cyber security in the era of internet of things · 4. identifying, implementing security controls...

5th National ICT SUMMIT

CYBER SECURITY in the Era of Internet of Things

– TRENDS and THREATS –Illegal devices and Legislation towards their Management

16th October 2018

Mr. Philip HIKUMWAH

Syntex Technologies®2018

1

AGENDA• What is IoT (Internet of Things)

• Components of IoT

• Why IoT ?

• Application of IoT

• Challenges faced by IoT

• IoT Security • Top 5 Security Challenges

• IoT Security Management – SECURITY FRAMEWORK - COMPLIANCE

• GLOBAL CYBERSECURITY INDEX (GCI) – AFRICAN RESULTS ANALYSIS

• GCI STANDARDS

• LEGAL, TECHNICAL, ORGANIZATIONAL, CAPACITY BUILDING, COOPERTION

• AFRICAN ANALYSIS

• SADC ANALYSIS

• NAMIBIA Vs TOP AFRICANS COUNTRIES

• NAMIBIA Vs SADC

• CyberSecurity and IoT: What Role for GOVERNMENT?

• CONCLUSION


2


3

What is IoT (Internet of Things)

The Internet of Things (IoT) is the network of

physical objects—devices, vehicles, buildings and other items

embedded with electronics, software, sensors, and network

connectivity—that enables these objects to collect and exchange data.


In simple words, Internet of Things (IoT) is an ecosystem of

connected physical objects that are accessible through the internet.

THINGS CONNECTIVTY DATA ANALYTICS

4


1st

• Mechanization, Water Power, Steam Power

2nd

• Mass Production, Assembly Line, Electricity

3rd

• Computer and Automation

4th

• Cyber PhyscialSystems

What is IoT (Internet of Things)

IoT is a catalyst for the

4th Industrial Revolution

5

Components of IoT


Smart Systems and Internet of Things are driven by a

combination of :

SENSORS

CONNECTIVITY

PEOPLE & PROCESSES

IoT

SENSORS

CONNECTIVITY

PEOPLE and PROCESSES

6

WHY IoT ?

• IoT IS ENABLING A NEW WAVE IN DIGITAL BUSINESS TRANSFORMATION

Dynamic control of industry and daily life.

Improves the resource utilization ratio.

Integrating human society and physical systems.

Flexible configuration.

Acts as technology integrator.

Universal inter-networking.


7

Current status & future prospect of IoT


World Population

Connected Devices

Connected DevicesBy Person

6.3 Billion 6.8 Billion 7.6 Billion

500 Million 12.5 Billion 23.14 Billion

7.6 Billion

50 Billion

0.08 1.84 4.25 6.58

2003 2010 2018 2020

More Connected

Devicesthan

People

8


APPLICATION

of

9

Application of IoT


10

Syntex Technologies®2018You name it, and you will have it inIoT!

Application of IoT ● Facilities

○ Building Temperature Control Systems○ Electrical Systems○ Lighting Systems○ VoIP Phones○ Trash Cans○ Water Sensors for Floods○ Building Equipment Monitoring

■ Motors, Pumps, Boilers, etc.● Safety

○ IP Video Surveillance○ Fire Alarm and Life Safety Systems○ Security Alarms○ Electronic Door Access○ IP enabled Police and Security Teams○ IP Enabled Police Vehicles

● Classroom Technologies○ Clickers in the Classroom○ Projectors○ IP Streamed Audio○ Computer Presentation Integration

● Tutoring Spaces○ Check in / out for Tutoring○ AV equipment○ Scheduling Devices

● IP Connected Laboratory Equipment○ Refrigerators○ Microscopes○ Laboratory Probes (Frog Sensors)

● Research○ IP Connected Laboratory Equipment

■ Gene Sequencers■ Functional MRI Machines■ Irradiators

○ Refrigerators○ Microscopes○ Laboratory Probes (Frog Sensors)

● Staff Offices○ Multifunction Printers○ Coffee Makers / Microwaves○ IP connected mailboxes○ Conference Room Scheduling ○ Conference Room Presentation Systems○ Time Clocks

● Transit Services○ Vehicle Location Tracking & Reporting○ Rider Tracking and Verification○ Safety Monitoring○ Rider Entertainment / Information○ Parking Control and Wayfinding○ Parking Pay Stations

● Residential Services○ Entertainment○ Building Safety○ Utility Monitoring and Bill Back○ Building Access Control○ Laundry Services

