EY model helps deliver state-of-the-art cybersecurity

21 April 2015 Consultancy.uk 6 min. read

The Internet of Things (IoT) is set to greatly increase the number of ways human beings can connect with each other and their environment. However, with the widening of interfaces comes a corresponding increase in the vectors through which cyber-adversaries can penetrate and leverage what the IoT tracks and monitors – and then use the information for nefarious ends. To limit the vulnerability of the devices controlled by businesses, EY has developed a cyber-security approach to protect a company’s digital frontier.

With the development of technology, the number of ways in which it is possible to have a relationship to something or with someone has steadily increased. Besides calling on someone or writing them a letter, we may now text them, message them, app them, or use any of the scores of other ways in which technologies and platforms now mediate human communication.

EY - Cybersecurity and the Internet of Things

In a recently released report titled ‘Cybersecurity and the Internet of Things’, accounting and consulting firm EY explores the rapid development of a new generation of interconnected communication devices, known as the ‘Internet of Things’. According to the firm, the potential of IoT will be disruptive, with the number of interconnected devices globally set to reach 50 billion by 2020.

The IoT will have sensing, analytics and visualisation tools, which can be accessed by anyone, anytime and anywhere in the world on a personal, community or a national level. Most IoT devices will use sensor-based technologies, in which the sensors will identify or measure any change in position, location, etc.; these sensors will transmit data to a particular device or server, which in turn will analyse the data to generate the “information” for the user. This processed information can then, depending on how it is leveraged, be used in a variety of contexts.

The stated benefits of the technology, according to EY, will penetrate and influence many facets of human activity: from devices that monitor health and devices that monitor city infrastructure for wear and tear, to devices that manage traffic or the efficacy of fleet movements and devices that optimise the production of goods in manufacturing value chains. There is a plethora of applications for the possible improvement of processes.

Risk Landscape

While the apparent benefits of the IoT are wide ranging, a number of barriers exist to the safe deployment and use of a system of sensors that essentially tracks and monitors everything human beings do, as well as those that control industrial processes. One of the key risks is security: according to EY’s research, a staggering 70% of IoT devices currently contain cyber-security vulnerabilities. Furthermore, the way in which they are used by consumers often exhibits naïve trusting behaviour towards something that has access to considerable personal information, implying the question is not ‘if’ but ‘when’ a security breach will occur from a sophisticated hacker. Going forward, the advisors note that in the coming years the quality and quantity of threats and attacks are set to increase as hackers become more experienced and traditional tools to mitigate risks become less effective.

Last year 24% of large UK firms said they were aware of a cyber-infiltrator that had successfully penetrated their business*, while 12% of small businesses knew of a successful infiltration. As it stands, 56% of organisations admit they cannot prevent an attack from a sophisticated opponent. One of the issues, according to EY’s report, is that technological boundaries are continuing to expand as millions of vulnerable devices are integrated into digital networks, with each new interface adding a new point of entry for a sophisticated adversary. The result is a digital landscape that is essentially unmanageable from a cyber-security perspective.

Three A model

Examples of risks need not even be limited to a massive introduction of IoT devices. The expectation that 253 billion apps will be downloaded by 2017 is itself a significant threat; the number of mobile devices, which has exploded in recent years, comes with its own myriad assortment of vulnerabilities; and information and privacy policies and their implementation are fragmented, creating significant risks for consumers, from rogue marketers to identity fraudsters.

Being faster than the other
With the risks of cybercrime considerable and likely to increase with the development of ever more connections, EY recently developed an approach to support companies in protecting their digital frontier. “Organisations can develop strategies and perform a number of activities that can improve their security fitness”, comments Paul van Kessel, Global Risk Leader at EY. The methodology the firm developed – based on research and hundreds of engagements – centres around eight key elements. “To protect a company’s cyber frontier, a clear security strategy is needed that focuses on the extended cybersecurity ecosystem, including partners, suppliers, services and business networks”, says Van Kessel. In addition, it involves a range of “softer elements” that are typically overlooked, such as wider training of staff in relation to cyber threats and HR policies. “It is important to remember that cybersecurity is a business-wide issue and not just a technology risk.”

Paul van Kessel and Ken Allan - EY

By considering the most likely threat angles and developing tools framed by the model to mitigate vulnerabilities, a company’s overall cyber defence maturity can be boosted “significantly”. Equally important, a preventive strategy lowers the attractiveness of the organisation as a target. With the right strategy and structure in place, organisations can then work on growing their overall maturity. According to Ken Allan, Global Leader Cybersecurity at EY, organisations’ responses to cybercrime fall into three distinct stages of cybersecurity maturity — Activate, Adapt and Anticipate (EY has dubbed this the Three A’s model) – and the aim should be to implement ever more advanced cybersecurity measures at each stage.

“Security is usually positioned as an obligatory cost – a cost to pay to be compliant, or a cost to pay to reduce risk. But moving to a model of security as risk and trust management implies looking upon security as a business enabler. In fact, this transformation means enabling the development of even more extended networks of networks, of more and new forms of collaboration and mobility, and of new business models. Security as a plus should be a mainstay of the business”, concludes Allan.

* According to a recently released UK Government report ‘2014 Information Security Breach Survey’.