Booz Allen: IoT Will Force Enterprises Into “Active Defense”

The Internet of Things (IoT) is about to make cybersecurity a lot more difficult — and also dramatically different, according to a new set of predictions from security consultants at Booz Allen.

With a large number of connected devices coming inside enterprise firewalls with employees and customers every day, and the odds high that a significant number of them will already have been compromised by malware, companies will have to take an “active defense” approach to security, especially in emerging areas like mobile payments and wearable.

That’s especially critical because even at the early stages of the IoT flood, the percentage of breaches in which financial information is exposed doubled from 18 percent in 2013 to 36 percent in 2014, according to Symantec.

“When it comes to data security, the fundamentals have changed,” said Booz Allen executive VP Bill Stewart, who heads the firm’s commercial cyber business.

“The companies we speak with are tired of chasing the problem: They want to do better than fight the next battle with the last war’s plan,” Stewart said. “Looking ahead, we see both new, daunting risks and a shift in how companies tackle the cyber security challenge.”

Among the key security issues and actions that Booz Allen sees on the way:

• Connected devices — the Internet of Things — will increase the cyberthreat “attack surface,” and companies must broaden defenses to include the wide range of embedded devices that now make up their ecosystem.
• “Proactive defense” — looking past the horizon to spot emerging criminal patterns and active threats — will become the goal as companies use real-time intelligence and threat assessment data to shape decision making, fine tune defenses and pre-empt emerging threats.
• Third-party incident response vendors will face increased scrutiny by chief information security officers, with the new baseline being a demand for experienced cybersecurity talent, a strong step-by-step methodology, and expertise in crisis communications, legal, policy, business and technical areas.
• Cybersecurity will continue to evolve from a compliance issue to a strategic, business-critical priority, as preparedness moves beyond dollars and compliance to actually protecting the business from damaging attacks.
• Embedded security — in items ranging from electric turbines and air-conditioning systems down to “smart” lightbulbs and vehicles — will become a high priority for keeping the business running.
• CEOs will begin rethinking cyberthreat response, and consider adding a C-level leader who’s explicitly in charge of data breach response across all facets of the organization.