IoT’s Infancy and What It Means for Capital Markets Firms

Like many people using Internet of Things (IoT) devices, I all too often forget that they are vulnerable to cyber threats. In fact, I did not realize how many internet-enabled gadgets I own. As more of these devices enter the workplace, it is worth investigating what firms can do to protect themselves from cyber-attacks. 

One basic step companies can take is to set up a separate Wi-Fi network where IoT devices can connect without touching the corporate network—and therefore, its sensitive data. Guest Wi-Fi networks were developed during the bring-your-own-device (BYOD) debate of several years ago. But IoT may still seek out similar devices to “talk” to that may be on the protected network, and, more worryingly, these still provide computing power for attackers.

As I reported in my feature this month, at first blush, controls around IoT seem like an easy extension of BYOD policies, although these also offer an interesting challenge to security professionals, particularly since there is very little in-built protection, according to William Beer, a principal at consultancy EY.

“These devices don’t necessarily have the same level of security built in as some other systems, so it requires a considerable mind shift in the security industry, especially now that they are struggling to support organizations,” Beer says. “They’re struggling to offer services to firms with existing technology and now you’re going to add in IoT, so there needs to be a wakeup call to the industry not to repeat the same mistakes many years ago when internet security was starting out.”

Joshua Satten from Sapient says one of the questions around IoT is its growth, since the technology is still in its infancy. “IoT is emerging as a new technology and that’s where it becomes very difficult for companies,” Satten says. “It’s hard to adapt new technologies and create protections around them if it’s still being developed.”

Satten notes that there are still many issues around privacy and data collection that need to be hashed out as well as determining which appliances really need to be IoT-enabled. What is important from both experts’ perspectives is that businesses shouldn’t repeat the same mistakes from years ago, by believing these new technologies will not be brought into offices until they are fully developed or secure. These devices are already in the workplace, so it’s important to begin awareness programs as soon as possible. 

Whether firms like it or not, many of their employees have already brought IoT devices to the office. Many have their own IoT-enabled technologies at home that can communicate with their home laptops, illustrating how pervasive the technology can become. As an example, how many employees have internet-enabled security systems or door cameras that transmit live footage to smartphones? 

Likewise, keeping track of just how connected you are is important from a security perspective. If you’re carrying an iPhone, an iPad, a Tile key, a Kindle, a laptop, a smartwatch, a Fitbit, or a handheld videogames console in your bag, that’s at least seven connections to the company network that need to be monitored. Factor in the external connections these create to home IoT devices, and that number expands enormously. It’s these awareness programs, more than anything else, that will really start protecting the company.

Moving Beyond

The challenge for IoT devices with respect to their widespread use by capital markets firms is how they go about moving beyond just helping people learn how to spell or find their missing car keys. “There are two strands within IoT,” says EY’s Beer. “The first is how it can be used by employees, and the second is how banks can potentially use these kinds of technologies to help create innovative services for clients.”

According to Beer, a good business case has to be developed for why IoT devices—particularly personal speakers and personal trackers—should be in the workplace before they are fully vetted. Other devices like personal trackers can provide important health information for employees with serious conditions, but like all IoT devices, they must also be robust enough to protect that personal information and ensure that it isn’t compromised or stolen.