risks and rewards of connected devices

RISKS AND REWARDS OF
CONNECTED DEVICES
Staff
ISACA 2014 IT RISK / REWARD BAROMETER REPORT
The Internet of Things is about more than just connected devices—it’s about the vast integrated
systems that these billions of devices comprise. More and more products, companies and networks
are collecting and sharing data from individuals and enterprises than ever before, in the name of greater
personalization, ease, insights and operational efficiency. But as several recent high-profile data breaches
have shown, this ecosystem is far from impenetrable. In the wake of these large-scale attacks on
consumers and corporate data, ISACA’s 2014 IT Risk/Reward Barometer explores the mindsets and
behaviors of both consumers and IT/business professionals, looking specifically at their awareness,
concerns and reactions to issues related to connected devices. ISACA also looks at the business and
IT implications for enterprises, whose duty to safeguard the data they collect is now under even more
intense scrutiny.
THE LANDSCAPE TODAY
The global market for connected devices—including home
appliances, personal electronics, clothing, and other accessories
that can interact with the Internet or other devices—is set to exceed
US $7 trillion by 2020.1 The total number of mobile connections
is expected to rise from 7.4 billion in 2014 to 10 billion in 2020.2
The proliferation of mobile phones and tablets, the growth of cloud
storage, and a heightened focus on big data have nurtured the
evolution of the “Internet of Things” in a big way.
THE TOTAL NUMBER OF
MOBILE CONNECTIONS
IS EXPECTED TO
RISE TO
There are many potential benefits to having more seamlessly
connected devices: personalized consumer experiences, drawing
data from various sources to form a more complete picture of a
user’s preferences and needs; added convenience, with devices
speaking directly to each other without the need for a human
mediator; as well as opportunities for collaboration among different
software and device-makers. And as ISACA discussed in last year’s
report, enterprises also have the potential to reap numerous rewards
from the Internet of Things: greater efficiency, lower costs, improved
services, more accurate supply chain management, greater
accessibility to information, increased employee productivity and
increased customer satisfaction.
IN 2020.
10 BILLION
“WORLDWIDE AND REGIONAL INTERNET OF THINGS 2014-2020 FORECAST,”
INTERNATIONAL DATA CORPORATION (IDC), 2014
2
“IOT DEVICE CONNECTION EFFICIENCY GUIDELINES,” GSMA, 2014`
1
ISACA 2014 IT RISK/REWARD BAROMETER
1
Recently, one specific subset of connected devices has been
receiving increased attention: wearables. Consumer tech
companies are introducing increasingly accessible and appealing
wearable devices, hoping to spur wider adoption among the
masses. These products do not stand alone, either. Connected
devices prove their usefulness by functioning within ecosystems: a
health/fitness band that can communicate with your smartphone,
which can adjust the temperature in your home, which can
speak to your smart fridge, which can show notifications on your
connected TV.
These are impressive advancements, but there are numerous
potential risks associated with this high degree of connectivity.
The more that devices share and store personal information, the
more entry points there are for information to be compromised.
In the past year alone, data breaches at major organizations such
as Target, eBay, Japan Airlines, more than 30 banks in Brazil
and even the Australian Department of Immigration and Border
Protection have brought the vulnerability of consumer data directly
into the public eye, at least temporarily. The fallout of these
breaches affects not only the consumers whose data are at risk,
but the enterprises entrusted with protecting those data.
THE MORE THAT
DEVICES SHARE AND
STORE PERSONAL
INFORMATION,
THE MORE
ENTRY POINTS
THERE ARE FOR
INFORMATION TO BE
COMPROMISED.
DATA PRIVACY AND SECURITY A GROWING FOCUS
Along with the benefits and hazards of this complex technological landscape comes the need to balance
them out safely and responsibly. This is a significant challenge for enterprise management, along with
IT departments and cybersecurity specialists, who are tasked with many of the decisions that affect
the integrity of company, customer and employee information—including the devices consumers, as
employees, bring into the workplace.
The IT Risk/Reward Barometer examines attitudes and behaviors related to the risks and rewards of key
technology trends, such as the Internet of Things (including wearable devices) and bring your own device
(BYOD). Given the high-profile data breaches among enterprises, the 2014 IT Risk/Reward Barometer
also included this topic as a key focus area. The 2014 Barometer consists of two components: a survey
of ISACA members (1,646 respondents from 110 countries) and a survey of consumers (more than
4,000 respondents in four countries: Australia, India, the United Kingdom and the United States).
