ISACA 2014 IT RISK/REWARD BAROMETER 1

RISKS AND REWARDS OF CONNECTED DEVICES ISACA 2014 IT RISK / REWARD BAROMETER REPORT

Staff

The Internet of Things is about more than just connected devices—it’s about the vast integrated systems that these billions of devices comprise. More and more products, companies and networks are collecting and sharing data from individuals and enterprises than ever before, in the name of greater personalization, ease, insights and operational efficiency. But as several recent high-profile data breaches have shown, this ecosystem is far from impenetrable. In the wake of these large-scale attacks on consumers and corporate data, ISACA’s 2014 IT Risk/Reward Barometer explores the mindsets and behaviors of both consumers and IT/business professionals, looking specifically at their awareness, concerns and reactions to issues related to connected devices. ISACA also looks at the business and IT implications for enterprises, whose duty to safeguard the data they collect is now under even more intense scrutiny.

The global market for connected devices—including home appliances, personal electronics, clothing, and other accessories that can interact with the Internet or other devices—is set to exceed US $7 trillion by 2020.1 The total number of mobile connections is expected to rise from 7.4 billion in 2014 to 10 billion in 2020.2 The proliferation of mobile phones and tablets, the growth of cloud storage, and a heightened focus on big data have nurtured the evolution of the “Internet of Things” in a big way.

There are many potential benefits to having more seamlessly connected devices: personalized consumer experiences, drawing data from various sources to form a more complete picture of a user’s preferences and needs; added convenience, with devices speaking directly to each other without the need for a human mediator; as well as opportunities for collaboration among different software and device-makers. And as ISACA discussed in last year’s report, enterprises also have the potential to reap numerous rewards from the Internet of Things: greater efficiency, lower costs, improved services, more accurate supply chain management, greater accessibility to information, increased employee productivity and increased customer satisfaction.

THE LANDSCAPE TODAYTHE TOTAL NUMBER OF MOBILE CONNECTIONS IS EXPECTED TO RISE TO

IN 2020.10 BILLION

1 “WORLDWIDE AND REGIONAL INTERNET OF THINGS 2014-2020 FORECAST,” INTERNATIONAL DATA CORPORATION (IDC), 20142 “IOT DEVICE CONNECTION EFFICIENCY GUIDELINES,” GSMA, 2014`

ISACA 2014 IT RISK/REWARD BAROMETER 2

Recently, one specific subset of connected devices has been receiving increased attention: wearables. Consumer tech companies are introducing increasingly accessible and appealing wearable devices, hoping to spur wider adoption among the masses. These products do not stand alone, either. Connected devices prove their usefulness by functioning within ecosystems: a health/fitness band that can communicate with your smartphone, which can adjust the temperature in your home, which can speak to your smart fridge, which can show notifications on your connected TV.

These are impressive advancements, but there are numerous potential risks associated with this high degree of connectivity. The more that devices share and store personal information, the more entry points there are for information to be compromised. In the past year alone, data breaches at major organizations such as Target, eBay, Japan Airlines, more than 30 banks in Brazil and even the Australian Department of Immigration and Border Protection have brought the vulnerability of consumer data directly into the public eye, at least temporarily. The fallout of these breaches affects not only the consumers whose data are at risk, but the enterprises entrusted with protecting those data.

THE MORE THAT DEVICES SHARE AND STORE PERSONAL INFORMATION, THE MORE ENTRY POINTS THERE ARE FOR INFORMATION TO BE COMPROMISED.

Along with the benefits and hazards of this complex technological landscape comes the need to balance them out safely and responsibly. This is a significant challenge for enterprise management, along with IT departments and cybersecurity specialists, who are tasked with many of the decisions that affect the integrity of company, customer and employee information—including the devices consumers, as employees, bring into the workplace.

The IT Risk/Reward Barometer examines attitudes and behaviors related to the risks and rewards of key technology trends, such as the Internet of Things (including wearable devices) and bring your own device (BYOD). Given the high-profile data breaches among enterprises, the 2014 IT Risk/Reward Barometer also included this topic as a key focus area. The 2014 Barometer consists of two components: a survey of ISACA members (1,646 respondents from 110 countries) and a survey of consumers (more than 4,000 respondents in four countries: Australia, India, the United Kingdom and the United States).

DATA PRIVACY AND SECURITY A GROWING FOCUS

ISACA 2014 IT RISK/REWARD BAROMETER 3

THESE CONSUMERS ARE ALSO EMPLOYEES, AND ARE LIKELY TO BRING THIS SAME GAP BETWEEN PRIVACY RISK BELIEF AND ACTION INTO THE WORKPLACE.