● Disability Services○ Text to Speech○ Speech to Text○ Call for Help○ Health Monitoring○ ADA Route Wayfinding○ ADA Parking

● Sports and Fitness○ Wearable Fitness Trackers○ IP connected Sports Equipment

■ Treadmills, Bikes, etc.…○ Attendance / Admission Control○ Sporting Event Management / Fan

Interaction■ Microphones to measure cheering

levels during events■ Ticket / Seating Verification■ Venue Facilities Management

● Physical and Mental Health○ Appointment Scheduling○ Medical Appointment Notes○ Diagnostic Medical Equipment11


Challenges faced by IoT

At present IoT is faced with many challenges, like -

Scalability

Technical requirements

Technological standardization

Software complexity

SECURITY

12

Do you Trust your IoT Data & Collector?

• Do you trust the data you are collecting and/or using?

• Do you trust who is collecting the data from you?


13

IoT Security ?

• The BARCODE was designed to SHARE information

• The RFID TAG was designed to SHARE information

• NETWORKS were designed to SHARE information

• The IoT System was designed to SHARE information

• Security was an AFTERTHOUGHT (what are the security threats?)

(and it continues to be an afterthought today… )


What Went Wrong?

14


More Devices, More Data, More

Opportunities,

and More RISKS…

15

• The IoT technologies have been around for a long time

• Advances in communication and connectivity are allowing the “interconnectedness” needed for IoT

• The value is in the DATA not the connections

• The DATA allows you to make autonomous decision based on business rules closer to the edge

It’s all about the DATA!


16

IoT Security: New Things?

• In the era of IoT,• Do we need new concepts to describe IoT security ?

• Do we need new security models for IoT?

• AND• What is the gap between IoT security and existing security solutions?

• When cloud arrived, what did we do for new solutions?

• When smart phones and BYOD come, what did we do?

• What makes IoT different from the last two major waves?


17

• Problems and security challenges• New devices for endpoint security

• New firmware, embedded OS, new software.• It is not possible to support AV on every device.

• New transport protocols for making network security DIIFICULT!

• Much more network traffic for security analysis• Bad news for large enterprises as network security is already

complex and cumbersome



18


ATMa((Automated Teller Machine)

Airline Check-in Machines

Connected Cars

Digital Sensing

Computing

Communication

New Devices with New Capabilities : For example

Year 2020

Existing Connected Things

…


WHAT IS NEW ??

19

Syntex Technologies®2018PLATFORMS

SECURITY TECHNOLOGY

IoT SECURITY means new opportunities for a security professional i.e (SYNTEX

TECHNOLOGIES) to develop Novel Security SOLUTIONS!

ENDPOINT Security

GATEWAY Security

MOBILE Security

CLOUD Security

SNS Security

SDN Security

IoT Security

IoT Security: New Field?

20

• IoT Security Top 10 Vulnerabilities (OWASP Source):• I1 Insecure Web Interface

• I2 Insufficient Authentication/Authorization

• I3 Insecure Network Services

• I4 Lack of Transport Encryption

• I5 Privacy Concerns

• I6 Insecure Cloud Interface

• I7 Insecure Mobile Interface

• I8 Insufficient Security Configurability

• I9 Insecure Software/Firmware

• I10 Poor Physical Security


IoT Security - Vulnerabilities

21

• Seven IoT security Risks:1. Disruption and denial-of-service attacks2. Understanding the complexity of

vulnerabilities3. IoT vulnerability management4. Identifying, implementing security controls5. Fulfilling the need for security analytics

capabilities6. Modular hardware and software

components7. Rapid demand in bandwidth requirement


IoT Security: Risk Management

22


IoT Security: CYBER ATTACKS Threats

23

Top 05 IoT Security Challenges

• The security of the “thing” is only as secure as the network in whichit resides: this includes the

• People,

• Processes,

• and technologies involved in its development and delivery


/!\/!\

24

• IoT technology requires a shift in mindset, particularly for devices that hold important financial and personal information.

• However, not all IoT devices are secure enough to prevent identity theft and security breaches

• What’s more,

Biometric authentication, such as fingerprint scans and voice recognition, canprovide a safer way of securing data, using tech that is already familiar to manymobile phone users.


