By Ron Konezny, President & CEO, Digi International
The most cybersecurity-savvy members of an organization are typically not the key decision makers. This disconnect may be one of the reasons that even while cybersecurity budgets continue to increase, the frequency and severity of cyberattacks and data breaches are not decreasing.
Yet many factors contribute to the complex cybersecurity landscape today, including the rapid adoption of connected IoT devices, the increasing sophistication of hackers, and evolving cybersecurity regulations. Consequently, it is time that cybersecurity initiatives switched from a bottom-up to a top-down and organization-wide approach. This article will discuss how leaders can implement a multi-layered strategy for IoT security to protect their organizations and customers.
The Importance of a Top-Down Approach to Cybersecurity Risk Management
In the traditional bottom-up approach to IoT cybersecurity, operational employees like security, systems and network techs typically report their findings and concerns to upper management. However, this process can be slow and inefficient. A breach may occur before network security and cybersecurity engineers get the green light to implement critical initiatives. By instituting a top-down approach to cybersecurity, upper management underscores the importance of security policies and the necessity of securing connected devices and networks.
Top-down strategies also tend to be wider-reaching, as management teams recognize that the responsibility of protecting the organization does not rest on the shoulders of the IT department alone. Instead, everyone is equally responsible and accountable because every department, office and employee is susceptible to cyberattacks or unintentional data leaks due to non-secure processes or behaviors. When vulnerabilities lead to security and data breaches, they can have an enormous impact on a brand’s reputation — not to mention the potential price tag in the millions of dollars to remediate these issues when they occur.
Today, organizations across every industry need to create a culture of safety where every individual receives training and understands their role in the broader enterprise’s security posture. Underscoring this point, Opensource.com rightly points out that a system is only as secure as the least safety-conscious team member.
The Four Levels of a Multi-Layered Security Strategy
There are many avenues by which bad actors can infiltrate a business network, including unencrypted communication models, unsecured device ports, and connected technologies deployed without key security measures, like authentication, in place. In addition to a top-down approach, businesses must incorporate a multi-layered strategy to establish company-wide protection against cyberattacks. Generally, a multi-layer approach has four levels: device, network, application, and cloud.
- Device-level security: Consists of built-in security measures that protect the IoT device itself, such as encryption, secure boot, protected ports, and configuration monitoring. In particular, device-level security ensures that the firmware of connected devices under corporate jurisdiction can be updated as new vulnerabilities arise.
- Network-level security: Includes measures like firewalls, intrusion detection and prevention, and virtual private networks (VPNs) to safeguard communication between devices on the broader network. In addition to being secure, a network must remain always-on, meaning that it is resilient and can continue to function amid challenges to normal operations and maintain service for customers and connected applications.
- Application-level security: Entails the security measures that protect the applications and data running on IoT devices, such as access control, data encryption and secure APIs.
- Cloud-level security: The cloud is central to IoT, as companies cannot collect or analyze the data generated by their connected devices without uplink connectivity and a path to the cloud to store that data. This level includes measures like identity and access management, data encryption and continuous monitoring, which protect the cloud infrastructure that supports IoT devices and business-critical operations.
The Evolving Cybersecurity Landscape
For perspective on how persistent and sophisticated cybercriminals have become, consider that the National Institute of Standards and Technology (NIST) updates its National Vulnerability Database (NVD) hourly. Moreover, in 2022, over 25,000 new Common Vulnerabilities and Exposures (CVE) entries were recorded — the highest annual figure reported to date. In light of these ever-emerging threats, regulators constantly update existing standards or release new ones to protect IoT devices.
For example, in 2022, regulators amended the FDA Act to include requirements for connected medical devices. That same year, to address the increasing intersection of IoT devices and account-based payments, the Payment Card Industry Security Standards Council and the Consumer Technology Association issued a joint bulletin highlighting the importance of IoT security. Additionally, cybersecurity regulations with global implications for IoT technology include the General Data Protection Regulation (GDPR), the EU Cybersecurity Act, and the California Consumer Privacy Act (CCPA). Failure to adhere to these standards can hurt the bottom line, including through costly fines.
The shifting IoT security landscape can be daunting. However, a top-down approach to security allows upper management to more effectively direct the implementation of security practices and regulatory requirements throughout the organization, whether by ensuring staff have the training to identify phishing and social engineering threats, mandating FIPS 140-2 validated cryptography, or restricting physical access to the enterprise or to specific assets. The good news is that the security industry has galvanized in recent years, and there are great resources today that enable organizational leaders and technical personnel to quickly grapple with the issues and put an actionable strategy in place.
Finding Help and Leading by Example
The ideal strategy for IoT security is a multi-layered, company-wide one — including procuring tested and proven devices with built-in security protocols, ensuring the ability to continually update all connected devices over their lifecycle, and mandating procedural and behavioral training for all staff members. While cultural and infrastructure change do not happen overnight, every business can implement a strong security posture and excellent security measures. When in doubt, brands should seek a total-solution vendor that can help integrate IoT security best practices, including monitoring and management services to keep cyber defenses up to date. Ultimately, it is incumbent on an organization’s leadership to take the initiative and promote company-wide adoption and cultural change.
About the Author
Ron Konezny is the President and CEO of Digi International. He joined Digi International in December 2014 as President and Chief Executive Officer. Prior to joining the company, he was Vice President of the Global Transportation and Logistics division of Trimble Navigation Limited, a global provider of navigation and range-finding equipment and related solutions. He had served in that role since September 2013. Prior to this position, he served from August 2011 to September 2013 as the General Manager of this division and as the Chief Executive Officer of PeopleNet, Inc., after PeopleNet was acquired by Trimble in 2011. Ron was a founder of PeopleNet, where he held a variety of executive positions from 1996 onward, including Chief Technology Officer, Chief Financial Officer, Chief Operating Officer and, from September 2007 through PeopleNet’s acquisition by Trimble, Chief Executive Officer. PeopleNet is a leading provider of telematics solutions for the transportation industry. Ron also presently serves on the board of directors of Atlas Financial Holdings (NASDAQ: AFH).
Ron has extensive experience in the wireless M2M industry, working with solutions composed of hardware and cloud-based applications. He brings extensive leadership experience in corporate strategy, manufacturing, operations, technology, finance and business development to the Board. Ron was the 2009 winner of the Ernst & Young Entrepreneur of the Year® award in the Technology category. Ron can be reached online at [email protected] and at our company website at www.digi.com.