
Vulnerabilities / Threats

Greg Clark

A New Risk Vector: The Enterprise of Things

Billions of devices -- including security cameras, smart TVs, and manufacturing equipment -- are largely unmanaged and increase an organization's risk.

When FedEx subsidiary TNT Express was hit by ransomware in 2017, its delivery units were crippled and much of its shipping operations ground to a halt. In addition to delaying services to customers, the attack cost FedEx approximately $300 million, according to public filings.  

It's a story that is unfortunately becoming more commonplace today. Ransomware is ravaging businesses around the world, bringing manufacturing plants to a standstill, preventing hospitals from treating patients, and even keeping students from remote schooling during this pandemic. Meanwhile, attackers continue to steal data and credentials from companies of every size in every industry and leverage them for profit. 

As cybercrime damages are expected to reach $6 trillion by 2021, a growing number of breach notification laws and regulations like the EU's General Data Protection Regulation are bringing transparency to the direct financial impact of a cyberattack. Corporate directors are increasingly pushing company leaders for an improved understanding of cyber-risk, as well as a mitigation strategy and plan. The potential sudden and material impact of cyberattacks has pushed cybersecurity to the top of the risk register for many enterprises. Most boards and executive teams lack familiarity with these risks, so board-level cybersecurity education is typically the first step, quickly leading to questions on how the enterprise can buy down cyber-risk.


As directors ask these questions, many boards are finding that the organization has invested in controls such as antivirus and firewalls for years. However, these tools do not address one of the largest cybersecurity blind spots today: the Enterprise of Things. Billions of devices, including security cameras, smart TVs, and manufacturing equipment, are connecting to enterprises. When you look at the risk management fabric of any company of significance, the risk posed by these resident unmanaged devices and systems is high. 

In many cases, this proliferation of Enterprise of Things devices pushes productivity and innovation forward, factors that are very important to a board of directors in its obligation to drive shareholder value and reduce its risk profile. However, a single poorly secured device connected to the corporate network could be the weak link that negates those benefits, instead causing significant financial and reputational harm. That weak link could be a single laptop, a sensor monitoring a nuclear plant, a printer, a medical device, or, in the case of a Las Vegas casino, a fish tank thermometer.

Boards need to understand the company's cyber-risk exposure, quantify the potential impact if hit by a cyberattack, and take steps to ensure that every dollar spent on cybersecurity directly buys down that enterprise risk. To do that, they need to build a defense inside of their cyber castle walls, with a real-time, continuous, and context-rich understanding of the managed and unmanaged assets. If the network were a beach composed of vast numbers of connected entities that formed the grains of sand, the company needs to have the ability to zero in on a single anomalous grain and then analyze it in granular detail. 

Boards must ensure that the security function has the right skills, processes, and technologies to implement an active defense strategy that includes identifying, segmenting, and enforcing compliance of every connected thing from the time a device enters the network and throughout its life cycle. Key to an active defense is having the ability to isolate and automate control and action across any asset, anywhere, anytime to mitigate risk, contain breach impact, and operate fearlessly — without worrying about keeping critical assets online.

The ultimate goal should be the implementation of a process for formal review of cybersecurity risk and readout to the governance, risk, and compliance (GRC) and audit committee. Each of these steps must be undertaken on an ongoing basis, instead of being viewed as a point-in-time exercise. Today's cybersecurity landscape, with new technologies and evolving adversary tradecraft, demands a continuous review of risk by boards, as well as the constant re-evaluation of the security budget allocation against rising risk areas, to ensure that every dollar spent on cybersecurity directly buys down those areas of greatest risk.

We are beginning to see some positive trends in this direction. Nearly every large public company board of directors today has made cyber-risk an element either of the audit committee, risk committee, or safety and security committee. The CISO is also getting visibility at the board level, in many cases presenting at least once if not multiple times a year. Meanwhile, shareholders are beginning to ask the tough questions during annual meetings about what cybersecurity measures are being implemented. 

In today's landscape, each of these conversations about cyber-risk at the board level must include a discussion about the Enterprise of Things given the materiality of risk. New devices, sensors, and other connected entities are constantly entering the enterprise. Attackers have proven their efficacy at using vulnerable devices as an entry point into the broader enterprise. New vulnerabilities and misconfigurations are discovered daily and therefore securing connected devices is not a one-time event, but rather a life cycle of continuous inspection and control. 
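The "identify, segment, enforce compliance" life cycle described above, and the continuous inspection this paragraph calls for, come down to one recurring job: reconcile what is actually on the network with what the organization manages, and decide where each device belongs. The script below is an added illustration of that job, not code from the author or from any product; every MAC prefix, VLAN name, inventory record and timestamp in it is constructed for the example, and the prefix-to-device-class table stands in for a real OUI or fingerprint database.

```python
"""Reconcile a network discovery sweep against the managed-asset inventory and
assign each connected thing a segment and a compliance verdict.
Added illustration: every device, MAC prefix, VLAN name and timestamp below is
constructed for the example and does not describe any real network."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed CMDB of managed assets, keyed by MAC. 'agent_last_seen' is the last
# check-in of the endpoint management agent (ISO 8601, hypothetical values).
MANAGED = {
    "aa:bb:cc:00:00:01": {"owner": "IT", "agent_last_seen": "2021-01-24T09:00:00"},
    "aa:bb:cc:00:00:02": {"owner": "IT", "agent_last_seen": "2020-12-01T09:00:00"},
    "aa:bb:cc:00:00:06": {"owner": "IT", "agent_last_seen": "2021-01-25T08:30:00"},
}

# Constructed MAC-prefix -> device class table (stand-in for a real OUI/fingerprint DB).
DEVICE_CLASSES = {
    "aa:bb:cc": "workstation",
    "de:ad:be": "ip-camera",
    "c0:ff:ee": "smart-tv",
}

# Segmentation policy: the VLAN each device class is allowed to live in.
SEGMENT_POLICY = {
    "workstation": "corp-users",
    "ip-camera": "ot-cameras",
    "smart-tv": "iot-media",
    "unknown": "quarantine",
}

# A managed device whose agent has not reported within this window is non-compliant.
AGENT_STALE_AFTER = timedelta(days=14)

# Constructed output of a discovery sweep (what an ARP/DHCP/switch-table poll might yield).
SAMPLE_DISCOVERY = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.1.10", "vlan": "corp-users"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.11", "vlan": "corp-users"},
    {"mac": "de:ad:be:00:00:03", "ip": "10.0.1.12", "vlan": "corp-users"},
    {"mac": "c0:ff:ee:00:00:04", "ip": "10.0.5.20", "vlan": "iot-media"},
    {"mac": "01:23:45:00:00:05", "ip": "10.0.1.13", "vlan": "corp-users"},
    {"mac": "aa:bb:cc:00:00:06", "ip": "10.0.5.21", "vlan": "iot-media"},
]


@dataclass
class Finding:
    mac: str
    ip: str
    device_class: str
    managed: bool
    compliant: bool
    target_segment: str   # where the device should be placed (or kept)
    reason: str


def classify(mac: str) -> str:
    """Map a MAC to a device class by its first three octets; unknown prefixes
    are reported as 'unknown' rather than silently trusted."""
    return DEVICE_CLASSES.get(mac.lower()[:8], "unknown")


def evaluate(discovered: list, now_iso: str) -> list:
    """One Finding per discovered device: identify it, check it against the
    inventory, and decide the segment it belongs in."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for d in discovered:
        mac = d["mac"].lower()
        cls = classify(mac)
        expected = SEGMENT_POLICY[cls]
        record = MANAGED.get(mac)
        if record is None:
            # Not in the inventory: unmanaged. Isolate until it is enrolled,
            # whatever its class, because nothing vouches for its patch level.
            findings.append(Finding(mac, d["ip"], cls, False, False,
                                    "quarantine", "not in inventory"))
            continue
        last_seen = datetime.fromisoformat(record["agent_last_seen"])
        if now - last_seen > AGENT_STALE_AFTER:
            findings.append(Finding(mac, d["ip"], cls, True, False,
                                    "quarantine", "management agent stale"))
        elif d["vlan"] != expected:
            findings.append(Finding(mac, d["ip"], cls, True, False,
                                    expected, f"in {d['vlan']}, policy says {expected}"))
        else:
            findings.append(Finding(mac, d["ip"], cls, True, True, expected, "ok"))
    return findings


def risk_summary(findings: list) -> dict:
    """Board-level numbers: how much of the estate is unmanaged or out of policy."""
    total = len(findings)
    unmanaged = sum(1 for f in findings if not f.managed)
    noncompliant = sum(1 for f in findings if not f.compliant)
    return {"total": total, "unmanaged": unmanaged, "noncompliant": noncompliant,
            "unmanaged_pct": round(100 * unmanaged / total) if total else 0}


if __name__ == "__main__":
    results = evaluate(SAMPLE_DISCOVERY, "2021-01-25T10:00:00")
    for f in results:
        print(f"{f.mac} {f.device_class:<12} managed={f.managed!s:<5} "
              f"-> {f.target_segment:<12} {f.reason}")
    print(risk_summary(results))
```

Run on a schedule against fresh discovery data rather than once: the inventory, the policy table and the agent check-in window are all inputs that drift, which is exactly why the article treats device security as a life cycle. The unmanaged-percentage figure from `risk_summary` is the kind of number that can be carried unchanged into a board readout.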

Those on the board of directors have a responsibility to ensure they have a thorough understanding of these risks on a continuous basis and that the company has the proper controls in place to address this critical area of risk. As our dependency on the Enterprise of Things grows, so does the associated risk. We have to remain diligent about executing an active defense for the Enterprise of Things.

Greg Clark served as CEO and member of the Board of Directors of Symantec Corporation between August 2016 and May 2019. Prior to joining Symantec, Clark was CEO of Blue Coat Systems, Inc. from 2011 until its acquisition by Symantec in August 2016. During this period, Clark ...