ISACA 2014 IT RISK/REWARD BAROMETER
2
WHAT CONSUMERS THINK
DATA BREACHES TOP OF MIND, BUT FEW CONSUMERS DOING ANYTHING DIFFERENTLY IN RESPONSE
In light of the millions of consumer credit cards, email addresses and other bits of private information that
were compromised recently, ISACA explored consumer attitudes around these data breaches and found
a significant disconnect between knowledge and behaviors. Nearly all respondents have heard about
prominent breaches (US: 94%, UK: 90%, India: 87%, Australia, 84%), and the majority said these data
breaches increased their concern about the privacy of their personal data (US: 75%, UK: 63%, Australia,
61%, India: 45%).
However, few have changed key actions in their wake. For example, in the U.S. less than half of
respondents say they changed PINs and/or passwords, and only about a quarter say they shopped
less frequently at the retailers that experienced a breach. Nearly a third did not change their shopping
behavior at all.
This disparity could reflect some hesitation about how consumers think about and manage their privacy
and uncertainty about whose responsibility it is to keep consumer information safe. These consumers
are also employees, and are likely to bring this same gap between knowledge and action into the
workplace. This underscores the importance of business and IT professionals proactively managing and
educating employees about privacy and security.
THESE CONSUMERS ARE ALSO EMPLOYEES, AND ARE
LIKELY TO BRING THIS SAME GAP BETWEEN PRIVACY
RISK BELIEF AND ACTION INTO THE WORKPLACE.
Three steps all shoppers should take, whether or not their data has been compromised by a breach, are:
1. Protect personal information by creating a strong password unique to each account.
2. Protect devices with current security software.
3. Verify that online transactions are secure by looking for a padlock icon displayed in the browser.
ADVANCE OF CONNECTED DEVICES AND WEARABLES
Consumers are beginning to integrate more connected devices into their lives. According to the survey,
more than a quarter of all respondents own either a smart TV (India: 49%, Australia: 38%, UK: 37%, US:
29%) or a connected car (Australia: 41%, India: 33%, US: 23%, UK: 23%), for example, and more than
half of consumer wish lists for the coming year include connected devices.
Ownership of wearable devices, such as smart glasses or smart watches, is still new, with most
respondents across countries reporting that they do not own or use such products. But if consumers
have it their way, expect that to change: roughly one in five in several countries say they would like to get
a smart watch in the next year (Australia: 18%, UK: 17%, US: 14%). The growing focus of major players
such as Apple, LG and Samsung on the wearables market may have contributed to this shift, luring
consumers previously unconvinced of the necessity or practicality of smart watches and other
wearable devices.
Consumers aren’t just envisioning such products at home, either, with the vast majority of those who are
employed saying they would consider using wearable connected devices in their current workplace.
ISACA 2014 IT RISK/REWARD BAROMETER
3
GREATEST FEAR IS BEING HACKED
But these desires are coupled with a sense of apprehension. As consumers carry around and use more
devices that contain their personal information, the need for security increases, and their mindset reflects
this. Approximately nine in ten consumers across countries have concerns about the information that is
delivered to connected devices—the greatest being the fear that someone will hack into the device and
do something malicious, followed by not knowing about how their information will be used.
TOP 4 CONSUMER CONCERNS ABOUT INFORMATION DELIVERED VIA THE INTERNET OF THINGS
38%
40%
35%
30%
28%
31%
26%
25%
25%
20%
15%
22%
20%
15% 16%
16% 15%
22%
19%
12%
10%
11% 12%
5%
0%
AUSTRALIA
INDIA
SOMEONE WILL HACK INTO THE DEVICE
AND DO SOMETHING MALICIOUS.
UNITED KINGDOM
UNITED STATES
YOU DON’T KNOW HOW THE INFORMATION
COLLECTED BY THESE DEVICE(S) WILL BE USED.
YOUR PERSONAL INFORMATION WILL BE SOLD
TO OTHER COMPANIES/ORGANIZATIONS.
COMPANIES/ORGANIZATIONS WILL BE ABLE TO
TRACK YOUR LIFE (E.G., ACTIONS AND WHEREABOUTS).
In describing their approach to protecting their data on connected devices, more than half of connected
device owners consider themselves to be a “Take Charge” crowd, saying that they proactively manage
the privacy settings on their devices (US: 61%, UK: 59%, Australia: 57%, India: 46%). But that leaves
a substantial number who described themselves as either reactive or passive, managing their privacy
settings only in response to a major privacy issue or not managing them at all.
These findings echo those in the data breach section of the survey: despite serious, justified concerns
about the safety of their personal information, large blocks of consumers did not make any changes to
their behavior post-breach. As consumers begin taking these devices into the workplace, these results
suggest that much of the privacy and security burden will need to be borne by enterprise teams, which
will need to aggressively educate employees about how they can help reduce risk to better leverage the
many benefits of the devices. This “embrace and educate” approach is one way to attain the benefits
and efficiencies of the Internet of Things in a responsible manner.
