The Internet of Things (IoT) is forecast to become a major security risk in 2014 as more products that connect online emerge, according to a predictions report by the Information Security Forum (ISF).
ISF global vice-president, Steve Durbin, said that the rise of technology, which encompasses the diverse collection of non-PC, non-server objects that connect to the Internet, is releasing a “new surge” of opportunities for data gathering, predictive analytics and IT automation.
However, this also means that devices such as smart TVs could act as new attack vectors.
According to Durbin, it should be up to vendors to set security standards for the IoT.
“The security threats are potentially devastating so organisations must ensure that technology for both consumers and companies adhere to high standards of safety and security,” he said.
“As we move into 2014, attacks will continue to become more innovative and sophisticated. Businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected, high impact security events.”
Turning to cloud computing, Durbin said that enterprises should “get to grips” with the information security implications before placing data in the cloud.
“All organisations must know whether the data they are holding about an individual is Personally Identifiable Information [PII] and needs protection,” Durbin said.
He warned that different countries’ regulations impose different requirements on whether PII can be transferred across borders.
“Some have no additional requirements while others have detailed regulations. In order to determine what cross-border transfers will occur with a cloud-based system, an organisation needs to determine whether the information will be stored and processed.”
Continuing on the subject of personal information, Durbin said that most governments around the world have created regulations that impose conditions on the use of PII with penalties for organisations that fail to protect it.
Australian Privacy Commissioner, Timothy Pilgrim, is set to get a range ofnew powers in March 2014 when the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 comes into effect.
Under the Bill, which was passed by Parliament in November 2012, Pilgrim will be able to seek civil penalties of up to $340,000 for individuals or up to $1.7 million for companies in the case of a serious breach of privacy.
“Organisations need to treat privacy as both a compliance and business risk issue in order to reduce commercial impacts such as reputational damage due to privacy breaches,” said Durbin.
According to the ISF, the Internet is now a “hunting ground” for criminals, activists and terrorists motivated to make money or bring down government websites through online attacks.
An Indonesian based hacker claimed responsibility for attacking the Australian Federal Police’s website in November. The attack was reportedly a response to media reports that Australian spies tried to listen to the calls of Indonesian president Susilo Bambang Yudhoyono, his wife and senior ministers during 2009.
“Cybercrime, along with the increase in hacktivism, coupled with regulatory requirements can all combine to create the perfect threat storm,” Durbin said.
“Organisations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimising the impact of the unforeseen.”
Bring your own security risk
The ISF has forecast bring your own device (BYOD) as a continuing threat for next year. According to Durbin, this is because risks stem from mismanagement of the smartphone or tablet, external manipulation of software vulnerabilities and the deployment of poorly tested business applications. “If the BYOD risks are too high for your organisation today, stay abreast of developments,” he said.
“If the risks are acceptable, ensure your BYOD program is in place and well structured.”
Durbin warned that if business information is stored unprotected on personal devices, it could result in a company facing accidental disclosures if the device is lost or stolen.