Bring Your Own Things
Just like the widespread use of personally owned mobile devices led to the “bring your own device” (BYOD) phenomenon, the rapid acceptance and proliferation of the internet of things (IoT) will probably lead to a situation where employees bring their personal IoT devices into the workplace. This will almost certainly cause security and privacy issues, and the problems caused by these will probably be cheaper and easier to solve if they are addressed before the bring your own things (BYOT) phenomenon grows to the point where it becomes difficult to manage.
The term “BYOD” was probably first used in 2009 to describe the situation where employees were using their personal smart phones, tablets and similar devices in the workplace. BYOD quickly gained in popularity. Now, there are now lots of attempts to define best practices for BYOD and consultants that specialize in the security and privacy issues around BYOD are fairly common. The US government had even published a standard that describes how BYOD should be managed in a business environment by 2016. Today, just eight years later, BYOD is the norm instead of the exception.
Technology is changing faster today that it was eight years ago, so the adoption of BYOT will probably happen faster than the adoption of BYOD, so it will probably be less than eight years before personal use of IoT technology is widespread. If it has not already happened, there will soon be more IoT devices than there are people, and many of these devices will be carried or worn in the workplace by employees. There are currently no standards for BYOT security, and there is no army of BYOT consultants yet. So it looks like it will be up to us to figure out best practices for understanding the issues around the BYOT phenomenon and how to effectively manage it. This may turn out to be trickier than it was for the BYOD problem.
People typically understand that there can be lots of sensitive data on a smart phone or tablet, so they easily understand the need to protect the information on these devices. They easily understand that the personal information about the people on their email or text messaging contact list is sensitive. They easily understand that the content of any emails or text messages that they have sent is sensitive. And they easily understand that work-related documents and spreadsheets are sensitive.
With IoT devices, however, it is not as clear that the information that they carry needs to be protected. Can even the world’s most clever hacker really find a way to exploit how many steps you have taken today or what songs you are listening to (both of which are managed by various IoT devices)? Maybe they cannot, but that is not the most serious security and privacy issue around BYOT. Instead, the biggest risk may be in the ways in which a clever hacker can find a way to reconstruct sensitive information from two or more types of sensitive data, each of which looks perfectly innocent by itself. The ability to do this is very similar to the way in which hackers can combine different types of information to uniquely identify an individual, even without any information that uniquely identifies the individual.
Information that does not uniquely identify an individual but which can be combined with other similar pieces of information is called a “quasi-identifier.” Names, medical record numbers, or Social Security numbers are enough to uniquely identify an individual. Information like date of birth, gender or home ZIP code are not enough to uniquely identify an individual, but research suggests that these three pieces of data together are enough to uniquely identify about 87% of the population of the US.
Similarly, it is very likely that clever hackers can find useful patterns in combinations of data from IoT devices. Each of the types of data by themselves may seem to be of no value, but a clever analysis of two or more of them together may provide a surprising amount of information. Some combinations will probably reveal things that would be considered sensitive. Some might even reveal data that is regulated by one or more of the data security and privacy laws that currently complicate the lives of CIOs.
So it seems reasonable to consider data on any IoT device as “quasi-sensitive,” and protect it just like it was actually sensitive data. Doing this is probably a good first step towards managing the loss of sensitive information that may accompany the widespread use of IoT devices, particularly when they are part of the future in which BYOT becomes widespread. BYOT may be the future, but it does not have to be a future in which lots of sensitive data is inadvertently revealed to hackers, and protecting absolutely any information managed by IoT devices is a good first step in that direction.
This originally appeared in the Spring 2017 issue of Connect Converge, the magazine for the HPE NonStop audience.