantec estimates device adoption will increase rapidly from 10 billion devices in 2017 to over 26 billion devices by the end of 2020.

Devices such as automotive telematics, smart home networks and health monitors can transfer huge volumes of data to their providers or third parties - whether for real-time analysis or to automatically trigger response - and have already disrupted traditional insurance business models in terms of how risk is underwritten and priced, providing ongoing opportunity for new insurance models with associated competitive advantage. This disruption is only likely to increase.

The risks associated with IoT devices is well understood amongst Cyber professionals, but not necessarily amongst consumers. Issues range from poor access controls to security related software vulnerabilities that provide unauthorised access to sensitive controls and data. Given that these devices find themselves pivoting between business and domestic markets, the risk exposure to the customer can also be transferred to the business environment. Given the expected dramatic increase in IoT devices, we can also expect an increase in the number of cyber-attacks on IoT connected devices, with the most concerning attacks being on IoT connected medical devices.

It is not all hopeless, as we are seeing organisations improve their overall cyber posture through the implementation of Security Operating Centres, which provide sophisticated security incident and event management coupled with detailed incident response.  It is key to be mindful that the risk landscape constantly changes, and cyber attackers will attempt to stay ahead. They will continue to seek methods to bypass the controls we implement and one component that will never change is that they will always look to target the human element of the control.

As controls become stronger, it is essential to focus on the human element of the risk, whether it be lack of awareness within the workforce or opportunities for hackers to engage willing employees in malicious attacks.

There is no doubt that investing in training and mentoring resources aids in helping to create an effective cyber defence.  Research shows us that over 40% of cyber vulnerabilities are directly linked to employee behaviour and therefore it is critical that organisations put more focus on training their employees. This can be achieved via cybersecurity awareness, education and training. Time and time again, we are reminded that actual simulation training enables the employee to better protect their vital digital assets.

A consistent message, often ignored, is to therefore establish and maintain a culture of employee cyber threat awareness and to invest in the human aspect of cyber security. It’s an investment worth making and will make a significant contribution to an organisation’s cyber risk mitigation strategy.

 If you have any questions, please do not hesitate to contact  Steve Dellow.