As Internet of Things (IoT) applications gradually make their way throughout the economy, businesses need to be mindful of both the opportunities as well as the risks they present. This is particularly noteworthy this year, as much of the workforce has been consigned to working from home, very often using personal or otherwise unprotected devices.
“IoT devices don’t rely on human operators, but, rather, work independently using a combination of sensors and artificial intelligence to make decisions. This is where the value comes from, but it also creates vulnerabilities,” says Yuri Zaharin, country manager for Malaysia at Exclusive Networks. The company is a global vendor and provider of cybersecurity services.
When people think of IoT applications, he says, they usually think of devices at home, such as smart fridges, air-conditioning units and garage door openers.
The explosion of these data collection points naturally means that cyber criminals can exploit a connected fridge, for example, in much the same way that he would a smartphone or laptop.
“However, IoT is increasingly being incorporated into enterprises, and even government and public services,” Yuri adds.
Many of these IoT devices — from consumer products such as smartphones and connected wearables to connected production lines and independently operating machinery — have a combination of sensors, cameras, microphones, voice recognition software as well as GPS capabilities. “These components are often processing large amounts of personal and company information,” Yuri tells Digital Edge.
The implications are worrisome, because even with the relatively small IoT penetration throughout the Malaysian economy, incidents of cybercrime and data breaches are already quite pervasive.
According to a 2013 paper by Deputy Superintendent of Police (DSP) Mahfuz Datuk Ab Majid of the Royal Malaysian Police, cybercrime surpassed drug trafficking as the most lucrative form of criminal enterprise. He went on to add that roughly 70% of all commercial crimes in Malaysia were classified as cybercrime.
Perhaps unsurprisingly, this year’s reports of cyber fraud have increased sharply from those in 2019. According to Communications and Multimedia Deputy Minister Zahidi Zainul Abidin, some 5,697 incidents of cyber fraud were reported to CyberSecurity Malaysia between January and August this year — a 22% increase from the previous year’s corresponding period.
“While IoT-enabled devices are much more prevalent in our daily lives, this is still just the beginning. As we move more of our capabilities to the cloud, and cloud-based solutions become more sophisticated, we will see even more reliance on IoT devices and solutions. I also see greater use of IoT devices with the advent of 5G.”
Proactive protection necessary
It is imperative that businesses take steps to proactively protect both their employees and connected production lines.
According to Yuri, laws and regulation often struggle to keep pace with cybercrime, which is why businesses should not wait for the legislation to kick in before they comply with it.
Further, given the level of interconnectivity between businesses, and even government, a seemingly minor breach on one network could cause catastrophic losses for other businesses or government agencies that happen to be connected to that particular network.
“By definition, IoT is a shared ecosystem, including between the public and private sectors. This is why globalised and uniform risk standards should be introduced to the market. Otherwise, when a security breach occurs in a small, third-party vendor, it could end up affecting users of a large government agency, for example,” says Yuri.
Another potential security measure — albeit one that would take time to implement — would be the standardisation of the various IoT devices. “This would be especially helpful when it comes to interoperability,” he adds.
Yuri also recommends businesses putting in place a “business continuity plan” in the event that one or more of their IoT devices are compromised. Business leaders, he says, should essentially take it as a given that breaches will occur at some point. “It is important then to have plans in place to react quickly and decisively to a breach. This could mean the difference between a quick recovery and significant fines, reputation damage or worse.”
Ultimately, he says, a business’ attitude to cybersecurity will start at the leadership.
“Leadership needs to ensure that cybersecurity best practices are implemented company-wide. There cannot be just some business units that embrace it, while others don’t.
“IoT connects business units in many, often unexpected, ways, and a decentralised approach to cybersecurity won’t necessarily work.”