1. Identity Theft & Unsecured End-Devices

87% Entreprise worry about Vulnerabilities

within IoT Devices

Even with increased security at the end-user level, hackers can still infiltrate your network or data centre

25


87%81%

75%

39%

2% 2%

0

10

20

30

40

50

60

70

80

90

100

Vulnerabilities in the DevicesThemselves (IoT Securiy Concern)

Data Leakage Access Control Asset Mangement IoT does not pose any SignificantSecurity Concern

Other

87 percent of enterprises worry about vulnerabilities withinthe IoT devices themselves

%

1. Identity Theft & Unsecured End-Devices

26


2. Insufficient Patching & Testing

One of the biggest IoT security challenges for

smart devices is also a common threat to all

software deployments:

Inefficient patching.Outdated devices may contain dangerous

bugs or vulnerabilities that hackers can target

and therefore pose a risk to the organisation’s

data security.

65%60%

90%

0

10

20

30

40

50

60

70

80

90

100

Concerned hackers will

control their IoT devices

Worried their IoT data will be

leaked

Believe there should be IoT

security regulation

Consumers Concerns %

27

• A recent security report recommends that vendors don’t sell IoTdevices with default credentials (such as the username‘admin’). However, these are only guidelines andmanufacturers don’t necessarily have to follow them.

Weak login details leave your financial IoT devices vulnerableto brute-force attacks.

Without the right security measures, the business assetsand customer information are at High risk!


3. Default passwords and brute-force hacking

28

• It’s vital that Organizations and companies invest in the appropriate safeguarding measures when processing IoTdata.

• For example, a financial organisation that processes masses of sensitive data, one breach could potentially ruin its reputation and customer trust.

• Although keeping the IoT data in sight seem to offer an added sense of physical security, processing the information on-premise is a big IoT security challenge.

• Without the right expertise or physical hardware, compromised or stolen infrastructure puts you at great risk


4. IoT Data processing

29

• More than 70 percent of organizations admit that the rapid deployment ofnew technologies - such as the cloud, big data and IoT – is a larger priority thansecuring their infrastructure and network.


5. Multi-layer Data Management & Security

But, while the Internet of Things is a trending business

investment for organizations, it should never come at the

expense of weakened defenses.

To keep the business and customers safe, security need to

be placed at the heart of all investments, ensuring to keep

IoT security challenges in mind across all layers of the

network:

30

5. Multi-layer Data Management & Security

• Investing in a compliant, transparent and secure IoT hub, on a safe platform, can ensure your data remains safe throughout your Internet of Things journey and can allow you to detect threats before they cause irreversible damage.

• There are IoT Security solution that allow to secure and manage billions of different IoT devices, with functions such as applying identities and credentials to individual devices.

• With built-in cloud security, the IT team spends less time on routine patching and monitoring and more time analysing IoT data for business-driven insights:


End-point devices

Embedded software

Communications

Cloud platforms

Web, cloud and mobile applications31

• IoT will merge the following DOMAINS


INFORMATION SECURITY

OPERATIONAL SECURITYPHYSICAL SECURITY

INFORMATION TECHNOLOGY SECURITY

IoT

IoT Security Management

32

Internet of Things security spending ($)


Internet of Things security spending worldwide from 2016 to 2021 (in million U.S. dollars)

33

Cybersecurity

outcomes and

informative references

Enables

communication

of cyber risk across

an organization

Describes how

cybersecurity risk is

managed by an

organization and

degree the risk

management

practices

exhibit key

characteristics

Aligns industry standards and best practices to the

Framework Core in an implementation scenario

Supports prioritization and measurement while factoring in

business needs


34

IoT Security CYBERSECURITY Framework

• Compliance is a critical component of any security program. Compliance lives by the rule that states We Trust but Verify. The concept is that we must obtain evidence of compliance with stated policies, standards, laws, regulations, etc. in order to issue the proper attestations as required.

• REGULATORY COMPLIANCE FOR CYBERSECURITY

• ISACA SSH Audit Practitioner Guidance

• HIPAA Security Rule

• ISO/IEC 27001:2013

• NIST Cybersecurity Framework

• NIST IR 7966 on SSH Keys

• NIST SP 800-53 / FISMA Law

• PCI DSS Compliance

• SANS Top-20 Critical Security Controls

• Sarbanes-Oxley Act

• EU GDPR

• BASEL Accords for Banks

• Compliance, which is only a point in time, is directly impacted by the ever changing and always evolving rules and regulations which makes it quite challenging for organizations to maintain a sound compliance posture. The continuous expansion and extension of our production environments also adds to the compliance challenges we all face today.


