Showing posts with label Management. Show all posts

Tuesday, October 4, 2016

(The Big Disrupt) IoT: Why IoT Security Will Continue To Be A Mess

We at the Carnage Report have been writing piece after piece about the sorry state of IoT security, and of cybersecurity in general, and as things stand, the features on this topic are set to continue and even increase in scale.

When the Nobel prize-winning economist Ronald Coase asked "why do firms exist?", he answered his own question by arguing that firms exist to lower the transaction costs an entrepreneur would otherwise have to negotiate and pay in the open market 1. While Coase's observation may seem obvious and unrelated to the sorry state of IoT security, it's quite difficult to understand why IoT is so vulnerable to attack without his simple but profound answer.

In the age of the internet, transaction costs have sunk dramatically, making everything from watching movies to starting a business easier and cheaper than ever before. While the great fall in transaction costs has been one of the great drivers of change and innovation in the last few years, it's also the reason why Yahoo's recently disclosed breach of a record 500 million accounts will almost certainly be beaten. Record low transaction costs have been good for everybody from startups to behemoths like Google and Facebook; however, low transaction costs have also been good for another group: hackers.

Low transaction costs are why hackers can launch attacks at scale for a pittance, breach large but vulnerable corporate networks, and steal data to sell on online black markets for huge payouts. The most unfortunate group in the low transaction cost environment is, ironically, companies like Yahoo and LinkedIn, who have thrived because of it and helped shape it. Large companies from Target to Anthem have fallen victim to data breaches compromising their networks and have paid a heavy price in reputational damage and lawyers' fees dealing with the fallout.
Hackers, on the other hand, have made bank either by ransoming companies for their own data or by selling it in bulk on black markets if they don't pay up. Where IoT security comes into this low transaction cost environment is that it takes the advantage hackers already have over large companies and expands it tenfold.

Transaction costs for hackers are significantly lower than for most companies, which allows hackers to compromise IoT devices at scale and use those devices to launch record-breaking DDoS attacks. Despite all the advantages large organizations have in staff, budget, and expertise, these advantages are rendered obsolete by the fact that hackers have low transaction costs and thus a much wider margin of error: they only have to find one entry point, while organizations have to secure an ever increasing number of them thanks to the growing use of IoT enabled devices.

What makes this worse is that hackers collaborate in increasingly innovative ways to break into devices, while organizations are reluctant even to disclose data breaches, let alone share information and collaborate with other organizations, which would make it harder for hackers to hit company after company with the same exploits. However, while hackers already have the upper hand over large organizations, their advantage is enhanced by the outright irresponsible mindset most executives have towards security.

This blasé mindset is rampant in the IoT marketplace as company after company, from Intel to AT&T, rushes to market and sells poorly patched or unpatchable IoT enabled devices to consumers knowing full well how vulnerable those devices are. Well respected CIOs have come out in public and, with a straight face, lauded the "ship first, patch later" approach to selling IoT enabled devices from smart TVs to smart fridges, as if they're unaware that the scale on which IoT devices operate will leave their customers at the mercy of hackers who openly brag about how easy it is to compromise them.

In no other industry can executives get away with this level of carelessness and be heavily compensated for it, but in IT it's the norm. We saw similar levels of neglect when PCs and laptops were introduced into the market and customers were more or less left to deal with the fallout when their device was hacked. We saw similar neglect of the security question with the increased use of smartphones, and now we're seeing it with IoT enabled devices, but this time the price of that neglect will be hard to ignore.

In sum, IoT security and cybersecurity in general have been in a sorry state for a long time. All-time lows in transaction costs have made the glaring security vulnerabilities, and the incredibly relaxed mindset about security among executives, clear for all to see. If neither is addressed, the exploding market for stolen data, ransomware and malware will be the least of our problems.


  1. R. H. Coase, 1937, The Nature of the Firm, http://www.colorado.edu/ibs/es/alston/econ4504/readings/The%20Nature%20of%20the%20Firm%20by%20Coase.pdf

Tuesday, September 20, 2016

(The Big Disrupt) IT: Why Shadow IT isn't just bad news for CIOs

While tackling shadow IT isn't the most prominent challenge on a CIO's growing to-do list, the widespread growth of the practice in recent years has become hard to ignore.

It wasn't that long ago that research firm Gartner predicted that by 2017 marketing departments would be spending more on IT than IT departments, and since then the use of IT services by other business units has exploded to the point that Gartner's prediction is not far off from being vindicated.

You'd be hard pressed to find a CIO or IT professional who is loving the explosion in IT spend by other business units, as it undermines IT departments and even brings into question the need for CIOs. Executives outside the IT department have defended their increased IT spend by accusing CIOs of being too restrictive and rigid.

There's some truth to this complaint, as CIOs have traditionally been less than willing to introduce new solutions, particularly those provided by startups. This unwillingness pushed software vendors to target other business units within the same organization, which has led to the increased use of IT solutions without the CIO's blessing.

The growth of shadow IT in the last five years has concerned CIOs across the board, with IT leaders responsible for fewer and fewer IT buying decisions. However, what really keeps CIOs up at night is the security vulnerabilities shadow IT can open their organization up to.

Despite most organizations having strict policies in place forbidding their workforce from using third party applications to handle company data, it's well known these rules are flouted with abandon. You would think this might lead to some type of punitive action against employees who flout these rules, but since only 8% of organizations can track the use of shadow IT, finding and reprimanding those employees is easier said than done 1.

It's quite scary to think that only a measly 8% of organizations can track the use of shadow IT, as it means a staggering 92% of companies are devising security and device management policies in the dark. What's even more terrifying is that should an organization in that 92% suffer a breach, its CIO won't know what hit them until it's too late.

This scenario is very likely to become the norm, as according to a survey carried out by Intel Security a worrying 23% of those surveyed "handle security without IT's help" 2. That this is happening when in most cases these departments are just a phone call away from each other is crazy, and a disaster waiting to happen.

In sum, leadership at these organizations is going to have to figure out fast how to track the use of shadow IT and find a way to bring IT into the conversation, or risk getting hacked and beefing up their lawyers' retainers.

  1. M. Korolov, 2015, Only 8% of Companies Can Track Shadow IT, http://www.cio.com/article/2868113/it-organization/only-8-percent-of-companies-can-track-shadow-it.htm
  2. C. Worley, 2016, Shadow IT: Mitigating Security Risks, http://www.csoonline.com/article/3083775/security/shadow-it-mitigating-security-risks.html
