
Greg Clark

A New Risk Vector: The Enterprise of Things

Billions of devices -- including security cameras, smart TVs, and manufacturing equipment -- are largely unmanaged and increase an organization's risk.

When FedEx subsidiary TNT Express was hit by ransomware in 2017, its delivery units were crippled and much of its shipping operations ground to a halt. In addition to delaying services to customers, the attack cost FedEx approximately $300 million, according to public filings.  

It's a story that is unfortunately becoming more commonplace today. Ransomware is ravaging businesses around the world, bringing manufacturing plants to a standstill, preventing hospitals from treating patients, and even keeping students from remote schooling during this pandemic. Meanwhile, attackers continue to steal data and credentials from companies of every size in every industry and leverage them for profit. 

As cybercrime damages are expected to reach $6 trillion by 2021, a growing number of breach notification laws and regulations like the EU's General Data Protection Regulation are bringing transparency to the direct financial impact of a cyberattack. Corporate directors are increasingly pushing company leaders for an improved understanding of cyber-risk, as well as a mitigation strategy and plan. The potentially sudden and material impact of cyberattacks has pushed cybersecurity to the top of the risk register for many enterprises. Most boards and executive teams lack familiarity with these risks, so board-level cybersecurity education is typically the first step, quickly leading to questions on how the enterprise can buy down cyber-risk.


As directors ask these questions, many boards are finding that the organization has invested in controls such as antivirus and firewalls for years. However, these tools do not address one of the largest cybersecurity blind spots today: the Enterprise of Things. Billions of devices, including security cameras, smart TVs, and manufacturing equipment, are connecting to enterprises. When you look at the risk management fabric of any company of significance, the risk posed by these resident unmanaged devices and systems is high. 

In many cases, this proliferation of Enterprise of Things devices pushes productivity and innovation forward, factors that are very important to a board of directors in its obligation to drive shareholder value and reduce its risk profile. However, a single poorly secured device connected to the corporate network could be the weak link that negates those benefits, instead causing significant financial and reputational harm. That weak link could be a single laptop, a sensor monitoring a nuclear plant, a printer, a medical device, or, in the case of a Las Vegas casino, a fish tank thermometer.

Boards need to understand the company's cyber-risk exposure, quantify the potential impact if hit by a cyberattack, and take steps to ensure that every dollar spent on cybersecurity directly buys down that enterprise risk. To do that, they need to build a defense inside of their cyber castle walls, with a real-time, continuous, and context-rich understanding of the managed and unmanaged assets. If the network were a beach composed of vast numbers of connected entities that formed the grains of sand, the company needs to have the ability to zero in on a single anomalous grain and then analyze it in granular detail. 

Boards must ensure that the security function has the right skills, processes, and technologies to implement an active defense strategy that includes identifying, segmenting, and enforcing compliance of every connected thing from the time a device enters the network and throughout its life cycle. Key to an active defense is having the ability to isolate and automate control and action across any asset, anywhere, anytime to mitigate risk, contain breach impact, and operate fearlessly — without worrying about keeping critical assets online.

The ultimate goal should be the implementation of a process for formal review of cybersecurity risk and readout to the governance, risk, and compliance (GRC) and audit committee. Each of these steps must be undertaken on an ongoing basis, instead of being viewed as a point-in-time exercise. Today's cybersecurity landscape, with new technologies and evolving adversary tradecraft, demands a continuous review of risk by boards, as well as the constant re-evaluation of the security budget allocation against rising risk areas, to ensure that every dollar spent on cybersecurity directly buys down those areas of greatest risk.

We are beginning to see some positive trends in this direction. Nearly every large public company board of directors today has made cyber-risk an element either of the audit committee, risk committee, or safety and security committee. The CISO is also getting visibility at the board level, in many cases presenting at least once if not multiple times a year. Meanwhile, shareholders are beginning to ask the tough questions during annual meetings about what cybersecurity measures are being implemented. 

In today's landscape, each of these conversations about cyber-risk at the board level must include a discussion about the Enterprise of Things given the materiality of risk. New devices, sensors, and other connected entities are constantly entering the enterprise. Attackers have proven their efficacy at using vulnerable devices as an entry point into the broader enterprise. New vulnerabilities and misconfigurations are discovered daily and therefore securing connected devices is not a one-time event, but rather a life cycle of continuous inspection and control. 
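The "identify, segment, and enforce compliance" loop described above, and the continuous inspection the previous paragraph calls for, reduce in practice to reconciling what is actually observed on the network against what the organization believes it manages. The following script is an added illustration of that reconciliation, not code from the author or from any product; the managed-asset inventory, the segmentation policy, and the observed MAC/IP pairs are all constructed sample data, and the device classes and subnet assignments are hypothetical.

```python
"""Reconcile observed network devices against a managed-asset inventory.

Added example: flags unmanaged devices (never enrolled), devices sitting in
the wrong network segment for their class, and managed endpoints that lack
the required security agent. All data below is constructed.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    issue: str      # "unmanaged" | "wrong_segment" | "no_agent"
    severity: str   # "high" | "medium"


# Constructed stand-in for a CMDB / asset-management export (hypothetical).
MANAGED_ASSETS: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"name": "laptop-42", "class": "endpoint", "agent": True},
    "aa:bb:cc:00:00:02": {"name": "cam-lobby-1", "class": "camera", "agent": False},
    "aa:bb:cc:00:00:03": {"name": "plc-line-3", "class": "ot", "agent": False},
    "aa:bb:cc:00:00:04": {"name": "laptop-77", "class": "endpoint", "agent": False},
}

# Constructed segmentation policy: the subnet each device class must live in.
SEGMENT_POLICY: Dict[str, ipaddress.IPv4Network] = {
    "endpoint": ipaddress.ip_network("10.10.0.0/16"),
    "camera": ipaddress.ip_network("10.50.0.0/16"),
    "ot": ipaddress.ip_network("10.90.0.0/16"),
}

# Device classes for which a security agent is mandatory (hypothetical rule).
AGENT_REQUIRED = {"endpoint"}

# Constructed observations, as a DHCP lease table or ARP sweep might report them.
OBSERVED: List[Tuple[str, str]] = [
    ("aa:bb:cc:00:00:01", "10.10.3.7"),   # managed laptop in the right segment
    ("aa:bb:cc:00:00:02", "10.10.5.9"),   # camera plugged into the endpoint VLAN
    ("aa:bb:cc:00:00:03", "10.90.1.20"),  # PLC where it belongs
    ("aa:bb:cc:00:00:04", "10.10.8.2"),   # laptop with no security agent
    ("00:11:22:33:44:55", "10.10.9.9"),   # never enrolled: the "fish tank" case
]


def assess(observed: Iterable[Tuple[str, str]],
           managed: Dict[str, dict] = MANAGED_ASSETS,
           policy: Dict[str, ipaddress.IPv4Network] = SEGMENT_POLICY,
           agent_required: set = AGENT_REQUIRED) -> List[Finding]:
    """Compare every observed device with the inventory and policy."""
    findings: List[Finding] = []
    for mac, ip in observed:
        mac = mac.lower()
        addr = ipaddress.ip_address(ip)
        asset = managed.get(mac)
        if asset is None:
            # Identify: a device on the network that nobody has enrolled.
            findings.append(Finding(mac, ip, "unmanaged", "high"))
            continue
        cls = asset["class"]
        expected = policy.get(cls)
        if expected is not None and addr not in expected:
            # Segment: right device, wrong network for its class.
            findings.append(Finding(mac, ip, "wrong_segment", "high"))
        if cls in agent_required and not asset["agent"]:
            # Enforce compliance: managed, but missing a required control.
            findings.append(Finding(mac, ip, "no_agent", "medium"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings by issue type, e.g. for a risk-register readout."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(OBSERVED)
    for f in results:
        print(f"{f.severity:6} {f.issue:14} {f.mac} {f.ip}")
    print(summarize(results))
```

Run on a schedule against fresh lease or scan data rather than once: a device that passes today can move VLANs or lose its agent tomorrow, which is the life-cycle point the text makes. Each finding maps directly to a control owner (enrollment, network, endpoint), so the summary is what a GRC readout would consume.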

Those on the board of directors have a responsibility to ensure they have a thorough understanding of these risks on a continuous basis and that the company has the proper controls in place to address this critical area of risk. As our dependency on the Enterprise of Things grows, so does the associated risk. We have to remain diligent about executing an active defense for the Enterprise of Things.

Greg Clark served as CEO and member of the Board of Directors of Symantec Corporation between August 2016 and May 2019. Prior to joining Symantec, Clark was CEO of Blue Coat Systems, Inc. from 2011 until its acquisition by Symantec in August 2016. During this period, Clark ...
