Infrastructure systems such as heating, ventilation and air conditioning (HVAC) are costly to secure against cyber-attacks. It is costlier still to leave them unsecured, as Target learned through its debilitating 2013 breach. The Department of Defense (DoD) now faces a possible $250 million remediation of cyber-exposed systems to avoid a Target scenario, as first reported by Scott Maucione of Federal News Radio. The remediation targets vulnerable systems at military facilities and DoD buildings. This overextension by the DoD is a lesson for companies big and small that decide risk assessment can wait until tomorrow.
The cost of remediation only increases as more third-party systems are deployed and the organization loses track of them. The international banking system is realizing this all too viscerally as millions of dollars vanish through cyberattacks. The systems used to route money from bank to bank are increasingly coming under attack because mid-level banks lack the resources to assess everything in their digital ecosystem. In a world where the Internet of Things (IoT) is becoming more prevalent, attackers need to find only one weak third party to infiltrate an entire network, even one responsible for international banking or the DoD: a vendor's connection into the buyer's environment typically carries network access and credentials with it, which is exactly how the Target intrusion began, through credentials belonging to an HVAC contractor.
IoT exposure is a direct result of not extending risk assessment to every third-party vendor and the devices they install. Neglecting this mundane aspect of cybersecurity leaves multiple vectors for attackers to exploit. Devices that are exposed and then neglected grow more likely to be forgotten over time, which makes future risk assessments harder: an assessment cannot prioritize devices the organization does not know it has. The practical check is a maintained asset inventory that records, for each device, its vendor, owner, network location and patch status, so that the next assessment starts from a known population rather than from guesswork.
Attention is undoubtedly expensive. In cybersecurity, attention shows up as the cost of assessment and remediation, and both consume resources, manpower, and time. Instead of an IT team getting ahead and turning infrastructure into an asset, it must now assess every third-party vendor and remediate devices where necessary. The DoD is a prime example of an organization falling behind because it neglected the absolute necessity of securing IoT devices.
All together, the DoD learned the hard way that risk assessment must precede integration and that a safe and secure supply chain must be established up front. Now the backtracking begins: instead of resources being funneled into advancing the agenda of the DoD and the Pentagon, there will be an expensive introspective look at their vulnerabilities for the foreseeable future. The same holds for private companies that neglect diligent risk assessment. Operating as a legitimate organization that leaves no loose ends for attackers to target is essential; neglecting to do so is a liability to consumers, to the organization itself, and to every other organization that interacts with it.