“With great risk comes great reward,” is an oft-used adage, originally spoken by Thomas Jefferson. While offered more than a century before computers were even invented, it rings true in our ever-connected world.
The new frontier is the ‘Internet of Things’ and involves more than just connected devices – it comprises the vast integrated systems that the billions of internet-enabled devices make up. An increasing number of products, companies and networks are collecting and sharing data from more individuals and enterprises than ever before, in the name of greater personalisation, ease, insights, and operational efficiency.
But as several recent high-profile data breaches have shown, this ecosystem is far from impenetrable. Following these large-scale attacks on consumers and corporate data, ISACA’s 2014 IT Risk/Reward Barometer set out to explore the mindsets and behaviours of both consumers and IT/business professionals, looking specifically at their awareness, concerns and reactions to issues related to connected devices.
A number of interesting patterns emerged – from the uncertainty among IT professionals to concerns about the possible effects these technologies will have on our workplace. The business and IT implications for enterprises are significant, particularly among the community of professionals whose duty to safeguard the data their organisations collect is now under even more intense scrutiny.
There are many potential benefits to having more seamlessly connected devices. These include more personalised consumer experiences; the ability to draw data from various sources to form a more complete picture of a user’s preferences and needs; added convenience when devices can speak directly to each other without the need for a human mediator; and increased opportunities for collaboration among different software and device-makers.
Enterprises also have the potential to reap numerous rewards from the Internet of Things: greater efficiency, lower costs, improved services, more accurate supply chain management, greater accessibility to information, increased employee productivity, and increased customer satisfaction.
Recently, one specific subset of connected devices has been receiving increased attention: wearables. Consumer technology companies are introducing increasingly accessible and appealing wearable devices, hoping to encourage wider adoption among the masses. These products do not stand alone either.
Connected devices prove their usefulness by functioning within ecosystems. As an example, this could be a health/fitness armband that communicates with your smartphone, which can in turn adjust the temperature in your home, speak to your smart fridge and show notifications on your connected TV!
Within the ISACA research, a desire to realise the benefits of such devices is apparent. But on the flipside, a number of concerns arise that need to be considered when organisations and consumers look to take advantage of the plethora of technology options available today. And these are only set to grow.
BYOD is popular but organisations are not universally prepared
Using a personal mobile phone for work purposes is increasingly the norm – as the recent IT Risk/Reward Barometer shows. Two-thirds of organisations across Australia and New Zealand now allow employees to bring their own device (BYOD) and connect to the company network.
But companies appear to be struggling to keep up. Just over one in ten (12 per cent) Australian and New Zealand organisations do not have a policy around BYOD, opening themselves up to serious business risks. From losing personal devices while at the pub, to stealing a soon-to-be ex-employer’s intellectual property, there are a number of scenarios businesses need to be prepared for. Enterprises need to remember that the insider threat is often more perilous than an attack from the outside.
When asked about the risks of BYOD, the majority of IT professionals in Australasia think the risks and rewards are appropriately balanced (42 per cent); however, a considerable number believe the risk outweighs the potential benefits (26 per cent).
There are a number of factors companies need to review when deciding what path to take, but the key part is education. For example, companies should make sure users understand how to protect their devices, which can be as simple as using strong passwords. It can also involve regular software updates and ensuring a device has been disconnected and wiped of all company-owned information when an employee leaves the company. But at its heart, it involves a detailed plan and an educated workforce.
When it comes to the next stage of BYOD and wearable technology, the results are very telling. More than half (56 per cent) say their BYOD policy does not address wearable tech, and just six per cent say that their organisations are prepared for the rise of wearable tech. This leaves huge gaps in the security arsenal of major organisations and businesses.
Wearables at work
Google Glass shows the future of wearables and where we might be heading; however, there are numerous examples of where wearables are already in use in the workplace or would be considered for use by Australian workers.
When surveying consumers, the ISACA IT Risk/Reward Barometer found that three quarters of men (75 per cent) would consider using a wearable device at their current workplace. However, there is a definite gender split, as a smaller share of women, two-thirds (66 per cent), said they would be willing to use wearable technology.
Almost half of all consumers (45 per cent) would consider using an employee access card and one-third (30 per cent) a wireless fitness tracker, but very few would consider wearing smart glasses, such as Google Glass, in their current workplace (12 per cent).
There is also a level of uncertainty among IT professionals about what wearable technology will mean for their organisation. And this is consistent globally, as the 110-country survey of ISACA members, who are business and IT professionals, shows that few IT departments or workplaces in general are ready for the invasion of wearables.
Locally, one in five (19 per cent) ISACA members in Australia and New Zealand believe having wearables in the workplace will have a positive impact on their organisation, and a similar number believe it will have a negative impact (21 per cent). Likewise, 19 per cent think employees’ use of wearable technology will have no impact – but the largest portion (42 per cent) are unsure of what it will mean for their company.
This can be partly attributed to the lack of information and also the small penetration such devices have in companies. But with the launch of Apple Watch, and a number of new devices on the horizon, it will be an interesting space to watch in the coming year.
IT departments still not ready for the Internet of Things
Another major concern among IT professionals directly links to the Internet of Things and the rise of connected devices. As more items become connected to the internet, from cars to refrigerators and cameras to office swipe cards, the risk that they can be attacked increases. Security measures then need to be considered from all aspects – the device itself and everything else that connects to it.
More than one-third (37 per cent) of members in Australia and New Zealand say their organisation has plans now or expects to create plans in the next 12 months to leverage the Internet of Things.
ISACA members are evenly divided as to whether the benefit of the Internet of Things outweighs the risk for enterprises (35 per cent) or the risk outweighs the benefit (33 per cent), and only 35 per cent describe themselves as very concerned, though 51 per cent are somewhat concerned, about the decreasing level of personal privacy.
There is no doubt that the Internet of Things is here, and we are also likely to see a surge in wearable devices in the workplace. These devices can deliver great value, but they can also bring great risk. Companies should take an ‘embrace and educate’ approach to ensure they receive the benefits but also protect themselves from the risks.
Training needed to bridge the gap
It is imperative to recognise that everyone who has any form of connection, be it customer, vendor, service provider, staff member or investor, has a critical role in helping information stay secure and private. The time to implement holistic risk management is now.
ISACA recently established the Cybersecurity Nexus (CSX) as a resource that enterprises can turn to for security advice. Cybersecurity as a discipline includes the social environment of people, enterprises and related processes. In addition to other types of risk, social risk primarily arises from people and their behaviour, human factors in IT use, and the emergence of change within the overall system.
Therefore, ongoing training of all employees needs to take place and not become just the domain of the IT team. But to raise awareness of threats within an organisation and drive behaviour changes, cybersecurity professionals should also be skilled at speaking the language of business, understanding their employer’s business strategy and organisational structure, and communicating effectively with employees at all levels in the organisation – from the mailroom to the boardroom. Before we know it, these devices will become so prevalent, and the capabilities so commonplace, that they are no longer described as “smart”.
While the benefits of connected devices and wearables are only set to increase, this needs to be balanced with the potential negative impacts. The key is ensuring we prove Jefferson was correct – and that with the risks of increased technology comes a range of great rewards.