While the Canadian government is signaling its intention to legislate on cyber security (see Bill C-26, which aims to implement an act to protect critical cyber systems), some companies have already taken serious steps to secure their IT infrastructure. However, the Internet of Things is too often neglected during these steps.
Yet some of these devices are directly connected to the IT infrastructure that matters most to companies. Examples include industrial robots, devices that control production equipment in factories, and those that help workers on the road make their deliveries. Operating systems and various applications are installed on these devices. The very operation of many businesses, and the security of some personal information, depends on the security of these devices and their software. For example:
- An attack can target factory production equipment control systems and result in company production disruptions and significant re-commissioning costs and production delays;
- By targeting production equipment and industrial robots, an attacker can steal plans and production parameters of various processes, which can compromise a company’s industrial secrets;
- Barcode scanners used to ship packages can be infected and transmit information, including personal information, to hackers.
The Open Web Application Security Project (OWASP), a non-profit organization, has published a list of the top ten security risks for the Internet of Things. Managers of companies using such devices should be aware of these issues and take measures to mitigate these risks. We take the liberty of commenting on some of these risks, the mitigation of which requires appropriate policies and sound governance within the company:
- Weak or unchangeable passwords: Some devices are sold with known or weak initial passwords. It is important to ensure that, once installed, these passwords are changed and then strictly controlled. Only designated IT personnel should know the passwords to configure these devices. In addition, it is necessary to avoid acquiring devices that do not allow password management (for example, whose password is immutable).
- Lack of updates: The Internet of Things often relies on computers whose operating systems are not updated during their lifetime. As a result, some devices are vulnerable because they use operating systems and software with known vulnerabilities. In this regard, sound governance makes it possible, on the one hand, to ensure that such devices are updated and, on the other hand, to purchase only devices that allow such regular updates to be carried out easily.
- Poor management of the fleet of connected devices: Some companies do not have a clear view of the Internet of Things deployed within their organization. It is imperative to have an inventory of these devices, their role within the company, the type of information stored on them and the parameters essential to their security.
- Lack of physical security: As much as possible, access to these devices should be secure. All too often, devices are left unattended in places where they are accessible to the public. Clear directives should be given to employees so that they adopt safe practices, especially with regard to equipment intended for deployment on the road.
The Board of Directors of a company plays a key role when it comes to cyber security. Indeed, the failure of directors to ensure that an adequate control system is in place and to monitor risks may engage their liability. In this context, here are some elements that companies should consider to ensure sound governance:
- Review the composition of the Board of Directors and review the skills matrix to ensure the team has the required skills;
- Provide training to all members of the board of directors to develop cyber vigilance and give them tools to fulfill their duties as directors; and
- Assess the risks associated with cyber security, especially those arising from connected devices, and put in place tools to mitigate those risks.
Bill 25, the act to modernize legislative provisions regarding the protection of personal information, provides for certain obligations for the board of directors, especially that of appointing a person in charge of the protection of personal information and that of having a management plan and a log of privacy incidents. On this subject, we invite you to consult the following newsletter: Changes to Privacy Laws: What Businesses Need to Know (lavery.ca)
Finally, a company must at all times ensure that identifiers, passwords and authorizations with suppliers that allow IT personnel to intervene are not in the hands of a single person or a single supplier. This would put the company in a vulnerable position if the relationship with this person or supplier were to deteriorate.
Eric Lavallee is a partner, trademark agent and attorney at Lavery;
Serena Lu is a Partner, Lawyer at Lavery.