Across commercial real estate/property and the insurance industry, the early vanguard are already reaping the benefits of real-time data insights from the use of Internet of Things (IoT) devices. These organisations are moving from a reactive posture to one of “predict and prevent”, and in the process are making their people, processes and assets safer and more resilient.
From deploying sensors, to tracking the top causes of loss (for example, fire and escape of water), to ensuring the optimal use of available resources, there is a great deal that IoT and real-time data insights can offer.
That being said, one major challenge continues to disrupt the smooth deployment of IoT devices: cyber threats (and the associated cyber security issues).
SENSE invited industry experts across insurance, broking and cyber, to debate and explore the following topic: “What are the various challenges associated with cyber security in and around the deployment of IoT in commercial property?”
A huge thank you to our event sponsor, PSA Certified, and Anurag Gupta (Director Market Development at Arm) for joining the discussion.
The challenges are many, not least the number of devices being connected every day across multiple industries.
“The market is massive and damage from cyberattacks and cybercrime is growing. This is a great opportunity to talk about how to collaborate between the insurance and technology sectors in order to build an understanding of what IoT security best practice truly looks like.” Anurag Gupta (Director Market Development at Arm)
In short, no single individual or organisation can possibly solve the security challenges on their own.
A superb panel of guests – including Terry Ingoldsby (President at Amenaza Technologies Limited), Laure Zicry (Head of Cyber Insurance, Western Europe at WTW), Desirée Spain (Southeast Regional Manager, US Cyber Risks at Beazley) and Michelle Kradolfer (IoT Technical Officer at Police CPI) – came together to explore the realities of meeting the challenges faced by the insurance industry and beyond.
The technology sector perspective
Security has always been a huge focus for the technology ecosystem, because it has to work several years ahead of products being released into the market. In effect, it has to predict the future in order to understand which threats are likely to pose a risk by the time a product ships. With this in mind, the technology ecosystem (for example, IP providers, silicon providers, software providers and device manufacturers) has been looking at device security for some time. Together, they have been working on frameworks for best practice and building a common understanding of what “secure” really means.
“Schemes like PSA Certified bring together over 70 different companies to build and deploy a common understanding on what ‘best practice’ looks like. These companies are using the frameworks, but also using third-party labs to assess the security credentials of devices. We’re proud that this work can be reused in new sectors, like insurance, to make it easier to assess and underwrite business risk.” Anurag Gupta (Director Market Development at Arm)
The industry/practitioner perspective
Terry kicked things off by asking the dreaded question “Is cyber security important when dealing with IoT devices?”
IoT devices are fundamentally part of a larger technology and operating system within an organisation. A more holistic security approach is therefore required, one that assesses the IoT devices together with the overall technology and process architecture.
Whilst best practices can offer some security, they can also give a false sense of security if they become a tick-box exercise; in that case they end up harming rather than securing.
“Being compliant doesn’t guarantee that you’re secure. You can be secure without being compliant and compliant without being secure and you really need to be compliant and secure.” Terry Ingoldsby (President at Amenaza Technologies Limited)
This can leave many stuck in the ‘defender’ mindset rather than the ‘attacker’ mindset. Shifting between the two is a challenge in and of itself, since it involves a fundamental change in philosophy: moving from thinking reactively to actively considering the function of a device you intend to use, the consequences of it being compromised, the risks associated with it and, most critically of all, how an attacker might attempt to cause harm through it.
The broker perspective
Beyond the need for a change in mindset, it’s critical that those acquiring IoT devices also understand how they have been built.
“We need to educate people in the use of IoT so that they think like an attacker and so that they understand the value of all the data in the IoT devices or that is transmitted via the IoT devices.” Laure Zicry (Head of Cyber Insurance, Western Europe at WTW)
Such education is particularly critical when dealing with industries like healthcare that handle extremely sensitive data on a day-to-day basis, not least because that data is highly valuable to attackers. Cyberattacks cause a broad range of damage, much of it unseen, with significant repercussions. A cyber incident will affect revenue, claims, reputation and trust, and will most likely leave the organisation unable to sell after the event because that trust and reputation have been lost.
