Cyber threat actors continue to proliferate, constantly evolving or creating new attacks, vectors and techniques that make defense seem a nearly impossible task. Our cyber welfare is further complicated by the Internet of Things (IoT), which has made virtually every device a network entry point. First generation IoT device capabilities generally focus on differentiating ease of use, external support convenience, data handling and integration with other devices, applications and workflows. In the rush to realize competitive value and sell the product, little thought may be given to security, cyber threats, data protection and other exposures that could result.
The next generations of connected devices should be required to support mechanisms to validate that a connecting device is, in fact, a credentialed device. Perhaps a digital fingerprint or retinal scan for device validation can be created that serves to verify that a connected device is a wanted and authorized connection. That will keep a network more secure and not allow unwanted access by way of something like a refrigerator.
These sorts of authentication services need to be embedded in IoT devices’ operating systems so that institutionally personalized configuration is a hard requirement. And device authentication should be periodically refreshed. The ideal is for IoT devices to have security threat monitors and dashboards that confirm regular maintenance, recognize attacks, track any compromise and trigger out of cycle resets or shut down if an attack shows signs of success.
For many companies, two-factor or multi-factor authentication has become an absolute, if awkward and frustrating, necessity. Phishing drills, reporting tools, and awareness training combine with periodic password resets to help reduce the ease of success cyber criminals experience with voluntary trusted credential compromises – and they are all good things. Multi-factor authentication is still a necessary layer of defense because it confirms that you are really you.
As personal device sensitivity and security improve, using a fingerprint or retinal scan may become a viable alternative to text-back or call-back validation for mobile, personal connectivity. These sorts of validations verify that the person using a mobile device is the actual trusted individual and not someone who has stolen the device or hijacked validation messaging along with credentials.
All this may sound like stuff of a good spy novel, but real life often follows from fiction! Best to be ahead of the bad guys.
Gary Seay is Principal of BrightWork Advisory, LLC, a practice focused on enabling innovative healthcare solution success. He also spent 18 years at Community Health Systems, Inc. as Senior Vice President and CIO. There, Seay built and led a full service corporate IT organization of over 650 corporate professionals and 1,000 market based staff members for a $19 billion healthcare system. Mr. Seay is an author, speaker and advisor possessing extensive executive experience with major healthcare provider systems, managed care organizations, venture capital firms and academic programs. He can be reached at josephgseay@BrightWorkAdvisory.com.