Reflections on information security for homes and businesses during Cybersecurity Month (and every month)
I recently bought a new freezer.
My family and I live on a gentleman’s farm, and after sharing with friends and family, we still often have surplus milk, eggs and vegetables that we freeze in the summer to enjoy later in the winter. Now, this isn’t just any freezer – it’s a “smart” freezer, allowing me to digitally track its contents and receive notifications when temperatures get too high or too low, even when I’m away on vacation. But to do so, it has to be connected to the internet, placing it in a category called the Internet of Things (IoT), meaning it is one of 11 billion devices (not counting computers or phones) wirelessly connected to the internet all over the world today.
Smart vs. secure
Smart devices don’t stop at freezers – light bulbs, lamps, picture frames, and other home and business equipment are getting connected. By 2020, the number of connected devices is projected to jump to 200 billion – roughly 26 connected devices per person. These are great innovations, right?
For the most part. See, I understand the risks inherent in connecting my freezer (and its temperature data) to my home network via the internet. Even with the right information security protocols in place at my home (like complex passwords, secure connections, firewalls, and so on), I understand there is some degree of risk of that information being stolen. I don’t like it, but I am OK with it because the data isn’t critical, I have safeguards, and I know what to do if it happens.
Today, the benefits of innovations are at odds with security. The internet was designed to share information, not protect it. Its fundamental infrastructure was built for researchers at colleges and universities around the world to communicate and provide access to data. While significant improvements have happened over the last 20 years in security, so have new opportunities for hackers or other bad actors to take advantage of it. The billions of connected things are often connected to other things, including critical data belonging to people and businesses that don’t know how to manage them, thwart threats, or identify the inherent vulnerabilities that exist when technology moves at the speed it does today. One login to an unsecured network (think of the free, unsecured internet access you use at your favorite coffee shop, for example) could give a smart and motivated person with basic tech skills access to your cell phone and everything connected to it: bank accounts, saved passwords, social media platforms, documents stored in the cloud, your baby monitor, and yes, even my new freezer.
Scarier than Halloween?
October is Cybersecurity Month, a fun coincidence given that the spookiest holiday of the year falls in the same month. It is a fitting theme for the terror that can come from an information security breach. Many businesses never recover from a data security breach due to the expense and hit to their reputations. You want to have someone who knows this topic inside and out handling this for your company. It’s a full-time effort, and typically out of the comfort zone of a company’s IT department, which is where this task usually falls.
How can you protect yourself from virtual tricksters who would like nothing more than to help themselves to your data-filled treat dish? By implementing a Managed Information Security Program (MISP). It’s not a product or a single piece of software. It is an overarching, continuous set of processes, checks, and balances that addresses each aspect of how you and your company collect, store, protect and share data that has value to you or your clients. Being proactive is a lot less expensive, less stressful, and less scary than a cybersecurity nightmare.
Jason Golden is chief information security officer at Mainstay Technologies, an IT and Cybersecurity firm that serves businesses throughout northern New England.