Whilst there are obvious fixes, like using a strong password, the education must also consider the complexities of the broader ecosystem:
For example, when users are connected to the Wi-Fi, questions like ‘how is this connected to the company system?’ and ‘is there genuine segregation?’ should form a part of conversations around potential threats faced.
Above all else, the most damaging mindset a company can adopt – and a significant obstacle in the way of education – is that of ‘well, it hasn’t happened to me, yet!’
Of course, understanding the need to quantify a risk and carrying out that quantification are two very different things, the latter of which can be a big ask for most organisations.
The insurer perspective
Data, and its centrality within the debate around cyber security and, in the context of the insurance sector, cyber insurance.
“At the core of the cyber insurance product is data and protecting it. What happens if data is breached and it gets exfiltrated from a client’s system and what’s the consequence of that?” Desirée Spain (Southeast Regional Manager, US Cyber Risks at Beazley).
The most interesting part of the insurer’s perspective, however, is not necessarily the range of coverage provided but how companies underwrite around IoT and the broader ecosystem in which such damaging consequences arise (whether through a lack of education or a lack of preventative measures).
“We don’t underwrite IoT in isolation, we underwrite the IT systems that are accessing or supporting IoT. Our focus is ‘what are you doing in your environment to protect these devices you’re using to support your systems?’.” Desirée Spain (Southeast Regional Manager, US Cyber Risks at Beazley)
As such, there’s a clear understanding that has already formed in this space, which revolves around looking beyond the use and impact of individual IoT devices.
The accreditation perspective
With credibility important to customers, the question remains as to why companies wouldn’t want to take steps to protect their clients’ confidence and show an intention to guarantee security (as far as possible, since security can never be 100% guaranteed).
The most (in)famous example of such a cyberattack occurred in a North American casino, where hackers managed to exploit a vulnerability in an IoT thermometer sitting in the casino’s fish tank. The thermometer was connected to the Wi-Fi and gave access to the database of gamblers – a humiliating reality for the organisation involved.
“If you have an IoT product and you’re selling to consumers – you don’t want to end up in the news with your product not being built safely, tested safely and given the right information. Consumers need to know how to use those devices safely in the settings they’re using them in,” Michelle Kradolfer (IoT Technical Officer at Police CPI)
There are obvious (and less obvious) steps that can be taken to avoid being the company that ends up in the news for all the wrong reasons, from changing your password to segregating systems. Adding a further layer of protection and, critically, of trust by securing accreditation would seem highly sensible.
In the case of UK-based companies, this could involve gaining accreditation with Secured by Design – the only police recognition available for any kind of security product in the UK – which can then be communicated to consumers to show that the product in question has gone through rigorous testing.
Advice to companies looking to deploy IoT devices in their particular field and industry?
It is important to test your defences sooner rather than later and, after analysing the consequences of an IoT device failing or being compromised, to get to a point where any potential harm can be controlled.
To do this, no deployed device can be looked at in isolation; it must be considered as part of the network, which is what the potential attacker will always have in mind as their end goal.
“If people want secure IoT devices, be prepared to pay for them because it’s going to cost vendors money to make them secure and you’re always going to be tempted to go for the cheaper option,” Terry Ingoldsby (President at Amenaza Technologies Limited)
A one-size-fits-all approach simply doesn’t exist. Scenario testing across the range of conceivable consequences of an IoT device being compromised is critical to inform the corrective and preventative action needed to remain secure. A tick-box approach, by contrast, can only go so far towards building a near-impenetrable layer of security.
Increased awareness of the challenges around the use of IoT (from development through to end users) is no doubt critical in building better defences.
“As consumers, we need to really consider which IoT products have been built with security in mind and, more specifically, whether a particular device is necessary within a specific environment” Michelle Kradolfer (IoT Technical Officer at Police CPI)
Individual components and considerations, like accreditation, can only go so far – there needs to be genuine accountability so that those dependent on the devices (generally the public rather than the operators) are not made to suffer.
As such, it is becoming increasingly clear that cooperation across all stages (drawing on the multitude of perspectives available, from the insurance industry to manufacturers) will be the key to fully answering the ongoing questions around cyber security.
“No single entity can solve the security challenge alone, which is why we need to have the unique partnership between us that shows an intersection of technology and business assurance.” Anurag Gupta (Director Market Development at Arm)