With promises of unbounded possibilities for convenience, capacity and efficiency, the internet of things (IoT) shows every sign of becoming a full-fledged craze in the business world. But what’s often overlooked in all the enthusiasm is that the “I” in IoT is also an internet of shared services and shared data. As a result, we are becoming dangerously reliant on public internet connectivity to underpin many of the IoT’s new services.
The public internet, however, was never designed to be a secure environment. It was conceived as a network with built-in redundancy for academics and researchers to share data, not protect or authenticate access to it. Consequently, from a security perspective it’s become more a kind of best-effort network than the best-in-class network needed to ensure the confidentiality, integrity and availability of today’s transactions, and this poses a profound systemic risk.
Systemic Risk of the Public Internet
Unlike a targeted threat that jeopardizes one element or one department of a company, a systemic risk is one that can bring an entire operation to a halt and cause total failure of a business. Put simply, many businesses continue to face this systemic risk by relying on the public internet to, first, connect to hosted cloud services; and, second, support their adoption of IoT to pursue new business opportunities.
Among the many risks businesses must face online, malware and ransomware, data thefts and breaches, and distributed denial of service (DDoS) attacks have all become serious threats to cloud- and IoT-focused companies relying on the public internet. The world has recently seen cyber calamities like ransomware and DDoS attacks on an unrivaled scale, focusing volumes of malicious traffic that were previously thought impossible. These attacks have changed the rules of the game, taking down business networks and servers worldwide, and hitting some of the world’s largest banks, retailers, media companies, social networks, and news outlets.
Rise of the IoT
At the same time, advancements in miniaturization and mobile technology have accelerated the advent of IoT, which has already begun to vastly expand the breadth and depth of our connectivity and transactions. The coming explosion of devices able to collect, transmit, and store massive amounts of data will pose a serious systemic risk for all those sensitive transactions that need to happen at the speed of business. With everything connected to the internet theoretically vulnerable to being hacked – often being scanned for vulnerabilities within minutes of first connecting – millions of new devices will become subject to potential compromise. And that risk is only increasing, with the number of IoT-connected devices and sensors projected to grow to 50 billion by 2020, according to Juniper Research.
This growth raises the stakes exponentially for unsecured networks, and calls into question previous risk acceptance decisions. Since the IoT’s entire premise is built upon connectivity, a malevolent attack that compromises (or maliciously exploits) this connectivity has the potential to wreak unprecedented havoc.
Imagine the chaos of a localized attack on a hospital system or a healthcare trust that shuts down vital patient monitoring sensors or scrambles essential automated reporting processes between ICU equipment. Or consider how an IoT-enabled smart city depends on a network of sensors to manage its transport infrastructure and the traffic moving in its streets. Bring down the sensor network with ransomware or a DDoS attack and the result could be indefinite gridlock across a city.
Reliable, Robust and Secure Global Connectivity
As businesses explore new opportunities and use cases for IoT, they must acknowledge that the public internet is no longer fit to provide the reliable, robust and secure global connectivity that is imperative to fulfill the promise of IoT. Instead, the use of a private, isolated network has emerged as a more practical answer to protecting and authenticating transactions in an age when the IoT is creating greater levels of risk. This network can be utilized to minimize business risk by running completely independently of the public internet.
Specifically, a private, isolated network should meet four criteria that are essential to the new demands of the IoT era:
- Security, privacy and isolation from the public internet in order to protect valuable corporate and public data and assets.
- Connectivity global in scale but flexible enough to address specific vertical market needs.
- High capacity, high speed, and low latency to meet the needs of new use cases.
- Ability to view and manage all members of the network environment.
The last of these is particularly crucial, because it pertains to knowing not just the rights and privileges of the devices accessing a network, but also authenticating that individuals or machines behind the keystrokes or commands are exactly who or what they are supposed to be.
Minimizing Business Risk with a Private Network
The rapid proliferation of IoT devices and applications that are dependent on the public internet is opening a new era in connectivity – and vulnerability. As businesses seize the opportunities of this new era, they risk leaving their commercial data and systems exposed to a public internet never intended for that purpose.
Ultimately, companies that want to conduct business and transfer data with certainty, security and privacy should not rely on the public internet. They must integrate the use of a private, isolated network to protect and authenticate their data. Those businesses electing not to use such a network for their sensitive communications and transactions will be accepting the same risk as the only building in the neighborhood without locks on its doors.
As Senior Vice President and Chief Security and Risk Officer, Phil Celestini leads security and risk management across Syniverse, including adopting new technologies and building industry awareness of critical threats and opportunities arising from such areas as the internet of things, 5G, artificial intelligence, and blockchain. With a career spanning more than 35 years across government, law enforcement, and the military, Phil brings extensive executive leadership experience in security, risk, and compliance. From 1992 to 2018, he served as a Special Agent in the U.S. Federal Bureau of Investigation (FBI), where he was most recently Special Agent in Charge in Washington, D.C., and where he also served as the FBI’s senior representative to the National Security Agency and U.S. Cyber Command, among other roles. In addition to his investigative acumen, Phil is an acknowledged expert in cyber and information security. He earned several commendations and community honors as an FBI Special Agent, serving in positions of increasing leadership responsibility in numerous field offices, FBI headquarters, and on the National Security and Homeland Security Councils at the White House. Prior to his FBI career, he served as an intelligence operations officer in the U.S. Air Force. He received his bachelor’s degree from the U.S. Air Force Academy and a master’s degree in public safety leadership from Capella University.