35

IoT Security – COMPLAINCE

https://www.ssh.com/compliance/isaca/

https://www.ssh.com/compliance/hipaa/security-rule

https://www.ssh.com/compliance/iso-27001/

https://www.ssh.com/compliance/cybersecurity-framework/

https://www.ssh.com/compliance/nist-7966/

https://www.ssh.com/compliance/nist-800-53/

https://www.ssh.com/compliance/pci/

https://www.ssh.com/compliance/sans-top-20/

https://www.ssh.com/compliance/sarbanes-oxley/

https://www.ssh.com/compliance/eu-gdpr/

https://www.ssh.com/compliance/basel-iii/


Case Study: Lessons Learned from Past Experiences

• All software can contain vulnerabilities

• Public not informed for months

• Vendors may delay or ignore issues

• Product lifecycles and end-of-support

• Patching IoT devices may not scale in large

environments

36


•Allow only designated people/services device or data accessTrust

•Validate the identity of people, services, and “things” Identity

•Ensure device, personal & sensitive data is kept privatePrivacy

•Protect devices and users from harmProtection

•Provide safety for devices, infrastructure and peopleSafety

• Maintain security of data, devices, people, etc.Security

IoT Security: Build TIPSSS Approach

37


GLOBAL CYBERSECURITY SCORES – AFRICAN RESULTS ANALYSIS

38

Heat Map of NatonalCybersecurity CommitmentsOut of the 193 Member States,

there is a huge range in

cybersecurity commitments, as

the heat map below illustrates.

Level of commitment: from

Green (highest) to Red (lowest)


GLOBAL CYBERSECURITY SCORES– WORLDWIDE RESULTS

The second edition of the Global Cybersecurity Index 2017, released by the International

Telecommunications Union (ITU), an agency of the United Nations, measured the commitment of ITU

Member States to cybersecurity and highlighted a number of illustrative practices from around the world.

39

• Out of the 44 Member States in Africa, a quite low general level of cybersecurity commitment can be observed.

Level of commitment: from Green (highest) to Red (lowest)


GLOBAL CYBERSECURITY SCORES– AFRICAN CALISSIFICATION

40

• Disintegration at the international level and low commitment in Africa may be caused by conflicts in the past and the lack of capacity building in the region

GCI Heat Map by AFRICAN sub-region

Level of commitment: from Green (highest) to Red (lowest)



41

LEGAL

CybercriminalLegislation

CyberSecurityRegulation

CyberSecurityTraining

TECHNICAL

National CIRT

Government CIRT

Sectoral CIRT

Standards for Organizations

Standards and Certifications for

Professionals

Child Online Protection

ORGANIZATIONAL

Strategy

Responsible Agency

CyberSecurityMetrics

CAPACITY BUILDING

StandarizationBodies

Good Practices

R&D Programmes

Public AwarenessCampaigns

Professional Training courses

National Education

Programmes and accademiccurricul

a

Home-grownCyberSecurity

Industry

COOPERATION

Intra-State Cooperation

MultilateralAgreements

International fora participation

Public-PrivatePartnerships

Inter-Agency Partnerships

Conceptual frameworkThe five pillars of the GCI are briefly explained below:

1. Legal: Measured based on the existence of legal institutions and frameworks dealing with cybersecurity and cybercrime.

2. Technical: Measured based on the existence of technical institutions and frameworks dealing with cybersecurity.

3. Organizational: Measured based on the existence of policy coordination institutions and strategies for cybersecurity development at the national level.

4. Capacity Building: Measured based on the existence of research and development, education and training programmes; certified professionals and public sector agencies fostering capacity building.

5. Cooperation: Measured based on the existence of partnerships, cooperative frameworks and information sharing networks

GLOBAL CYBERSECURITY SCORES– CONCEPTUAL FRAMEWORK


42

GCI Groups Report

African’s Member States were classified into three categories by their GCI score

Leading stage refers to the 6 countries (i.e., GCI score in the 50th percentile and higher) that

demonstrate high commitment.

Maturing stage refers to the 11 countries (i.e., GCI score between the 20th and 49th

percentile) that have developed complex commitments, and engage in cybersecurity

programmes and initiatives.

Initiating stage refers to the 27 countries (i.e., GCI score less than the 20th percentile) that

have started to make commitments in cybersecurity.