ISACA 2014 IT RISK/REWARD BAROMETER
4
WHAT IT PROFESSIONALS THINK
SECURITY IS #1 INTERNET OF THINGS CHALLENGE
A related survey of global ISACA members who are business and IT professionals in 110 countries
reveals that, while many organizations plan to leverage the Internet of Things (28% already have plans
in place, and another 15% expect to create plans within the next 12 months), a number of concerns
remain, with security threats and data privacy topping their list of challenges.
In fact, most do not believe that the data collected on many
connected devices (e.g., smart TV, smart meters, connected cars) are
private. When asked for their opinion on recent headlines that have
declared “privacy is dead,” 69% of respondents said they were very
concerned about the decreasing level of personal privacy.
The only device considered secure—meaning it protects user data
and was not at risk of being stolen or misused by a hacker — by a
notable proportion of members/professionals surveyed, and only by a
very narrow margin, was an employee ID card with a sensor
(Secure: 42%, Not Secure: 39%, Unsure: 19%).
69%
ARE VERY CONCERNED
ABOUT THE
DECREASING LEVEL OF
PERSONAL PRIVACY
Despite recognizing the benefits of the Internet of Things and connected devices, more than a third of
members/IT professionals surveyed (35%) feel that the risks outweigh the benefits as it relates
to enterprises.
BYOW: NOT READY FOR WEARABLES AT WORK
Consumer interest in wearable devices will create complications in the workplace, with most ISACA
members/IT professionals saying that BYOD (bring your own device) policies are not ready for wearable
tech, and that BYOW (bring your own wearable) is as risky as BYOD. While they acknowledge that such
devices have the potential to add value, they are worried about how to manage and govern
them effectively.
Speaking to their own levels of preparation, more than half (56%) of respondents say their BYOD policy
does not address wearable tech, and another 23% do not even have a BYOD policy.
Despite their concerns at the organizational level, however, nearly half of ISACA members feel that the
benefit of the Internet of Things still outweighs the risk as it relates to individuals (46%).
ISACA 2014 IT RISK/REWARD BAROMETER
5
IMPLICATIONS FOR BUSINESS AND IT
Nearly all people and organizations around the world are now connected via the expanse and reach of
the Internet of Things. While this brings many efficiencies—to the point of people wondering how they
performed their jobs or maintained friendships prior to Internet access—the fact is that data breaches
will not only continue, but will most likely intensify.
Devices with “always on” network connectivity are enabling new types of attacks that have not been
seen in the past. A major ramification is a changed risk/value equation, which means that previous risk
decisions may need to be revisited. It is also imperative that everyone who has any form of connection
(be it customer, vendor, service provider, staff member or investor) has a critical role in helping
information stay secure and private. The time to implement holistic risk management is now. Before
we know it, these devices will become so prevalent and the capabilities so commonplace that they no
longer are described as “smart.” The IoT will soon be BAU.
THE IOT WILL SOON BE BAU.
RELATED RESOURCES
For full survey results, including related infographics, visit www.isaca.org/risk-reward-barometer.
Cybersecurity Nexus (CSX): www.isaca.org/cyber
COBIT framework for governance and management of information IT: www.isaca.org/cobit
ISACA Knowledge Center: www.isaca.org/knowledge-center
ABOUT THE 2014 IT RISK/REWARD BAROMETER
The annual IT Risk/Reward Barometer is a global indicator of trust in information. Conducted by ISACA, a global association
of more than 115,000 IT security, assurance, risk and governance professionals, the Barometer polls thousands of business
and IT professionals and consumers worldwide to uncover attitudes and behaviors about essential technologies and
information, and the trade-offs people make to balance risk and reward. The study is based on September 2014 online
polling of 1,646 ISACA members from 110 countries.
Additional online surveys were fielded by M/A/R/C Research among 1,209 consumers in the US, 1,001 consumers in the UK,
1,007 consumers in India and 1,007 consumers in Australia. The US survey ran 8-11 September 2014, and the UK, India and
Australia surveys ran 8-17 September 2014. At a 95 percent confidence level, the margin of error for each individual country
sample is: US: +/- 2.8 percent and UK/India/Australia: +/- 3.1%.
To see the full results, visit www.isaca.org/risk-reward-barometer.
ABOUT ISACA
With more than 115,000 constituents in 180 countries, ISACA® (www.isaca.org) helps business and IT leaders build trust
in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge,
standards, networking, and career development for information systems audit, assurance, security, risk, privacy and
governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, including the Cybersecurity Fundamentals Certificate. It also offers COBIT®, a business framework that helps
enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills
and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security
Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems
Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Contact: [email protected]
ISACA 2014 IT RISK/REWARD BAROMETER
6