According to the article by Trautman et al., the accelerating pace of technological change, driven by rapid growth in computer processing speeds, is transforming the lives of billions of people (2). However, as this growth accelerates, data breaches increase concurrently, posing a challenge to technology users. The purpose of the article was thus to discuss the problem that users face in governing AI and machine learning, and their respective impacts on sensory devices connected to the internet. The authors point out that addressing this challenge, and achieving a better understanding of exposure to IoT-related malware, will add to the body of knowledge on governing enterprise risk, which society should treat as a priority.
First, the authors begin by defining the Internet of Things (IoT), which they consider the vast network of sensory devices connected to the internet and consequently to each other. The article cites the definition by Daniel Cox, who stated that IoT is the connection of billions of new devices to the internet (7). The potential of IoT is evident from the explosive growth of sensory devices both at home and at work. Connected devices can reach higher levels of efficiency owing to improved functionality, data storage, and technological capabilities such as remote access and data analysis, among others. Research by the National Institute of Standards and Technology incorporated into the article, specifically on understanding the IoT concept, stated that each sector has its own IoT devices which it could use to improve its operations.
However, IoT increases the potential for attacks by cyber actors targeting networks and information. The more IoT sensors there are in distinct environments, the higher the number of challenges one has to deal with. Some of the difficulties pointed out include maintenance, monitoring, access to communication protocols, and the procedure to be followed when sharing information (12). Notably, these challenges are ongoing operational concerns, meaning that no single solution will fix everything; keeping the network secure needs to become the norm.
In understanding IoT from the perspective of business value, Trautman et al. highlight the views of Bruce Sinclair, who likens IoT to plumbing. Plumbing is a means to an end, much like moving data from one particular place to another (14). Therefore, to Sinclair, IoT is not a networking stack, because that view does not isolate and correctly point out where its value is created. According to Trautman et al., IoT is understood in the corporate governance context through its connection with the duty of care. Generally, corporate governance owes two primary duties to shareholders, namely the duty of loyalty and the duty of care. Since corporations increasingly face the challenge of constant cyberattacks, aligning their operations, especially their security measures, with their duty of care will guide them in ensuring that customers’ data is protected. Organizations need to deliberately understand their IoT devices, their current and potential future usage, their characteristics, and the security risks attached to operating them, and then come up with the right measures to mitigate those risks (15). Trautman et al. also indicate that the duty to provide data security is embodied in the corporate duty of care (17).
Notably, the article points out a number of issues to be considered when thinking about protecting corporate systems. The first is that the organization’s leadership needs to communicate and act in a way that achieves good cyber hygiene. To this effect, they will work to provide enough resources to make real progress against cyber threats. As for the committee selected to govern the risks associated with data and information systems, it is prudent that its members have skills and experience in the field (Trautman et al. 19). According to Trautman et al., this could be a challenge since many directors generally lack the necessary computing background. This should not deter corporations from appointing the right members to their committees, even if it requires further financial resources. The article points out the importance of the audit and risk committees of corporate boards. These committees are solely focused on ensuring a robust defense against any form of cyberattack and are hence very crucial for the boards (Trautman et al. 19).
According to Trautman et al., to understand the potential IoT threats, one should imagine what happens when they leave their “smart” devices unsecured (19). The number and extent of risks arising from a missing security measure are profound, and so should be the actions taken to prevent and mitigate them. The article analyzes different corporations, specifically Target (2013); Yahoo (2013); Equifax (2017); Office of Personnel Management (June 2015); Marriott (January 2019); and Capital One Financial Corp. (July 2019), to look into the cyberattacks they dealt with in the respective years (24). Nonetheless, the research focuses on the Mirai botnet, a strain of malware that affected IoT devices and home routers. The malware affected over 600000 IoT devices (31). The malware was different because of its Generic Routing Encapsulation (GRE) based attacks, its different levels of attack traffic, and its telnet scanning. Above all, the authors state that this malware would not have existed if stakeholders had protected their IoT devices.
In times of crisis, corporations should understand that IoT vulnerabilities are the potential points of attack. These vulnerabilities could be weaknesses in the system or its design, flaws in the system’s hardware or software, or shortcomings in policies, procedures, or general misuse of the systems (35). Furthermore, during an IoT crisis, corporations need to understand that vulnerability increases, which is inherent in the system’s interoperability and interconnectivity.
Notably, the authors indicate that there have been some recent developments in IoT data security. For instance, NIST continues to provide contemporary research publications and interfaces that key stakeholders can use to boost their security resources and the industry as a whole. For example, its Privacy Framework, released in 2020, complements NIST’s Cybersecurity Framework (Trautman et al. 44). These frameworks serve as guidelines for implementing data security measures when addressing IoT issues. For instance, the Privacy Framework is a voluntary tool that organizations can use to manage risks associated with the privacy of both goods and services. It additionally includes the regulations that need to be complied with when undertaking operations. One example is the improved California law that took effect in 2020, which requires device manufacturers to incorporate reasonable security features into IoT devices (46). The burden has hence been placed on manufacturers, and consumers, for their part, need to ensure that they use devices with these features.
According to Trautman et al., there are some recommendations that corporations could bring into their operations, which are well outlined in The Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (46). The article highlights some of the recommendations, which are achievable by focusing on particular goals. For instance, the first goal, identifying a clear pathway to achieve a versatile, sustainable, and safe technology marketplace, will require a set of five actions (Trautman et al. 47). The actions range from the use of industry-led processes to collaboration among key players. It is recommended that corporations consider all the goals and their actions in order to achieve better measures.
Generally, the more extensive and expansive IoT becomes, the more data breaches there will be, and these can become very costly. The unintended consequences that arise as users try to govern AI, machine learning, and their impacts on the various sensory devices will remain a challenge (51). Therefore, according to Trautman et al., an understanding of the whole system is prudent so that one can be ready for these unintended consequences. For corporate governance, the duties of care and loyalty to shareholders will guide all the measures corporations take to protect their data. Additionally, there have been constant developments, such as frameworks and regulations, that should guide corporate managers in achieving data protection.
Additionally, there needs to be an understanding that this work is not solely the IT department’s responsibility. It starts with top leadership providing adequate resources and creating a culture focused on data protection. It is also vital that users are educated on these issues so they can play their roles accordingly.
Trautman, Lawrence J., et al. “Governance of the Internet of Things (IoT).” arXiv preprint arXiv:2004.03765 (2020).