What risks does your business face from the Internet of Everything?

Late last year, in what has now become routine news, a large-scale cyberattack deployed nearly 750,000 malicious email communications emanating from over 100,000 everyday devices. But this attack had a twist: It was the first confirmed occasion that a smart home appliance – in this case a refrigerator – was used as a weapon of mass disruption.

At a time when cyber risks have assumed a permanent place on the list of things that cause fretful sleep for business owners, a refrigerator might not seem especially menacing. The reality, however, is that a whirlwind of interconnected global risks to businesses is emerging. Smart devices are part of the internet of everything (IoE), the network of objects embedded with electronics, software, sensors and connectivity to enable greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.

“What’s concerning is that most of the vulnerabilities that can be and have been exploited are known vulnerabilities – it’s nothing new and exotic, and not based on a new technology.”

“The IoE will be integrated into every market you can think of – from healthcare to the energy industry and transport network – but it hasn’t been designed with security in mind,” says Jamison Nesbitt, founder of Cyber Senate, a community of global cybersecurity business leaders. “There are millions of hackers out there that could compromise these interconnected systems. We have sacrificed security for efficiency.”

The upsides of the IoE for consumers and businesses are plentiful, and that potential is reflected in some very big numbers. The total of interconnected devices in use long ago surpassed the number of people on the planet, and yet only .06 percent of devices that could be connected currently are connected. Within two years, 82 percent of businesses globally will have IoE applications implemented into their activities; and with 94 percent of businesses seeing ROI on machine-to-machine communication, this interconnectivity will only grow. Smart homes, smart cars, smart factories, smart cities – by 2020 it is estimated that the IoE market will be worth $7.1 trillion.

IoE-related risks are a reality

Here’s an example of the IoE in action: Thermostats enabled by wireless technology allow homeowners to modify the temperatures in their home via a user-interface application on a smartphone or other wireless device. Researchers recently found a number of vulnerabilities in such systems that could be exploited remotely. Now consider the implications of similar vulnerabilities in remote access to industrial control systems, with knock-on effects related to   privacy issues, property damage or physical harm. You don’t have to look far for real-world effects.

“Only as a result of the major cyber breaches of the past few years have smart business leaders finally made the requisite investment in security throughout the product development lifecycle – including design.”

In 2013, a large retailer suffered a major privacy breach when hackers accessed its network via its heating, ventilation and air-conditioning system. Late last year, a German iron plant suffered fire damage when hackers breached its control system and caused a furnace to shut down, leading to a fire.

“What’s concerning is that most of the vulnerabilities that can be and have been exploited are known vulnerabilities—it’s nothing new and exotic, and not based on a new technology,” says Timothy Stapleton, Global Underwriting Manager, Professional & Management Liability at Zurich Insurance Group, where he and his colleagues focus on protecting businesses and communities from cyber risks so that they can confidently take advantage of large-scale interconnectivity. “These are things that companies should already be looking at and aware of during a product’s design and implementation process, and that should be addressed by the time it gets to the end user. It’s within companies’ abilities to do something about these issues.”

Recently, a joint research team from the University of Washington and the University of California, San Diego showed that hackers could achieve remote access to a vehicle’s critical systems using connected applications that enable roadside assistance. They were also able to take over a car’s controls through the music system’s CD drive, highlighting potential risks in the supply chain and development processes for companies manufacturing the cars; for the wireless technology and application creators; and for the automotive industry as a whole.

Effectively managing IoE risks

As might be expected, businesses view the management of IoE-related risks as a financial challenge. The expense can be lessened if firms follow best practices from a design perspective; for product manufacturers and service providers alike, this takes in the trending concept of “privacy by design.”

“The basic concept is, from the concept to development, to the point that it hits the market and gets in the end user’s hands, privacy is going to be embedded throughout every single phase,” says Zurich’s Stapleton. “Do that, and costs come down dramatically, and the effectiveness of the privacy protections and the risk management behind it increases significantly. It’s much more effective than trying to retrofit privacy or security elements onto a product that’s already been released or is at the end stages of design and development.”

“Industries such as healthcare and retail are positioned, through use of the IoE, to achieve significant benefits and cost-cutting in the future as they integrate these kinds of devices and technologies.”

Gerry Kane, Zurich’s Cyber Security Segment Director for Risk Engineering, adds that “security by design is a fundamental concept, and has been since information security has been a practice. It is only as a result of the major cyber breaches of the past few years that smart business leaders made the requisite investment in security throughout the product development lifecycle – including the requirements and design phases.”

Following such best industry practices will offset problems later, and cut down on the overall financial impact of a cyberattack. In addition to embedding security in the design process, Stapleton says there are other basic steps to take, such as using standard configurations; following the “CIA” (confidentiality, integrity and availability) model for information security policy; restricting access to only those who require it; and, critically, observing strict software update and patch management (a software update to a program or its supporting data). On the risk management planning side, the core elements of creating resilience to cyberattacks include incident response planning and business-continuity planning from an enterprise-level perspective, where the organization plans for the worst-case scenario, and then rigorously tests those plans.

“Incident response and business-continuity planning are the two elements that are going to get you through a crisis,” Stapleton says.

Benefits of IoE drive security pressure

The enterprise security firm Veracode recently completed a study that found that a simple online search can yield default passwords for a number of in-home IoE devices – some of which are manufactured in such a way that the password cannot be altered once they are in the home. However, Stapleton expects to see more and more wireless technology providers, hardware manufacturers and consumer device makers working in tandem to secure their end products. “Industries such as healthcare and retail are positioned, through use of the IoE, to achieve significant benefits and cost-cutting in the future as they integrate these kinds of devices and technologies,” he says. “Demand is only going to increase, but you’re also going to see more pressure from the peripheral participants, and end users, to start looking at [security] in the right way.”

As IoE makers’ short-term focus on financial matters wrestles with longer-term issues such as consumer confidence, the cyber-insurance market continues to evolve with regard to the types and scope of coverage available. Organizations are focused on data theft and invasions of privacy, and the general consensus is that the insurance industry can provide a financial backstop for those issues. (Personal injury or property damage exposures aren’t yet significant in the cyber market.) According to Stapleton, insurers are being approached by companies interested in how the underwriting process itself can help them better understand their many risks in the age of IoE.

“As an insurer, if we can bring in a third party – an IT security service or IT risk assessment service provider, for instance – to do a deep-dive assessment on a company’s network, that goes a long way,” says Stapleton. “Not only in helping us understand the risk, but also in helping the company understand where its vulnerabilities are and what the action items should be in order to remedy that.”

This article is published in collaboration with Zurich. Publication does not imply endorsement of views by the World Economic Forum.

To keep up with the Agenda subscribe to our weekly newsletter.

Author: Tim Stapleton is a Global Underwriting Manager, Professional & Management Liability at Zurich General Insurance. Catherine Mulligan is an Insurance executive specializing in Professional Liability and Security & Privacy. Gerry Kane is a Cyber Security Segment Director at Zurich North America.

Image: An illustration picture shows a projection of binary code on a man holding a laptop computer. REUTERS