What IoT related security issues are CIOs currently facing?


CISO in Software, 51 - 200 employees
It's already hard to patch everything, because we don't just have Windows and Mac and servers anymore. Now we also have all these devices and IoT, some of which you can't even upgrade. A few months ago, I was talking to someone who had bought a Philips light bulb. He's an IoT engineer, so when he saw that a firmware update came out for the light bulb, he tried to figure out how to install it. He called Philips and asked, "How do I install the firmware upgrade?" And they didn't know. Eventually he figured it out. He picked apart the light bulb somehow so that he could tether a USB cable, and then he was able to upload the firmware to the light bulb. He said, “There’s no way a normal human could do that when an upgrade comes out.”

At some commercial farms, they have thousands of these moisture sensors. And at one farm I heard about, when there was a problem with one sensor, they had to upgrade all of them. But there was no way to do those upgrades all at once; you have to do them individually because there's no central patch management system for that. Now there are companies springing up that are trying to do this, but when there are millions upon millions of these IoT devices, how do you connect to all of them when they're all different? They have different upgrade paths. It's not like you're just patching software. It's going to be an interesting future, that's for sure.
VP - Head of Information Technology in Software, 1,001 - 5,000 employees

It reminds me of Jurassic Park: you were so busy trying to figure out if you could make a wifi-capable light bulb that you didn't ask yourself if you should. Obviously, there's a need for it, but security was never first. In my industry, my experience has been that security is never the first thought. I remember when Windows 2000 came out, and Microsoft was like, “We know we haven't taken security seriously enough for Windows NT 4.0, but for Windows 2000 we've nailed it. This is really good.” And then they put one out on the internet and it was compromised in about 10 minutes. Security has never been first; it isn't even first when people say it is. So we're always going to be dealing with that. But it's hard to quantify there and figure out the risk as the rest of the world changes.

Senior Director, Technology Solutions and Analytics in Telecommunication, 51 - 200 employees
A lot of these IoT things automatically update on their own. For example, with home surveillance kits, you can't even manually update the cameras. You have to wait for them to push it down. But if a bad actor gets in there, and they send out the wrong code, thousands of people will get hacked. You can't even block automatic updates. That seems like a pretty big risk.

Director of IT in Software, 201 - 500 employees
We have seen a massive improvement in phishing detection by our employees after doing security awareness training. Overall, we have seen employees less keen to click on links in emails or respond to unknown senders, and an overall improvement in them being more diligent and suspicious; more often they will check with the IT/Security team before they go to a website or try to download something.

Technology helps a lot, but in my opinion, employees are the weakest link in a chain, so security awareness training is a must for every organization.
