You don’t need to be a student of American cinema to know what the movies “Animal House” and “A Few Good Men” have in common:
Most, if not all, of us have heard about the Six Degrees of Separation theory–ostensibly, everyone and everything is just six connections removed from Kevin Bacon–to appreciate just how interconnected our society and our world have become. And in the rapidly changing world of technology, nothing better personifies the Six Degrees theory than the Internet of Things (IoT).
With tens of billions of connected things–and counting–the IoT is like a giant ecosystem that feeds on itself every second of every minute of every hour of every day. With each new connection point, the IoT becomes larger and more intertwined among people and machines. Every day, our work, home, and public comings and goings link up, forming associations that may seem fleeting, but in actuality are permanent.
Our devices–as sophisticated and as digitally affixed to our lives as computers and phones, or as seemingly mundane and disparate from much of our lives as toasters and toys–are constantly building, exploring, and leveraging new relationships among people and machines. Like it or not, know it or not, we are all connected to each other and to every type of device with a sensor or a chip. In fact, we’re just six degrees apart from each other, just like Kevin Bacon.
I’m sure many consumers–and probably even many business executives and board members–don’t fully grasp how true this is. You may think your IoT connectivity is far more limited than it really is. Oh, how wrong you would be.
And the cybersecurity implications are huge.
Obviously, all of your employees have a PC, a phone, and probably any number of other digital devices, all connecting at one time or another to a corporate network to access data, applications, services, or other connected resources. And, those same devices used for work are increasingly being used on your employees’ home networks, as well as on public WiFi networks. Every time your employees connect on a network, whether at work, at home, or out in public, they have opened a permanent gateway to your organization’s crown jewels.
Let’s say I’m sipping a latte in Starbucks, participating in a conference call on my smartphone. Guess what? I’m one degree separated from other people’s smartphones, and two degrees separated from their IoT devices–at their place of work, in their homes, in their cars, or out in any realm of the digital public infrastructure.
Oh, and don’t forget Industrial IoT, as well, where your devices may be one tiny degree of separation from industrial control systems like SCADA, water purification systems, or an electrical grid. Now, remember back to that conference call at Starbucks, where your phone was one degree of separation from another smartphone–perhaps, a smartphone that was infected by a previously undiscovered form of malware. It’s not ridiculous to assume a seemingly isolated malware incursion on someone’s phone can result in undrinkable water for an entire city.
Finally, keep the following facts in mind:
- Far fewer than 1% of things that could be connected to the Internet currently are. By the way, there are currently 1.5 trillion–yes, trillion with a “t”–devices that could be connected.
- Most IoT smart devices aren’t in your home or phone; they are in factories, businesses, and healthcare.
- Connected devices currently outnumber cellphones by fourfold–a multiplier that is moving skyward fast.
With new IoT attack vectors being discovered–and exploited–every time a new smart connection takes place, and with the very concept of the network’s perimeter being redefined in dramatic new ways, the status quo no longer will do. New solutions for a new digital paradigm are a must.
Business executives–in close partnership with their CISOs, CIOs, cloud service providers, and business stakeholders–need to reframe their thinking for these rapidly changing trends. For instance, the old way must become the new way:
- Firewalls, border controls and air gaps give way to boundless networking.
- Anti-virus and signature detection morph into cognitive security.
- Detection and response is out, prevention is in.
- Passing the problem over to the technical team becomes redefined as owning the IoT security challenge.
As Kevin Bacon gets closer and closer to your most valuable digital assets, business leaders need to remember that traditional IT security controls and defenses no longer make employees “safe” at work. You may not have an Apple TV in your office, but someone in your company has one at home, and you never know if it has been compromised by hacking, which has then been passed on to your employee’s laptop, tablet, or phone, and in turn has touched and infected your corporate network.
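The Starbucks scenario above and the Apple TV chain just described are both statements about reachability: how many hops separate an untrusted consumer device from a corporate asset, and what a segmentation control does to that number. The script below is an added example, not code from the original post. It models a small, constructed topology (hypothetical device and network names), computes the degrees of separation with a breadth-first search, lists everything within a given hop count of a crown-jewel asset, and then shows how an allow-list in front of that asset removes the path entirely.

```python
from collections import defaultdict, deque

# Constructed example topology (hypothetical; not from the post). Each edge
# means the two endpoints can pass traffic to each other, e.g. a device
# joined to a Wi-Fi network, or a network that hosts a server.
EDGES = [
    ("my_phone", "starbucks_wifi"),
    ("stranger_phone", "starbucks_wifi"),
    ("stranger_phone", "stranger_home_wifi"),
    ("stranger_home_wifi", "stranger_thermostat"),
    ("my_phone", "corp_wifi"),
    ("employee_laptop", "corp_wifi"),
    ("employee_laptop", "employee_home_wifi"),
    ("employee_home_wifi", "apple_tv"),
    ("corp_wifi", "corp_file_server"),
]


def build_graph(edges):
    """Undirected adjacency map: node -> set of neighbours."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def degrees_of_separation(graph, src, dst):
    """Breadth-first search. Returns (hops, path) for the shortest path from
    src to dst, or (None, []) when no path exists."""
    if src == dst:
        return 0, [src]
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph[node]):  # sorted so the chosen path is deterministic
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                path.reverse()
                return len(path) - 1, path
            queue.append(nxt)
    return None, []


def exposure(graph, asset, max_hops):
    """Every node within max_hops of asset, mapped to its hop count: the
    blast radius a defender wants to shrink."""
    dist = {asset: 0}
    queue = deque([asset])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    del dist[asset]
    return dist


def segment(graph, asset, allowed):
    """Return a copy of graph in which asset talks only to the allowed
    neighbours (models a firewall or VLAN allow-list in front of it)."""
    new = defaultdict(set, {n: set(nb) for n, nb in graph.items()})
    for nb in list(new[asset]):
        if nb not in allowed:
            new[asset].discard(nb)
            new[nb].discard(asset)
    for nb in allowed:
        new[asset].add(nb)
        new[nb].add(asset)
    return new


if __name__ == "__main__":
    g = build_graph(EDGES)
    for src in ("apple_tv", "stranger_thermostat"):
        hops, path = degrees_of_separation(g, src, "corp_file_server")
        print(f"{src} -> corp_file_server: {hops} hops via {' > '.join(path)}")
    print("within 2 hops of the file server:", exposure(g, "corp_file_server", 2))
    # Put the file server behind an admin-only VLAN and recompute.
    g2 = segment(g, "corp_file_server", {"corp_admin_vlan"})
    print("after segmentation:",
          degrees_of_separation(g2, "stranger_thermostat", "corp_file_server"))
```

In this constructed graph the stranger's thermostat sits exactly six hops from the corporate file server, and the employee's Apple TV four; once the server accepts traffic only from an admin VLAN, neither device has a path to it at all. The same BFS over a real asset inventory (device, network, and server relationships exported from an NAC, CMDB or cloud inventory) is a cheap way to put a number on the "degrees" the post describes and to check that a segmentation change actually broke the path.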
Now, I’m obviously not telling you to avoid IoT. Far from it, in fact. I personally own a massive number of intelligent devices that I use at work, at home, and out in public. I am a huge believer in IoT’s potential for extraordinary economic impact, and the things IoT is already doing to make us more productive, efficient, and intelligent are literally the tip of the iceberg. But that doesn’t mean that I throw my sense of caution to the wind because I’m excited about what IoT can do and already is doing.
Organizations need to understand that the Kevin Bacon theory of networking is real, and keeping the enterprise and its digital assets safe and secure is imperative–and not just for the CISO. Business leaders need to be active participants in IoT security, because what I’ve tried to describe here is contagion theory, pure and simple. And you need to prevent this digital Ebola virus from moving into your corporate data by way of a poorly patched consumer device or an unmanaged endpoint as seemingly innocent as a NEST thermostat or a talking doll.
Otherwise, you and your organization will end up becoming more familiar with Kevin Bacon than you ever dreamed.