In light of the millions of consumer credit cards, email addresses and other bits of private information that were compromised recently, ISACA explored consumer attitudes around these data breaches and found a significant disconnect between knowledge and behaviors. Nearly all respondents have heard about prominent breaches (US: 94%, UK: 90%, India: 87%, Australia, 84%), and the majority said these data breaches increased their concern about the privacy of their personal data (US: 75%, UK: 63%, Australia, 61%, India: 45%).

However, few have changed key actions in their wake. For example, in the U.S. less than half of respondents say they changed PINs and/or passwords, and only about a quarter say they shopped less frequently at the retailers that experienced a breach. Nearly a third did not change their shopping behavior at all.

This disparity could reflect some hesitation about how consumers think about and manage their privacy and uncertainty about whose responsibility it is to keep consumer information safe. These consumers are also employees, and are likely to bring this same gap between knowledge and action into the workplace. This underscores the importance of business and IT professionals proactively managing and educating employees about privacy and security.

Consumers are beginning to integrate more connected devices into their lives. According to the survey, more than a quarter of all respondents own either a smart TV (India: 49%, Australia: 38%, UK: 37%, US: 29%) or a connected car (Australia: 41%, India: 33%, US: 23%, UK: 23%), for example, and more than half of consumer wish lists for the coming year include connected devices.

Ownership of wearable devices, such as smart glasses or smart watches, is still new, with most respondents across countries reporting that they do not own or use such products. But if consumers have it their way, expect that to change: roughly one in five in several countries say they would like to get a smart watch in the next year (Australia: 18%, UK: 17%, US: 14%). The growing focus of major players such as Apple, LG and Samsung on the wearables market may have contributed to this shift, luring consumers previously unconvinced of the necessity or practicality of smart watches and other wearable devices.

Consumers aren’t just envisioning such products at home, either, with the vast majority of those who are employed saying they would consider using wearable connected devices in their current workplace.

Three steps all shoppers should take, whether or not their data has been compromised by a breach, are:1. Protect personal information by creating a strong password unique to each account. 2. Protect devices with current security software.3. Verify that online transactions are secure by looking for a padlock icon displayed in the browser.

WHAT CONSUMERS THINKDATA BREACHES TOP OF MIND, BUT FEW CONSUMERS DOING ANYTHING DIFFERENTLY IN RESPONSE

ADVANCE OF CONNECTED DEVICES AND WEARABLES

ISACA 2014 IT RISK/REWARD BAROMETER 4

But these desires are coupled with a sense of apprehension. As consumers carry around and use more devices that contain their personal information, the need for security increases, and their mindset reflects this. Approximately nine in ten consumers across countries have concerns about the information that is delivered to connected devices—the greatest being the fear that someone will hack into the device and do something malicious, followed by not knowing about how their information will be used.

In describing their approach to protecting their data on connected devices, more than half of connected device owners consider themselves to be a “Take Charge” crowd, saying that they proactively manage the privacy settings on their devices (US: 61%, UK: 59%, Australia: 57%, India: 46%). But that leaves a substantial number who described themselves as either reactive or passive, managing their privacy settings only in response to a major privacy issue or not managing them at all.

These findings echo those in the data breach section of the survey: despite serious, justified concerns about the safety of their personal information, large blocks of consumers did not make any changes to their behavior post-breach. As consumers begin taking these devices into the workplace, these results suggest that much of the privacy and security burden will need to be borne by enterprise teams, which will need to aggressively educate employees about how they can help reduce risk to better leverage the many benefits of the devices. This “embrace and educate” approach is one way to attain the benefits and efficiencies of the Internet of Things in a responsible manner.

GREATEST FEAR IS BEING HACKED

TOP 4 CONSUMER CONCERNS ABOUT INFORMATION DELIVERED VIA THE INTERNET OF THINGS

28%

40%

35%

30%

25%

20%

15%

10%

5%

0%

26%

16% 15%

25%

20%15% 16%

31%

22% 19%

12%

38%

22%

11% 12%

SOMEONE WILL HACK INTO THE DEVICE AND DO SOMETHING MALICIOUS.

YOU DON’T KNOW HOW THE INFORMATION COLLECTED BY THESE DEVICE(S) WILL BE USED.

YOUR PERSONAL INFORMATION WILL BE SOLD TO OTHER COMPANIES/ORGANIZATIONS.

COMPANIES/ORGANIZATIONS WILL BE ABLE TO TRACK YOUR LIFE (E.G., ACTIONS AND WHEREABOUTS).

