Scott Giordano on the Risks of the Internet of Things [Podcast]


Post By: Adam Turteltaub

Everywhere we look there are now devices that can be connected to the internet. Around our homes there are security systems, lights, and even refrigerators. In the workplace it spans nearly everything, from medical devices to HVAC systems.

As Scott Giordano, Senior Counsel, Privacy & Compliance at Spirion explains in this podcast, with the rise of the Internet of Things (IoT) and all that connectivity comes an enormous amount of risk. The vulnerabilities begin, he notes, with the devices themselves, which often were not built with security in mind. They provide an opening for hackers, even through something as seemingly innocuous as the thermostat in a fish tank.

To manage the risk, Giordano recommends screening vendors to ask how they are protecting the devices that they are attaching to your system. Do so via a short questionnaire that you go through question by question with the vendor, thereby avoiding a check-the-box exercise.

He also recommends auditing the data your organization houses to determine what information you have, what is sensitive and what data may no longer be needed. An audit, he notes, typically identifies many more data storehouses than an organization thinks it has. Often this problem is caused by the proliferation of applications used in organizations, many of which communicate with each other and start storing data on their own.

On an ongoing basis it is important, he observes, to stay on top of what devices are added to your system and to regularly update your asset inventory. And don’t lose track of the risks of Bring Your Own Device (BYOD) policies. All those apps on phones are collecting data, too.

Controls are also key to ensuring that no unauthorized devices are added. Hand in hand with that is a need to understand the issue from the employee perspective. If you make it too difficult for them to do their jobs, they will look for workarounds that can create more data security risk.
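As an added illustration of the two points above (keeping the asset inventory current and catching devices that were added without authorization), here is a small reconciliation script. It is example code written for this summary, not from the podcast or from Spirion; the inventory fields, the dhcpd.leases-style records and every address in them are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the approved asset inventory keyed by MAC address.
# Field names are hypothetical; a real inventory would come from a CMDB.
INVENTORY: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"name": "lobby-thermostat", "vendor": "ExampleHVAC", "owner": "facilities"},
    "aa:bb:cc:00:00:02": {"name": "mri-console-1", "vendor": "ExampleMed", "owner": "radiology"},
    "aa:bb:cc:00:00:03": {"name": "hvac-controller", "vendor": "ExampleHVAC", "owner": "facilities"},
}

# Constructed sample in ISC dhcpd.leases style: what the network actually saw.
LEASES = """
lease 10.0.5.21 { hardware ethernet aa:bb:cc:00:00:01; client-hostname "lobby-thermostat"; }
lease 10.0.5.22 { hardware ethernet aa:bb:cc:00:00:02; client-hostname "mri-console-1"; }
lease 10.0.5.23 { hardware ethernet de:ad:be:ef:00:09; client-hostname "fishtank-thermo"; }
lease 10.0.5.24 { hardware ethernet de:ad:be:ef:00:0a; client-hostname "android-phone"; }
"""

# [^}] keeps each match inside one lease block, so a record without a
# client-hostname cannot borrow the hostname of the next record.
LEASE_RE = re.compile(
    r'lease\s+(?P<ip>\d+(?:\.\d+){3})\s*\{[^}]*?hardware ethernet\s+(?P<mac>[0-9a-f:]{17});'
    r'(?:[^}]*?client-hostname\s+"(?P<host>[^"]*)")?',
    re.IGNORECASE,
)

def parse_leases(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, hostname) for each lease record; hostname may be empty."""
    return [(m.group("ip"), m.group("mac").lower(), m.group("host") or "")
            for m in LEASE_RE.finditer(text)]

def reconcile(inventory: Dict[str, Dict[str, str]],
              leases: List[Tuple[str, str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Flag devices seen on the network but absent from the inventory (unauthorized
    additions or BYOD) and inventory entries never seen (stale records to review)."""
    seen, unknown = set(), []
    for ip, mac, host in leases:
        if mac in inventory:
            seen.add(mac)
        else:
            unknown.append({"ip": ip, "mac": mac, "hostname": host})
    stale = sorted(set(inventory) - seen)
    return unknown, stale

if __name__ == "__main__":
    unknown, stale = reconcile(INVENTORY, parse_leases(LEASES))
    for d in unknown:
        print(f"NOT IN INVENTORY: {d['ip']} {d['mac']} {d['hostname']!r}")
    for mac in stale:
        print(f"INVENTORY ENTRY NOT SEEN: {mac} ({INVENTORY[mac]['name']})")
```

Run against real lease or switch data, the "not in inventory" list is the vendor-screening and authorization queue, and the "not seen" list is what to prune or verify at the next inventory update.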

To learn more, he recommends reading the scarily titled Click Here to Kill Everybody.  And, of course, you can listen to this podcast to better understand IoT risks and what compliance teams need to do about them.