Editor's note: The following is a transcript of Lazarikos' Q&A portion of his webcast presentation on IoT cybersecurity. It has been edited for clarity and length.
Do you think simple tactics such as changing passwords regularly and having two-factor authentication will still be relevant when it comes to IoT cybersecurity?
Demetrios Lazarikos: With any one of these organizations that have had a breach or a compromise, I think regularly changing passwords is something that is going to be critical. Two-factor authentication will evolve out of that. I believe two-factor authentication will be relevant. With IoT it becomes a little tricky, and what I mean by that is if you look at the different verticals, how do you setup two-factor authentication on a medical device? If my job is a physician or a doctor and I'm working in the ER or the OR -- at what point do I have to use two-factor? Is it for every time I have to dispense medication? Maybe if it's painkillers or prescription drugs? Does two-factor enable me or prohibit me from accessing those types of systems and using that type of technology? I think it's going to depend on the vertical and also the business driver for each vertical. I can see two-factor being used in automobiles and homes and manufacturing and different types of technologies. But I really think it's going to be on the business and what they want to do, and how that's going to impact the consumer. My experience has always been that there's a fine line between consumer experience and the business. Introducing two-factor, I believe, can be done and performed successfully. It's just educating the end user [about] why it should be done.
Human error is still a big cybersecurity risk, we hear reports all the time about it. Are social engineering attacks as much of a concern with IoT, or will automated controls take the human element out of the equation?
Lazarikos: I believe that there are a couple things to consider on this: Automated controls are nice; but, well, why are they nice? They streamline everything: You have the reduction of time, you have the ability to make decisions faster and do some interesting things. You're always going to have that human risk. I think it's going to be really, really challenging because you're still going to have your social engineering attacks, I just think they become different. It could be an email or it could be some type of advertisement and if you click through it, things go bad. What I can see happening with IoT, again by different verticals, is you're driving your car and all of a sudden an advertisement pops up or if you have your email tied to your car, you click through it and oh, is it a phishing attempt? And now it's taking over your ECU on the automobile, or the user experience there. That's really going to be interesting to see what types of social engineering attacks will be developed on different IoT systems to take advantage of the user that is trying to click through or have a great experience using one of these devices.
You mentioned the data analytic value of IoT. How do you think real-time analytics will have to evolve in order to protect and manage data moving through new technology like IoT that generates unprecedented amounts of information?
Lazarikos: We've been discussing data analytics as practitioners for years. I believe that there are a couple things that are coming up out of it. One is that the business wants to use this data over the next X number of years and the business drivers are pretty powerful. I want to have a great user experience; I want to know who my customer is when they come to a website or when they come into a bricks and mortar store, when they go to a branch office of a bank, when they go to a branch office in physical terms. I want to know who that individual is when they come in. I want to streamline that process and make sure they have a great experience.
With all those data elements, I want you to consider this: Every one of those touch-points with IoT is going to be connected and collected. So, I drive my automobile, that data is being collected. I drive from point A to B. I walk in and I do X -- maybe it's pay a bill, or I pay online and I'm driving my car now and I listen to my music, I'm doing six or seven things with an interconnected car. If you think about those ecosystems that we talked about with the integrated product systems, the challenge that I'm faced with then is those analytics are being used for me and the service and the function that's occurring right there. But when you think about protecting that data think about what is that application going to do with that data and then also, how long you want to retain that data.
Again, thinking about security and compliance, we have to embrace data analytics. We have to use machine learning and business intelligence and security intelligence, whether it's from the threat community or my monitoring and alerting platform. I have to be able to sift through massive amounts of data in real time and figure out if this Laz driving from point A to point B while doing these other functions. I think it will be critical to have an analytics strategy moving forward using real-time analytics so you can protect a lot of these components and systems as they're communicating to and from all these devices.