AUSTRALIA INDIA UNITED KINGDOM UNITED STATES

ISACA 2014 IT RISK/REWARD BAROMETER 5

A related survey of global ISACA members who are business and IT professionals in 110 countries reveals that, while many organizations plan to leverage the Internet of Things (28% already have plans in place, and another 15% expect to create plans within the next 12 months), a number of concerns remain, with security threats and data privacy topping their list of challenges.

In fact, most do not believe that the data collected on many connected devices (e.g., smart TV, smart meters, connected cars) are private. When asked for their opinion on recent headlines that have declared “privacy is dead,” 69% of respondents said they were very concerned about the decreasing level of personal privacy.

The only device considered secure—meaning it protects user data and was not at risk of being stolen or misused by a hacker — by a notable proportion of members/professionals surveyed, and only by a very narrow margin, was an employee ID card with a sensor (Secure: 42%, Not Secure: 39%, Unsure: 19%).

Despite recognizing the benefits of the Internet of Things and connected devices, more than a third of members/IT professionals surveyed (35%) feel that the risks outweigh the benefits as it relates to enterprises.

Consumer interest in wearable devices will create complications in the workplace, with most ISACA members/IT professionals saying that BYOD (bring your own device) policies are not ready for wearable tech, and that BYOW (bring your own wearable) is as risky as BYOD. While they acknowledge that such devices have the potential to add value, they are worried about how to manage and govern them effectively.

Speaking to their own levels of preparation, more than half (56%) of respondents say their BYOD policy does not address wearable tech, and another 23% do not even have a BYOD policy.

Despite their concerns at the organizational level, however, nearly half of ISACA members feel that the benefit of the Internet of Things still outweighs the risk as it relates to individuals (46%).

WHAT IT PROFESSIONALS THINKSECURITY IS #1 INTERNET OF THINGS CHALLENGE

BYOW: NOT READY FOR WEARABLES AT WORK

69%ARE VERY CONCERNED ABOUT THE DECREASING LEVEL OF PERSONAL PRIVACY

ISACA 2014 IT RISK/REWARD BAROMETER 6

Nearly all people and organizations around the world are now connected via the expanse and reach of the Internet of Things. While this brings many efficiencies—to the point of people wondering how they performed their jobs or maintained friendships prior to Internet access—the fact is that data breaches will not only continue, but will most likely intensify.

Devices with “always on” network connectivity are enabling new types of attacks that have not been seen in the past. A major ramification is a changed risk/value equation, which means that previous risk decisions may need to be revisited. It is also imperative that everyone who has any form of connection (be it customer, vendor, service provider, staff member or investor) has a critical role in helping information stay secure and private. The time to implement holistic risk management is now. Before we know it, these devices will become so prevalent and the capabilities so commonplace that they no longer are described as “smart.” The IoT will soon be BAU.

For full survey results, including related infographics, visit www.isaca.org/risk-reward-barometer. Cybersecurity Nexus (CSX): www.isaca.org/cyberCOBIT framework for governance and management of information IT: www.isaca.org/cobitISACA Knowledge Center: www.isaca.org/knowledge-center

The annual IT Risk/Reward Barometer is a global indicator of trust in information. Conducted by ISACA, a global association of more than 115,000 IT security, assurance, risk and governance professionals, the Barometer polls thousands of business and IT professionals and consumers worldwide to uncover attitudes and behaviors about essential technologies and information, and the trade-offs people make to balance risk and reward. The study is based on September 2014 online polling of 1,646 ISACA members from 110 countries.

Additional online surveys were fielded by M/A/R/C Research among 1,209 consumers in the US, 1,001 consumers in the UK, 1,007 consumers in India and 1,007 consumers in Australia. The US survey ran 8-11 September 2014, and the UK, India and Australia surveys ran 8-17 September 2014. At a 95 percent confidence level, the margin of error for each individual country sample is: US: +/- 2.8 percent and UK/India/Australia: +/- 3.1%. To see the full results, visit www.isaca.org/risk-reward-barometer.

With more than 115,000 constituents in 180 countries, ISACA® (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, including the Cybersecurity Fundamentals Certificate. It also offers COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Follow ISACA on Twitter: https://twitter.com/ISACANews Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ Contact: news@isaca.org

IMPLICATIONS FOR BUSINESS AND IT

RELATED RESOURCES

ABOUT THE 2014 IT RISK/REWARD BAROMETER

ABOUT ISACA

THE IOT WILL SOON BE BAU.