This is the second in a series of Arrayent blog posts on IoT security. The series is written for employees of companies who sell connected products, especially those new to IoT. With this series, we hope to bring a basic level of awareness and understanding of key issues that face everyone who develops connected consumer products. We also hope to stimulate an ongoing dialog that helps move the conversation about connected products security forward.
We began our series looking at IoT security through an organizational lens. This week we are looking through a cultural lens: How can companies build a culture of security, instilling personal responsibility for business, product, and end-user security where every employee is a stakeholder?
BUILD A SECURITY-MINDED CULTURE
The foundation of a security-minded culture starts with leadership from the CEO down. If the C-suite truly believes that security is everyone’s job, then security has a chance of actually becoming everyone’s job. After achieving executive sponsorship, a complete system of policies and procedures is vital, such as:
– All computers and phones must be password protected
– Two-factor authentication must be activated on all phones & computers
– All data on computers & phones must be encrypted in case of theft or loss
Getting the rank and file to partner with IT personnel—instead of opposing them—goes a long way toward making everyday practices like these stick:
– Always having anti-virus software installed and enabled
– Frequent (even daily) hard drive backups to guard against the effects of ransomware
– Periodic ‘restores’ from backups to test backup validity
– Disaster recovery policies, e.g. if the building were to burn down at night, what would the next steps be? Does everyone know what to do? Would your data be safe and accessible?
LOOSE LIPS SINK SHIPS – AWARENESS IS KEY
A security culture requires people to understand their roles and responsibilities and what’s at stake—and to be fully invested in the concepts of security through their personal conduct at work. Training and regular communication are important ways to reinforce this. But also think about other ways to create an environment that reminds employees that security is a number one priority. The company bulletin board in common areas is a good place to remind employees of their personal responsibilities, such as:
– To ensure doors stay closed and locked
– To ‘sleep’ computers every time employees leave their desks
– To never leave keys or access cards on their desks; keep them on their person at all times.
Security is a serious issue, but you can have fun with it. Think about the old World War II poster, “Loose Lips Sink Ships,” which could be a model for reiterating the new kind of war companies face securing our world in the age of IoT—where we face unseen enemies trying to put our companies and products in harm’s way.
Related to this are security basics such as these:
– Never give out main company Wi-Fi passwords; only provide Guest Wi-Fi access/passwords
– Never allow visitors to plug into the corporate network via an Ethernet cable
– Don’t use flash drives from home or from outside the company, as they could contain malware
– Don’t put off installing computer or phone OS updates from Apple or Microsoft
– Don’t accept unknown software updates
– Don’t download software from the Internet that has not been vetted through virus scan programs (i.e. follow corporate procedures to the letter)
– Don’t click on links in email; this is how most phishing scams succeed
– If you see something, say something: report all security-related concerns in a timely manner through company-defined channels.
UNDERSTAND THE CONSEQUENCES
If someone loses their company laptop, especially one that was not password protected or encrypted, the company might be required by contract to contact all customers and alert them that their proprietary company or customer information may have been compromised. What might the recriminations be for individuals or the company if that loss stemmed from negligence? The goal of creating a security-minded culture, following best practices and instilling vigilance is to prevent breaches and safeguard the company AND the employees from claims of malpractice or ineptitude.
As an old adage goes: when confronted by a lion on the savannah, you don’t need to run faster than the lion to survive, just faster than the person standing next to you. Likewise with security, first you should ensure you do everything possible to avoid lax security measures, but in the end, YOU don’t want to be the one who caused the security breach.