For many, the Internet-of-Everything (IoE) is a brave new world; a vision of the 21st century in which internet-connected smart devices make all of our lives safer, more convenient and more productive. But while it's certainly true that businesses, in theory, could become more agile and efficient as a result, the IoE should also raise a few warning signals for CIOs.
Research from Context Information Security earlier this month revealed that LIFX Wi-Fi enabled lightbulbs contained a flaw which could allow hackers to control them using a smartphone app. In this case the issue was resolved after LIFX developers were informed, but what about other smart devices finding their way into offices around the world?
Part of the problem is that, just as with smartphones before, many of these devices aren't built for the enterprise. They aren't robust enough and certainly haven't been tested with security in mind. Yet, just as with the Bring Your Own Device trend, there is the chance they could increasingly find their way into the corporate environment unless strict checks are put in place.
Think about it. Many of the companies that develop such IoE devices aren't doing so with corporate use in mind. The imperative, as with most technology products, is commercial and not security-focused. Just a couple of months ago, smart device maker Nest was forced to recall over 400,000 smoke alarms after a defect was discovered that could allow users to turn the devices off unintentionally. It will not reassure CIOs to learn that Nest is a Google-owned company. This, after all, is the same firm that gave us one of the world's most insecure mobile ecosystems - Android.
There's another reason beyond malfunctioning devices which should focus CIO minds on the issue. Smart devices routinely communicate back to their manufacturer's HQ - wherever that may be. Even with innocuous household devices that might be a problem. Imagine if a hacker were able to intercept traffic sent from a Belkin baby monitor, for example, to see whether a parent was out of the house.
In a corporate environment the risks are amplified.
Do you know what information that smart printer is sending back to its HQ in the US? Do you know for sure it's not equipped with a mic? How about the video conferencing equipment that seems to have appeared in several of your meeting rooms? Whistleblower Edward Snowden's revelations about NSA surveillance have made big business nervous, and rightly so; well, here's another reason to be doubly cautious.
It's all the more important given the forthcoming European General Data Protection Regulation, which is still in the process of being finalised. Once brought into force, member states will be compelled to comply - and there could be strict requirements governing where data must reside. If your internet-connected smart devices are sending that data - however innocuous-looking - back to the manufacturer's HQ in the US or elsewhere, you could be breaking the law and exposing your organisation to unnecessary risk.
Smart meters are another related area of burgeoning IoE technology which could be exploited by determined attackers to uncover an organisation's weak points or even tamper with utility supply. If you think I'm paranoid, even regional watchdog the European Data Protection Supervisor (EDPS) has raised serious concerns - albeit around the privacy implications of such devices.
So what should CIOs be doing to head off this potential risk to enterprise information? Well, firstly, it's important to remember that the risks are limited at this stage. However, there may already be a growing number of internet-connected smart devices in your organisation, many of them possibly not fit for purpose. It's essential that you draw up a well-defined approval plan for new devices. Be especially cautious of signing off on anything that may be at odds with the coming European data protection regulations. Then it's a case of sitting down with facilities teams to ensure any new kit meets your criteria.
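One concrete way to answer the "do you know what that smart printer is sending back?" question and to enforce the approval plan is to review outbound traffic per device against the manufacturer endpoints agreed at sign-off. The script below is an added example, not code from the original column or from Trend Micro: it parses a few constructed proxy-style log lines (device, destination:port, bytes sent), keeps a per-device allowlist of approved destinations, and flags any flow from an unapproved device or to an unapproved destination. All device names, hostnames and IP addresses are invented for the example.

```python
"""
Added example (not from the original column): egress review for approved
office smart devices. Every device name, hostname and IP below is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    device: str      # inventory name of the source device
    dst_host: str    # destination hostname, or IP if it never resolved
    dst_port: int
    bytes_out: int   # bytes the device sent in this flow


# Constructed log lines, in a reduced "device destination:port bytes" shape
# that an outbound proxy or NetFlow export can easily be summarised into.
SAMPLE_LOG = """\
printer-3f   telemetry.example-printer.com:443   18240
printer-3f   203.0.113.77:8443                   51200
vc-room-b    relay.example-vc.com:443            902144
vc-room-b    198.51.100.9:5060                   4096
light-hub-1  cloud.example-lights.com:443        512
rogue-cam    198.51.100.42:443                   2097152
"""

# Approved manufacturer endpoints per device, recorded when the device was
# signed off. A device missing from this map was never approved at all.
ALLOWLIST = {
    "printer-3f": {"telemetry.example-printer.com"},
    "vc-room-b": {"relay.example-vc.com"},
    "light-hub-1": {"cloud.example-lights.com"},
}


def parse_log(text: str) -> list[Flow]:
    """Turn the whitespace-separated sample format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, dst, size = line.split()
        host, _, port = dst.rpartition(":")
        flows.append(Flow(device, host, int(port), int(size)))
    return flows


def review_egress(flows: list[Flow], allowlist: dict[str, set[str]]):
    """Return (findings, bytes_per_device).

    A finding is (device, reason, dst_host, dst_port, bytes_out). Flows from
    approved devices to approved hosts produce no finding but still count
    towards the per-device byte totals, so a sudden jump in volume to an
    approved endpoint is visible too.
    """
    findings = []
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.device] += f.bytes_out
        if f.device not in allowlist:
            findings.append((f.device, "unapproved device", f.dst_host, f.dst_port, f.bytes_out))
        elif f.dst_host not in allowlist[f.device]:
            findings.append((f.device, "unapproved destination", f.dst_host, f.dst_port, f.bytes_out))
    # Largest unexplained transfers first, so the report leads with the worst.
    findings.sort(key=lambda x: x[4], reverse=True)
    return findings, dict(totals)


if __name__ == "__main__":
    found, totals = review_egress(parse_log(SAMPLE_LOG), ALLOWLIST)
    for device, reason, host, port, size in found:
        print(f"{device:12} {reason:24} {host}:{port} ({size} bytes)")
    print("bytes out per device:", totals)
```

The allowlist is the artefact the approval plan produces: a device is signed off together with the short list of endpoints it is permitted to talk to, and anything outside that list, including a device nobody approved, shows up for review rather than quietly phoning home.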
Yes, it's yet another item on the to-do list, but it's worth adding now. Fail to take action early on and soon you might turn around to realise that the smooth running of your organisation effectively depends on a bunch of mission-critical but untested consumer-grade gadgets. Rip-and-replace by then won't be an option.
Raimund Genes is CTO of Trend Micro.