The last decade has seen unprecedented development of the Internet of Things (IoT) landscape, enabled by new distributed network technologies. McKinsey estimates that by 2025, the world will own 50 billion networked devices, up 400% from 2010, and contributing US$11 trillion (€10 trillion) to economies.
While this proliferation of IoT devices in recent years has created exciting opportunities for businesses, governments and individual consumers, it has created new risks which require mitigation. With such rapid development and implementation of IoT technologies, threats and attacks are a clear concern for individuals as well as organisations globally.
Andrea Gaglione, IoT expert and technology lead at Brit Insurance, examines the potential risks of IoT and his colleague, cyber underwriter Ben Maidment identifies the steps that users, developers and insurers can take to protect themselves from these.
What are the risks?
Crucially, the understanding of the risks and potential cyber vulnerabilities associated with IoT is still evolving – and in order to implement mitigation measures and solutions, these potential risks must be identified. Unfortunately, in many cases, it is increasingly becoming clear that these weak points are only identified after a breach or cyber-attack has taken place.
- Data loss
Security and cyber threats grow exponentially according to the size of the potential ‘attack surface’ and network entry points, something IoT systems therefore are particularly susceptible to. Recent data shows that 26.66 billion IoT devices were active in 2019 and 127 new devices are being connected to the internet every second.
As this scales up, the key challenge is the management and protection of all the data that IoT devices capture, use and transmit, especially in light of recent high-profile data breaches and the punitive fines associated with GDPR (General Data Protection Rules) regulation. A primary concern, as with most cyber risks, is the loss or compromise of data, especially customer and personal data. Examples of IoT devices collecting large amounts of personal data which may be particularly vulnerable include smart wearables which monitor, collect and transmit health data.
- Business disruption and interruption
As supply chains and business processes become more reliant on networked devices to achieve greater efficiency, companies are more at risk of attack. Significant business interruption, through devices being taken offline by a hack can result in a significant loss in revenue in the short term, as well as reputation and trust in the longer term.
In addition to exploiting IoT device vulnerability to enter a network, bad actors can also utilise a series of unsecured IoT devices to divert data and launch Distributed Denial of Service (DDoS) attacks. In 2016, bad actors compromised more than 25,000 digital video recorders and CCTV cameras, diverting their data in order to launch a DDoS attack that brought down the servers of Dyn, a major US DNS provider, which triggered internet outages in the US and Europe bringing down high-profile websites such as Twitter, Netflix, GitHub, and Reddit.
- Cyber physical
Finally, an emerging risk of IoT (and indeed cyber more broadly) is that of cyber physical, whereby a cyber-attack can result in physical damage. This can range from networked medical devices such as pacemakers, to self-driving cars or expensive industrial processes. A malicious hack of these devices, taking control of these activities could lead to costly and potentially physical damage or danger to life. For example, last year the US Food and Drug Administration issued an alert warning that some insulin pumps are vulnerable to hackers, who could remotely gain access to and potentially change the pump’s settings.
How can we mitigate the risk?
- Security & privacy by design
So far, for IoT manufacturers there has been a perceived compromise between the speed of bringing a product to market and the robustness and security of the system. As we have seen with the first wave of IoT, security wasn’t considered a priority requirement, however, we have seen a growing focus on privacy following high profile data breaches and new data regulation.
In our view, security should be paramount in the design of new IoT devices, and continuous measures must be put in place to maintain and improve the security of both new and existing devices.
- Best practice cyber security
Users themselves, whether individuals, companies or the public sector have a responsibility to adopt best practice when it comes to cyber perils, and awareness and education is critical. Organisations need to balance the desire for the connectivity and efficiency that IoT technologies offer, with the risks that such connectivity creates, particularly given the lack of emphasis on security in the development of such products.
In the same way as they would manage a traditional operating system, individuals should play an active role in shaping company policy on IoT and be responsible and up to date on the threats facing their businesses. Many of these measures have become second nature in traditional IT but are slowly being adopted and considered when considering IoT devices.
Simple steps that users can take to reduce risk (and limit liability in the event of a cyber incident) include: using strong passwords and security keys, updated regularly; monitoring devices and systems to detect and respond to security events, and; continuously updating security of devices with the download of software patches from the manufacturers.
What solutions does insurance provide?
Insurers have a crucial role in mitigating these risks through educating companies to minimise the risks and provide financial and other support should IoT devices be compromised and result in business interruption, physical damage or the theft of data.
Cyber insurance policies can cover the first-party and third-party financial and reputational costs if data or systems have been stolen, damaged or compromised. First party cover includes the cost of investigating and recovering from a cybercrime, from loss of income incurred by a business interruption, reputational rehabilitation and management to extortion payments paid to hackers. Third-party coverage includes damages and settlements, and the cost of legally defending yourself against fines resulting from a breach.
The best forms of cyber insurance are not just a product, but a service which helps to move companies further along the path to compliance and minimise their exposure to risk. An increasing number of insurers – including Brit – offer a number of pre-cyber incident services as part of their policies: clients can have access to online portals which include procedures and plans which can be implemented to lower risks, incident response planning material and check lists for readiness.
The authors are Andrea Gaglione, technology lead and Ben Maidment, cyber class underwriter at Brit Insurance.