Internet of Things Toolkit for Small and Medium Businesses

Similar documents
HIPAA Security and Privacy Policies & Procedures

A company built on security

NEN The Education Network

Nine Steps to Smart Security for Small Businesses

Information Security Policy

Information Security Controls Policy

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Cyber Security Program

External Supplier Control Obligations. Cyber Security

SECURITY & PRIVACY DOCUMENTATION

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Guide to Network Defense and Countermeasures Second Edition. Chapter 2 Security Policy Design: Risk Analysis

Keys to a more secure data environment

A practical guide to IT security

The Common Controls Framework BY ADOBE

Technology Security Failures Common security parameters neglected. Presented by: Tod Ferran

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Critical Information Infrastructure Protection Law

Cyber Risks in the Boardroom Conference

Manchester Metropolitan University Information Security Strategy

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Information Security Controls Policy

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Policy and Procedure: SDM Guidance for HIPAA Business Associates

CYBERSECURITY IN THE INDUSTRIAL INTERNET OF THINGS

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

mhealth SECURITY: STATS AND SOLUTIONS

Cybersecurity Checklist Business Action Items

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

ICT Security Policy. ~ 1 od 21 ~

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Information Technology General Control Review

Information Security in Corporation

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

HELPFUL TIPS: MOBILE DEVICE SECURITY

HIPAA Compliance Checklist

Apex Information Security Policy

Why you should adopt the NIST Cybersecurity Framework

Education Network Security

SECURING DEVICES IN THE INTERNET OF THINGS

CCISO Blueprint v1. EC-Council

LCU Privacy Breach Response Plan

Checklist: Credit Union Information Security and Privacy Policies

Information Security Incident Response Plan

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

QuickBooks Online Security White Paper July 2017

NW NATURAL CYBER SECURITY 2016.JUNE.16

Mobile Data Security Essentials for Your Changing, Growing Workforce

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

The Internet of Things. Presenter: John Balk

PS 176 Removable Media Policy

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Information Security Incident Response Plan

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

What is Penetration Testing?

What It Takes to be a CISO in 2017

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

NRENs and IoT Security: Challenges and Opportunities. Karen O Donoghue TICAL 2018 Cartagena 4 September 2018

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

716 West Ave Austin, TX USA

HIPAA Regulatory Compliance

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Innovation policy for Industry 4.0

INFORMATION ASSET MANAGEMENT POLICY

Heavy Vehicle Cyber Security Bulletin

Cyber Resilience - Protecting your Business 1

Canada Life Cyber Security Statement 2018

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

ISO & ISO & ISO Cloud Documentation Toolkit

INFORMATION SECURITY AND RISK POLICY

Information Security at Veritext Protecting Your Data

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Date Approved: Board of Directors on 7 July 2016

Credit Card Data Compromise: Incident Response Plan

SECURING DEVICES IN THE INTERNET OF THINGS

Cybersecurity. Securely enabling transformation and change

Security Principles for Stratos. Part no. 667/UE/31701/004

EXHIBIT A. - HIPAA Security Assessment Template -

DETAILED POLICY STATEMENT

CYBERSECURITY RISK LOWERING CHECKLIST

Security Policies and Procedures Principles and Practices

Automating the Top 20 CIS Critical Security Controls

CipherCloud CASB+ Connector for ServiceNow

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Cybersecurity Auditing in an Unsecure World

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Vendor Security Questionnaire

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Transcription:

Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses

Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors 2 IoT and the Risks to Information Security 3 IoT and Privacy 4 IoT and Safety 5 IoT and Your Business: A Cyber Security Strategy 5 Step 1: Assess risks 6 Step 2: Identify new legal concerns 6 Step 3: Develop IoT policy 6 Step 4: Implement security measures 7 Step 5: Monitor and update 8 IoT Developers, Manufacturers, Service Providers 9

Introduction The connectivity and automation of the Internet of Things (IoT) can help all business sectors to progress, but it can come with substantial risks. IoT devices connect, communicate, and exchange information via a network, exposing more points of access to the data stored and devices controlled by your network. Cyber security is the key to protecting your small or medium business from possibly devastating cyber incidents. As a small or medium business owner and/or leader, you may think your business is not a target for a cyber incident. However, the IoT increases your exposure to cyber incidents, and the complexity of cyber security. With this guide, you ll learn how the IoT works and where it will have an impact, and the risks related to information security, privacy, and safety. Our five-step cyber security strategy will help you securely implement the IoT into your business, and help you create an IoT security policy to integrate with your existing cyber security policy. IoT security is a shared responsibility between management, IT, and all employees. Along with this guide, the #IoTatWork Toolkit has other resources to share with your business GetCyberSafe.ca. This guide is a companion to the Get Cyber Safe Guide for Small and Medium Businesses and references sections of that Guide for further information. When you see this symbol, please refer to the indicated section of the Get Cyber Safe Guide for Small and Medium Businesses. 1