43

00.10.20.30.40.50.60.70.80.9

GCI GLOBAL SCORE – AFRICAN REGION


AFRICAN REGION SCORES

44

Mauritius South Africa Botswana Tanzania Zambia Mozambique Zimbabwe Seychelles Madagascar Lesotho Malawi Angola Namibia SwazilandDR of the

Congo

GCI Global score 0.83 0.502 0.43 0.317 0.292 0.206 0.192 0.184 0.168 0.094 0.084 0.078 0.066 0.041 0.04

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9G

CI I

ND

EX

GLOBAL CYBERSECURITY INDEX SCORE & WORLD RANK- SADC REGION -


SADC REGION SCORES

45


Congo

GCI Global score 0.83 0.502 0.43 0.317 0.292 0.206 0.192 0.184 0.168 0.094 0.084 0.078 0.066 0.041 0.04

6

58

69

8891

109 113 115 121

143 145 146 151160 161

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9G

CI I

ND

EX

GLOBAL CYBERSECURITY INDEX SCORE & WORLD RANK- SADC REGION -


SADC REGION SCORES

46


Congo

GCI Global score 0.83 0.502 0.43 0.317 0.292 0.206 0.192 0.184 0.168 0.094 0.084 0.078 0.066 0.041 0.04

6

58

69

8891

109 113 115 121

143 145 146 151160 161

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9G

CI I

ND

EX

GLOBAL CYBERSECURITY INDEX SCORE & WORLD RANK- SADC REGION -Leading

Stage

MaturingStage

InitiatingStage


SADC REGION SCORES

47

0

0.2

0.4

0.6

0.8

1

1.2

Mauritius South Africa Botswana Tanzania Zambia Mozambique Zimbabwe Seychelles Madagascar Lesotho Malawi Angola Namibia Swaziland DR ofthe Congo

SADC SCORES - ALL PILARS (Legal , Technical, Organization, Capacity, Cooperation)

Legal Score Technical Score Organizational Score Capacity Score Cooperation Score


SADC REGION SCORES

48


49

NAMIBIA Results Vs TOP 3 AFRICAN COUNTRIES

0.83 0.85

0.96

0.74

0.91

0.7

0.6

0.6

0.7

1

0.7

9

0.6

6

0.2

8

0.5

7

0.7

5

0.7

3

0.3

6 0.4

1

0.6

0.066

0 0 0

0.169 0.158

GCISCORE

LEGAL TECHNICAL ORGANIZATIONAL CAPACITYBUILDING

COOPERATION

NAMIBIA VS TOP 3 AFRICAN COUNTRIES

Mauritius Rwanda Kenya Namibia


50

Rwanda, ranked second in Africa,

• Scores high in the organizational pillar and has a standalone cybersecurity policy addressing both the public and private

sector.

• It is also committed to develop a stronger cybersecurity industry to ensure a resilient cyber space.

Kenya, ranked third in the region,

• Provides a good example of cooperation through its National Kenya Computer Incident Response Team Coordination

Centre (National KECIRT/CC).

• The CIRT coordinates at national, regional and global levels with a range of actors.

• Nationally this includes ISPs and the financial and educational sectors; regionally it works with other CIRTs through the

East African Communications Organization;

• and internationally it liaises with ITU, FIRST, and bi-laterally with the United States and Japan CIRTs among others.


GCI TOP 3 AFRICAN COUNTRIES ANALYSIS (RWANDA & KENYA)

51

• MAURITIUS Among WORLD TOP 10 in CYBERSECURITY Preparation!

0

0.2

0.4

0.6

0.8

1

1.2

Singapore United States Malaysia Oman Estonia Mauritus Australia Georgia France Canada

TOP 10 GCI SCORE IN ALL PILARS

GCI Score Legal Technical Organizatonal CapacityBuilding

Cooperaton

GCI TOP 3 AFRICAN COUNTRIES ANALYSIS (MAURITIUS)


52

Mauritius is the top ranked country in the Africa region And Ranked 06th WORLWIDE

• It scores particularly high in the legal and the technical areas.

• The Botnet Tracking and Detection project allows Computer Emergency Response Team of

Mauritius (CERT-MU) to proactively take measures to curtail threats on different networks within

the country.

• Capacity building is another area where Mauritius does well.

• The government IT Security Unit has conducted 180 awareness sessions for some 2000 civil

servants in 32 government ministries and departments.

GCI TOP 3 AFRICAN COUNTRIES ANALYSIS (MAURITIUS)


53

CyberSecurity and IoT: What Role for GOVERNMENT?

