It happens innocently enough: someone obtains and installs a reasonable Internet-enabled capability, and BANG! You’re open for business that’s not of your choosing.
Maybe it’s a shared corporate meeting calendar, or a construction pipe-weld inspection robot, or a security camera at a remote power plant. But whatever it is – be it a cloud-based offering or an Internet “thing” – remember that if you can monitor or control it from wherever you are, so can the bad guys.
This may sound obvious once it’s stated aloud, but you’d be amazed by how often I hear the stories of how some executive subscribed to a cloud service or installed a connected device, and was shocked and surprised when a vulnerability arose and a reprimand followed.
The problem is that it’s ridiculously easy to acquire such capabilities – point, click, “agree,” and you’re done! And to be fair, if governance isn’t your bag, why would you think twice about it?
The lesson is that it’s up to us to spread the word that seemingly harmless tools and technologies can create significant potential risks – and that their procurement and installation must be managed as carefully as the services and devices themselves. Otherwise, the threat can quickly outweigh the benefit.