The Internet of Things The IoT is made up of smart devices that connect and communicate via a network, such as the Internet. IoT devices collect and exchange information through embedded software, cameras, and sensors that detect light, sound, distance, movement, etc. IoT devices can be remote controlled and monitored, but most operate automatically. Some examples of smart devices include appliances, locks, security cameras, manufacturing equipment, and connected cars. The Internet of Everything (IoE) is an extension on the IoT, which encompass a more complex system of machine-to-machine communication as well as with people and process. The IoE is comprised of people, data, processes, and things. The Industrial Internet of Things (IIoT) refers specifically to the integration of IoT technologies, networked sensors, and software into complex physical machinery used in manufacturing, etc. It is also known as the Industrial Internet. Presence of IoT in Business Sectors The IoT is used in a variety of business sectors, from agriculture to healthcare to manufacturing. 2

Some of the main IoT developments include: Retail Automated checkout Inventory and warehouse management Manufacturing Operations efficiencies Asset management and maintenance Consumers Entertainment Health and fitness Offices and Government Productivity and energy saving Security and surveillance Transportation Automation and traffic control Fleet management Healthcare Monitoring Automated administration of treatment IoT and the Risks to Information Security The biggest impediment to businesses implementing IoT is security. IoT risks could have serious consequences on a business s reputation and credibility, could cause a loss of revenue and time, and could lead to legal challenges. IoT devices connect to each other, to your business network and to other devices on that network, back to the IoT supplier, and even to the devices of your customers and employees. Due to such interconnectivity and automation, a cyber incident could affect multiple levels of your business; from the head office, to the supply chain, and even to the customer. 3

Whether a targeted incident on a certain device, or an indirect incident through viral threats like malware, IoT cyber incidents have downstream effects on your IT security which could weaken your entire IT infrastructure. For example, if your business has a fleet of Intelligent Transportation System (ITS) delivery trucks and the developer/manufacturer of the trucks is affected by malware, your connected trucks could be indirectly affected by the malware incident as well. For more information on malware, refer to Web Security Malware. With every connection comes an increase in vulnerability. If you do not control who and what connects to your network you cannot protect the information that traverses it. For more information on information security, refer to Data Security. IoT and Privacy For any cyber incident, IoT-related or not, the risk of theft, exposure, or corruption of information is greatly enhanced. Business, employee, and client information could be destroyed, altered, stolen and exposed, or even held for ransom. IoT devices collect vast amounts of data, which creates concern over the confidentiality, privacy, and integrity of business data. Ensure to use IoT devices that provide transparency on their policies of data collection, such as what information is gathered, how long it is kept, and what it s used for (marketing research, etc.). With the introduction of IoT into the business, you might consider updating your privacy policies. Consider using a professional cyber security organization to help you conduct a privacy impact assessment, develop IoT standards, and define levels of trust for users vs. machines/devices. For example, a trusted user on an untrusted device, should be untrusted and subject to restrictions. Seeking legal assistance can help you understand and reevaluate legal responsibilities and requirements, IoT device privacy statements, and contractual arrangements. Your employees information and privacy could be compromised as well, through personal devices connected to the business network. Employee education and training on the IoT can help protect their privacy. So too can creating an IoT policy, similar to a Bring Your Own Device (BYOD) policy, which addresses network access, permitted devices, passwords, secure sites, etc. For more information on policies, refer to Management Issues Developing Policies and Standards. 4

IoT and Safety When an IoT device controls physical assets and operations, such a smart vehicle or an insulin pump, the threat of a cyber incident extends beyond a breach in information. The unauthorized control or remote takeover of an IoT device could cause physical damage to data and equipment, or even physical harm. These damages are costly, as you seek to recover your systems, assets, and your reputation. For many devices, their operational roles can be far more important than the information they store. Consider the legal and financial impact of a device failing or being manipulated. For more information on safety, refer to Physical security. To protect your equipment, your staff, and your customers, the basic IoT security framework should cover the device, the remote-control element, and the IT infrastructure, and consist of: Secure boot and reset capability Authentication and integrity Encryption Updates Intrusion detection and reporting Remote control and audit Firewall IoT and your Business: a Cyber Security Strategy Implementing new IoT technology requires a step by step, top-down strategy. Our 5-step security strategy covers the essentials of incorporating IoT into your business. This strategy can also be used for all business 5. Monitor and update IT processes and controls, whether networked or not.to learn more about cyber strategies, refer to Management Issues Cyber Security Planning. 4. Implement security measures 1. Assess risks 3. Develop IoT policy 2. Identify legal issues 5