The cyber community is seeing an increase in dialogue between legislators and companies developing IoT devices about the

need for regulatory oversight and whether government intervention to secure IoT is needed — or should be feared.

What is government’s role in securing the IoT (Internet of things)?

Government cannot solve the entire problem, so it first needs to understand its role and make the most of it.

Government as IoT end user. Like Public Administrations and Utilities, Universities, Schools, law enforcement, and

other government functions can take advantage of the new technologies to break traditional trade-offs and find

innovative ways to serve the public.

Government as infrastructure provider. Just as governments are responsible for building and maintaining their

countries’ highways for vehicles, they may be called upon to provide the infrastructure for the IoT.

Government as regulator. New technologies necessarily bring with them new uncertainties about their use. These

uncertainties represent a risk to the public, which governments at all levels are responsible for ameliorating.


54

Government as RegulatorGovernment cannot take action to regulatefast-moving technology

InnovatorsLack of regulatory calrity hinders techoptions, further delaying Final formats/users

Government acts in its role as:• USER• Infrastructure Provider

InnovatorsKnow the parameters of responsible use; have goods examples and right tools to do it



SOLUTION

55


CyberSecurity and IoT: What Role for GOVERNMENT?Common Bottleneck to information Flow GOVERNMENT ACTION NEEDED to

support responsible development of IoT

WAYS AHEAD

COMMUNICATECompetition for Limited bandwidtch can slow

development

GOVERMNET must act as

INFRASTRUCTURE PROVIDER to

ensure effective bandwidtch

AGGREGATELack of Common Standards can limit

aggregation of Data

Industry is leading, NO GOVERMNET

action is needed

ANALYZEAnalyse of such volumes and new types of

Data can create Privacy issues

GOVERNMENT must act as

REGULATOR to protect consumers

Use Role of GOVERNMENT as USER of IoT to set

GOOD EXAMPLES

Use Role of GOVERNMENT as INFRASTRUCTURE

PROVIDER of IoT to reduce FUNCTIONS CREEP

Use Role of GOVERNMENT as BOTH USER of IoT

and INFRASTRUCTURE PROVIDER of IoT to enable

TRANSPARENCY GOOD

56

The government needs to identify and protect systems with a cyber-shield

— rather than the piecemeal, element-by-element approach

Government also has an important role when it comes to convening and

leading forums to establish best practices for the creation of a secured

ecosystem, including infrastructure frameworks that contain IoT within

them.

If there’s one thing government can do better than industry, it is to

assemble the best brains and talent in the country, from a cross-section of

disciplines — software, hardware, manufacturing, AI — to focus their

expertise on the challenges we face and to ask the right questions.

Another role government can play is to be the national educator — this will

put pressure on vendors to start investing more on the security side of

their devices.

That said, if

done prudently, best

practices and

processes should be

able to balance the

need for cyber-

creativity within a

rules-based

framework that the

public can trust.

So, no strict

standards, but

This means it needs to work strategically and top-down, starting with assuring that the whole system is

secured. Call it a “systemic strategy.”



57


Threat vs. Opportunity

• If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety

• If understood and secured, IoT will enhance communications, lifestyle, and delivery of services

59

INTERNET OF THINGS & CYBERSECURITY

NAMIBIA METRICS


60

NAMIBIA CYBERSECURITY METRICS


The following general information was noted from the participating

entities.

23 respondents across 6 industrycategories participated Size of respondents’ staff complement

61


78% of entities allocate responsibility for the monitoring

and management of cyber risk at managerial level or

below.

In 76% of all entities, a single person was reported

to be responsible for the monitoring and

management of cyber risk and incidents


IoT security is often beyond the average IT leader’s skill set, as it involves managing physical devices and objects rather than virtual assets

62



70% manage cyber actively, but on 52% include a business continuity plan as part of this management

63



65% of respondents test their business continuity plans;

with 48% testing at least annually, in line with best

practice

By contrast, only 52% of respondents had a

documented and disseminated business continuity

or disaster recovery plan

64



65% of entities feel insufficient skills exist in within

their entity

35% of entities did not conduct user training on

information security at all

65



39% of entities have never performed a vulnerability

assessment penetration testing or software code

review to determine potential exposure

66

67

@onghass6 – TwitterEmail:[email protected]+264 61 309 171+264 811 223 926

cyber security in the era of internet of things · 4. identifying, implementing security controls...

Documents