The Internet of Things (IoT) marks a new era in network security. Gone are the days when sysadmins could defend their organizations against digital threats via antivirus alone. Indeed, networks have evolved beyond webs of personal computers that support security software. Internet-enabled vehicles, appliances, PoS terminals, and other "smart" things now dot the IT environment. And that's not necessarily a good thing.
While they embody an untold number of possibilities in the way technology can revolutionize business, IoT devices increase an organization's attack surface by virtue of their web connectivity. Such duality holds true for all organizations, including those engaged in national security and law enforcement.
MetaCompliance recently confirmed this observation at Security and Policing 2016.
The event is aimed towards police, law enforcement personnel, and security professionals who are tasked with ensuring national resilience, civil protection, and security in the face of a variety of threats. While it overwhelmingly favors the physical aspects of national security and law enforcement, including armored vehicles and security gear, the conference also features some discussions on computer security.
Of note, attendees this year discussed how the UK Cabinet Office is investing in a computer security educational program that begins in secondary school. The purpose of the initiative is to make sure future generations are better informed and equipped to deal with digital threats.
Participants also had a chance to listen to Mike Gillespie, Managing Director of Advent IM, speak about the threat posed to organizations by lost devices and insecure third-party vendors.
With regard to the latter, Gillespie referenced Target's 2013 breach, during which hackers compromised 40 million customers' payment card details after first compromising a system owned by an HVAC company that installed Target's air conditioning. The retailer ultimately agreed to a $39 million settlement to compensate a number of banks that replaced affected customers' MasterCards.
For Bogdan Isac, Business Development Manager at MetaCompliance Ltd., the Target hack helps to put the reality of data breaches into perspective.
"The moral of the story is that with all of our devices, televisions, fridges, smartphones, A/Cs, etc. being inter-connected (or connected to the internet of things), no company or organisation is safe against the backdrop of data breaches," explains Bogdan, who participated in the Security and Policing event this year.
Bogdan went on to add, "Without proper staff training and systems in place, sooner or later everyone's a target. The risks lie in our smartphone connected through IoT to our washing machine, smart TVs with built-in cameras, fridge, A/C, heating, house locks, CCTV etc.; it has become very easy for hackers to not just phish our details, but to actually impersonate us and take control of our lives through our devices. I was looking at my smart TV last night and it's a 2014 model that had only 3 updates and by looking up online the content of the updates – they are all speed/reliability related! There was literally not 1 update on the security of the TV, which, connected to my Wi-Fi, could give a hacker access to my data, Skype calls, friends, family, my face etc. anytime he wants."
Law enforcement agencies are already beginning to realize the importance of user awareness training when it comes to risk mitigation and compliance with security policies. For example, MetaCompliance recently partnered with the City of London Police (COLP) to help it balance the demand for staff awareness with increasing financial constraints.
COLP ultimately purchased policy management and staff training software based on a centralized communication platform that automated its compliance activity across the entire force.
"Only with the use of an automated compliance tool could we hope to maintain best practices and support our officers," reflected Gary Brailsford-Hart, Director of Information for COLP.
The technology's multi-platform nature also helped push out the compliance learning to the officers, allowing them to complete each exercise when convenient. This training model has already drastically reduced the time it took for the force to conduct an audit of all of its handheld radios.
By investing in this policy management software, the City of London Police has added a crucial element to its existing information security strategy. Solutions such as those offered by MetaCompliance have already been developed across many clients, enabling COLP to implement time-tested change to its security awareness training program.
As digital threats continue to grow and evolve, it is more important than ever for law enforcement and national security organizations to confront the dangers of an untrained staff head-on. Failing to do so could produce stubborn financial and reputational costs for the organization. Additionally, a major event could cost those individuals responsible for overseeing the affected systems their job or even their career, especially in an industry where accountability and transparency are paramount.
So how do organizations avoid these negative consequences?
Attending an event like Security and Policing 2016 is a good start.