Step 1: Assess risks A thorough risk assessment is the first step to updating security policies. With the IoT, cyber crime could come from new and unexpected places. IoT should be part of your overall risk profile. Conduct a threat and privacy impact assessment, considering how connected objects will interact with each other. Audit apps, devices, networks, databases, and communications protocols. Determine interoperability between those devices that you may already have. What s on your network? How valuable is that information? Who s connected? Identify any vulnerabilities and worst-case scenarios. Step 2: Identify legal issues The introduction of IoT into your business operations presents possible legal issues and concerns. You should be aware of your company s legal responsibilities in both the physical and virtual worlds. Seek legal counsel to understand external obligations such as provincial or federal law. Consider the legal consequences of the manipulation or malfunction of the physical controls of an IoT device. Step 3: Develop IoT policy To cover all levels of business operations, align your IoT policy with your existing cyber security policies. Management and IT should work together to make IoT deployment a cross-business, multi-level responsibility. Confirm with your supply chain (partners, suppliers, etc.) they are taking the proper measures to secure their systems as well. Consider how the IoT will integrate with your existing business strategy. Make sure the IoT can help you achieve your short and long-term objectives. Invest in developing a skilled workforce by educating and training your employees. Download our #IoTatWork employee training presentation GetCyberSafe.ca. For more information on policies, refer to Create Stronger Cyber Safety Policies. 6

Step 4: Implement security measures Here s a list of security tips for before, during, and after implementation of IoT devices. According to a 2017 research study by Public Safety Canada, 57% of small business owners or managers are the person in charge of IT. 1 Consider consulting a cyber security organization/professional for more help. Before implementation: Research devices before you purchase. Read reviews and get recommendations; research their security capabilities. Have a point of contact with the manufacturers for any issues down the road. Read device materials: operator s manuals, instructions, support forums. Create a Bring Your Own Device (BYOD) and IoT policies for employees. Assess against your existing IT security policies and standards. During implementation: Secure your wireless network. For more information, refer to Run a More Cyber Safe Business. Change device default usernames and passwords, and use strong passwords. Refer to Authentication Best Practices. Keep networks with sensitive information isolated. Consider using separate networks for IoT devices. Ensure the device has system reset capability in order to permanently eliminate sensitive configuration information. Control who can access your network and from where. Encrypt data, commands and communications, both at rest and in transit. Where possible, set operating system, software, and firmware to update automatically. Establish periodic manual updates as required. 1 Public Safety, Ekos Public Opinion Research 7

After implementation: Implement a repeatable process to validate all safeguard and countermeasures in your implementation. Conduct cyber incident tests and audits regularly to ensure the integrity of your network. Backup data regularly using secure and redundant storage solutions, such as multiple storage units and/or the cloud. Test your recovery process regularly. For more information, refer to Data Security Backup and Recovery Options. Step 5: Monitor and update Monitor your IoT devices and networks. Decide who will oversee IoT, and how often device activity should be monitored. Where possible, put automatic auditing tools in place to monitor, measure, detect, and correct IoT security problems. In the absence of automation, implement regular manual procedures. How much oversight should management provide, and how often? Consider making updates quarterly. Updating software, patches, and operating systems is an ongoing process. Therefore, these security steps should be repeated frequently and with each new IoT device. Keep communication between management and IT open. Finally, make sure your employees are adhering to your IoT policy. With more and more connected devices in the workplace come more points of vulnerability and risk. 8

IoT Developers, Manufacturers, Service Providers Security should be top of mind for IoT device developers, manufacturers, service providers, and network operators. Security and privacy safeguards should be prioritized in the design, development, and deployment of IoT products. As a best practice, IoT developers and service providers should include as much information as possible on security in plain language for consumers. Security information and privacy policy statements should be accessible in the following locations: Device user manual/instructions Company website On the app that controls the device Support forum Help center (online, or call-in) For more information and user-friendly tips on cyber security for your business, visit the United States Computer Emergency Readiness Team at https://www.us-cert.gov/ncas/tips. 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback