One of the emerging cyber risks is the Internet of Things or IoT, a network of physical objects embedded with sensory devices and connectivity. IoT devices include home alarm systems, medical devices, cameras, cell phones, vehicles, smart cities, buildings, running shoes, refrigerators and even ovens. By 2020, it is expected that over 50 billion connected devices will exist.
IoT devices impact society in a meaningful way. Smart homes and offices can save energy costs by controlling the electricity or temperature when one is away from home or work, and they can offer better security by constant surveillance and taking proactive action in case of a security breach. Smart health devices can improve health care by monitoring patients and remotely administering medication to them, and smart automobiles can request assistance if required or assist in monitoring vehicle speed based on traffic.
Some of the challenges with the IoT include companies that want to get their product out in the market first without necessarily including the best security practices in their products, and patching issues.
Security Risks include unsecured entry points and misuse of personal information and facilitating attacks on other systems. A good example of this is the Dyn cyberattack which took place on October 21, 2016. It involved multiple distributed denial of service attacks targeting DNS provider Dyn. The distributed denial of service attacks were executed through a large number of connected devices such as printers, IP cameras and baby monitors that were infected with malware. Some of the services affected by this attack included Amazon, Airbnb, Grubhub, HBO, Netflix, Overstock.com, PayPal, Twitter, Visa and Walgreens.
Hospitals are one of the most vulnerable business sectors to cyberattacks by way of IoT medical devices. Medical devices and implanted medical devices including cardiac pacemakers, drug administration devices, monitoring devices, as well as infusion pumps, defibrillators and glucometers can have severe effects on health if tampered with by hackers. This is especially troublesome since the method of delivery or monitoring is by a connected device. The risk of cyberattacks is that they can disrupt a functioning hospital by destroying an entire information technology system leaving devastating results to patients.
California recently became the first state with an Internet of Things cybersecurity law. As of January 1st, 2020, any manufacturer of a device that connects to the internet must equip it with reasonable security features designed to prevent unauthorized access. The good news is that the term “connected devices” is broadly defined to include mostly everything connected to the Internet. The not-so-good news is that “reasonable security” is vague and could lead to manufacturers implementing weak security features if it costs less. In any case it is better to have a law than none at all. Also, even though the legislation covers only the state of California, its effects will likely reach much further because of the software used for IoT devices.
Once California forces minimum security standards on IoT devices, manufacturers will have to rewrite their software to comply with these standards. At that point, other manufacturers will likely implement the same software in their devices because it would be easier to maintain one secure version than having one for California and another one for everywhere else.
IoT devices will continue to evolve and impact our daily lives. These devices benefit society and make it safer but more regulation is needed to prevent hackers especially with billions and billions of connected devices.
She is conversant in various state and federal security and privacy laws and regulations including the HIPAA, PCI DSS, GLBA and GDPR. In her capacity as a senior analyst, she has handled several claims involving news worthy data breaches and is familiar with issues involving cyber liability insurance coverage. She has presented on topics of cyber risk and data security.
Georgea believes in a multidisciplinary approach coordinating with trusted industry experts to respond quickly to the various legal, technical and public relations challenges presented by a data breach. She brings a strong sense of teamwork, innovation and dedication to her clients. With a forward-thinking and strategic approach, Georgea advocates tirelessly to reduce liability and achieve the best possible outcome.