A simple search on an Internet search engine for “Internet of Things” (IoT) yields 21,800,000 results. Despite all of the available information on the IoT, do we really understand the implications of the rapid expansion of the IoT?
Source: Business Insider and India Times
There will be between 25 billion and 50 billion connected devices by the year 2020. The benefits created by the rapid advancements of IoT technologies are widely published and focus on how it might make lives easier, removing the need for humans to conduct some remedial tasks. Imagine a world where the following actions happen automatically:
I conducted a workshop on cybersecurity risk assessment for several directors managing application portfolios in a large global financial firm. One of the senior directors who managed the mainframe systems asked me directly, “I manage the mainframe systems that are purely internal. How is cybersecurity even relevant to me?” I was hardly surprised and said silently to myself, “Here we go again.”
Cybersecurity is now a common buzzword, so one would think the meaning should be obvious and globally common. However, it is far from being clearly understood, let alone standardized. The good news is that cybersecurity is perceived as something essential that has a significant impact on business or government. We only need to figure out what exactly it means.
Working with risk assessments and risk management is a challenging job. Everyone has an opinion, and there is no single outcome. Things change over time, and a changing threat landscape will influence the assessment and make it necessary to revisit it.
The area of risk assessments is covered by multiple theories and frameworks, which are no doubt scientifically well-founded but, at the same time, are difficult to make operational in a changing environment. We cannot gather all relevant stakeholders to update assessments quarterly.
What we can do is focus efforts on the critical assets top-down and keep these in mind when vulnerabilities and threats are identified. We can also make ad hoc assessments using the bottom-up methods when involved in projects and when asked to comment on new initiatives.
Many of the problems computer auditors deal with are ethical in nature. Post-contract and post-implementation problems are cases in point. Unfortunately, we are often unaware or ignorant of this aspect of many problems. Consequently, we can reach only a partial solution at best. Such a solution will eventually blow up; then the professional’s future and the company’s reputation and prosperity may be ruined.
Ideally, solutions sought are not only technically efficient, financially viable and legally admissible, but also ethically acceptable, socially desirable and ecologically sustainable. To this end, we need not only the technical know-how (auditing and IT knowledge and skills) and a deep understanding of the common ethical principles (called requisite competence), but also a shift of the conception of risk and a new tool for decision analysis due to the so-called misinterpretation of risk and the flawed education across science and technology (called additive).
It seems like every day there is a new data breach or heist. Hackers break into corporate or government computers and swipe names, addresses, birth dates and those all-important US Social Security numbers. Consider these recent breaches:
My recent Journal article focuses on Windows computers with an emphasis on all nonserver Windows computers. This includes Windows end-user devices, such as workstations, desktops, laptops, hybrids and tablets. Workstations are just as important to the security of an organization as servers. Of course, an insecure workstation only directly impacts one user (in most cases), while a server can impact thousands. But all of the biggest breaches in recent times have started with a compromised workstation, not a server. Even though servers and workstations run essentially the same Windows operating system, securing workstations is very different from securing servers.