Too many C-level leaders in today’s business world think that information security is just another technology layer, created to fortify and protect their data and infrastructure at the technology level. This perception is mostly based on what most people learned and practised at the start of the 21st century, when information security was used mainly against threats at the technology level.
But is this still true today?
With IoT emerging and most devices becoming part of a worldwide network, the truth is that ISGRC (information security governance, risk and compliance) overlaps more and more with physical security and safety threats. Take ransomware, for example. If a power company is hit with ransomware, what will the result be? While the attackers try to collect their ransom, all services will be taken offline. If the ransomware manages to get into the SCADA systems, a blackout becomes a very real possibility. Under certain circumstances that is enough to cost lives (e.g. a hospital loses power).
But this is no news. Such incidents have been happening almost every day in recent years. Still, people think this is just a technology threat that should be dealt with only at that level. So what happens when an attack breaches security and results in the loss of a life, or of several lives?
Only a handful of organizations have so far considered such a case; they have formed specialized CSIRT departments within the organization that will handle such a security crisis in collaboration with legal and the executive board. Most organizations have created only an ISGRC department (and even that is not the rule for all).
Let’s take this a step further.
More and more people are getting connected today: smartphones, smart homes, smart cities, digital services for almost everything, even smart cars that connect for entertainment and more. So an ordinary person walking down the road might be connected via a smartphone and a smartwatch (which may also be connected to a pacemaker), and then get into a connected car. Everything is technology-enabled, yes. But our technology is built to be anthropocentric, so any threat to those connected technology items has an impact on the human who directly depends on them. If an attack targets this person, how is he or she going to be protected? Protection software can only go so far as preventing a possible threat at the logical level. What if this is not enough?
Are today’s people able to deal with a cyber threat that affects their everyday life on all levels? One that could even block them from doing simple things like entering their own home, because their smart-home devices may lock everyone out?
So, an idea. Besides implementing a “kill -9” switch on all devices (which carries enough risks of its own), should all people be trained in a mandatory way about security threats coming from the IoT? Security awareness training is a concept that some organizations have, but it is in no way mandatory. Should that change?