Welcome to the last (but certainly not least) post of our industrial Internet of Things (IIoT) data problem series! Throughout this journey, we’ve covered a wide range of challenges and topics. Our goal has been to help leaders understand the data problems that industrial businesses face when deploying IIoT networks. We’ve saved cybersecurity for last, as it is perhaps the most prevalent and relevant issue to our clients. A recent Financial Times report found that “cybersecurity and big data” was the #1 priority for business leaders over the next three years.
To help frame the discussion, let's start with a thought exercise:
How many times have you tried to access a system or file on your corporate network, only to be blocked by insufficient permissions with a prompt to "Contact your administrator"?
Do you even know who that is?
Who should you contact?
When you contact them, will they respond?
What do you do? Do you actually track down your admin and get permission? Be honest! The truth is that when this happens, most people just give up. They decide it's not worth it to go down the path of getting access to what they thought they needed. Doing so would take too much time away from other important responsibilities, and so they just move on.
In this common situation, we observe the complicated relationship between securing data against malicious attacks and making it available to our workforce - what we call the Insecure Data problem.
The insecure data problem is tricky. For WellAware, it's not just one of security - it is also one of productivity. It would be very easy to lock down all of our data, but then even our own teams wouldn't have access to it. So when we talk about the insecure data problem - we talk about data policies that don't effectively balance security and accessibility.
Corporate strategies must be flexible enough so that people can do their jobs without exposing the organization to harmful risks. Put simply: security policies should let the good guys in (and let them roam freely), but keep the bad guys out, every time.
Finding the right middle ground is hard. Successful cybersecurity for industrial digital projects means striking the right balance between breaking down data silos and upholding data protection.
Like airport security checkpoints, cybersecurity models have to prevent attacks without hindering economic productivity. | Photo by Eric Prouzet.
What causes insecure data?
Insecure data stems from several root causes, which impact both security and accessibility.
Many times, insecure data and related issues exist in industrial businesses with centralized security policies. In these organizations, individuals typically have to go through an administrator to gain access to certain databases. Before they can grant permissions, administrators have to confirm there is a verifiable need with managers.
While tight administrative control might reduce the broader security risk to the organization, it may also create bottlenecks that discourage employees from following through with their analyses. In other words, they hinder productivity by favoring security over access.
Some industrial companies choose to forgo the gatekeeper model, at the cost of lower security standards. However, this leaves opportunities open for data breaches and other malicious cyberattacks. In fact, many data issues come from within, as some disgruntled employees express frustration by tainting the internal databases they worked so hard to maintain. Here, we see how high accessibility can weaken security.
Generally, we see that smaller companies err on the side of productivity, exposing themselves to malicious attacks, while larger companies err on the side of security, trading productivity for lower risk.
Who is affected by insecure data?
Insecure data creates challenges for everyone. It often takes tremendous effort for organizations to effectively secure data without limiting productivity, and the decisions made on how best to achieve this can impact every person in the organization.
Office-based workers often have to engage with administrators and work around roadblocks when efficient approval pathways don’t exist. Their work is what gets delayed or abandoned in organizations that don’t manage permissions well.
As projects get stalled by data silos or stringent security measures, decision-makers are also impacted. They have to wait longer for analytical outputs and other syntheses that may be important for major decisions.
On a broader level, data breaches affect everyone within an industrial organization in some way. Intrusions by bad actors can be subtle - they may just be unnoticed manipulations of data that lead analysts astray. Or they may be very direct and destructive: serious cybersecurity attacks can include ransomware or breaches which put people and their personal identity in harm’s way.
What do we need to consider?
The right data security solution depends on the unique needs of the business.
One way many are overcoming the insecure data challenge is by distributing permission approvals. Instead of giving one person or one team of people total authority over who can and can’t access data, leaders are enabling security access based on hierarchical relationships. Said differently, they allow permissions to cascade out via direct connections.
For example, if Elle wants to give data access to her direct report, Kathy, under this model, she has the power to do so up to her approved security level. Then, if Kathy wants to give control to her direct report, Carmen, she can also do so easily.
In this case, Carmen doesn’t have to go directly to Elle, whom she may or may not interact with on a daily basis. Instead, her direct manager, Kathy, can extend access to her, thereby circumventing a central administrator completely.
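The cascade described above can be sketched in code. This is an added example, not WellAware's implementation: the class and method names and the numeric security levels are assumptions. It also goes one step beyond the text by computing each person's effective level from the whole chain, so that lowering a manager's access automatically lowers every grant that was derived from it.

```python
class DelegationError(Exception):
    """Raised when a grant breaks the cascade rules."""


class PermissionCascade:
    def __init__(self):
        self.manager = {}  # person -> direct manager (None at the top)
        self.granted = {}  # person -> level written by their grantor
        self.audit = []    # (grantor, grantee, level) for each accepted grant

    def add_person(self, name, manager=None, level=0):
        self.manager[name] = manager
        self.granted[name] = level

    def effective_level(self, name):
        # A grant is worth no more than every grant above it in the chain,
        # so reducing a manager's level also reduces everyone beneath them.
        level = self.granted[name]
        boss = self.manager[name]
        while boss is not None:
            level = min(level, self.granted[boss])
            boss = self.manager[boss]
        return level

    def grant(self, grantor, grantee, level):
        # Rule 1: access only flows across a direct reporting line.
        if self.manager.get(grantee) != grantor:
            raise DelegationError(f"{grantee} is not a direct report of {grantor}")
        # Rule 2: nobody can hand out more than they currently hold.
        if level > self.effective_level(grantor):
            raise DelegationError(f"{grantor} cannot grant above their own level")
        self.granted[grantee] = level
        self.audit.append((grantor, grantee, level))


def build_example():
    # Constructed data: the three people from the text, with made-up levels.
    org = PermissionCascade()
    org.add_person("Elle", level=3)
    org.add_person("Kathy", manager="Elle")
    org.add_person("Carmen", manager="Kathy")
    org.grant("Elle", "Kathy", 3)
    org.grant("Kathy", "Carmen", 2)
    return org
```

The audit list is what replaces the central administrator's view: with approvals spread across managers, a record of who granted what is the only way to review access afterwards.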
This approach to data security is especially effective for IoT companies that have physical assets in highly remote areas with limited bandwidth. By pushing permissions to the edge, industrial businesses give their field operators the ability to configure devices and manage security as needed. Consequently, permission control begins to look like a mesh network in which no one group or person has to worry about who has access to data.
Fast-growing companies with remote workforces might need to shift over to the decentralized security approach as office hierarchies, teams, and analytical needs become more complicated. They can quickly reach the tipping point where it makes sense to move permission approvals out to the edge.
Decentralized security is particularly relevant in the IoT age. The IoT enables businesses to decentralize data collection for the purpose of enhancing productivity. Thus, decentralized security fits well into the IoT movement and helps leaders truly take advantage of remote data collection.
Manufacturers that currently rely on the centralized model also need to carefully evaluate whether they have the capabilities to implement decentralized security if necessary. While doing so can drastically improve efficiency, it can also quickly expose the broader organization to risk if not done well. Leaders must take the time to ensure employees are educated and trained on how to distribute permissions appropriately.
What’s at stake for your business?
The insecure data problem is one of the most important for industrial companies to solve. Use the following questions to evaluate your current standing related to data security:
- How are data permissions granted today?
- From request to approval, how long does it take for new data access to be granted?
- How is data security managed at remote locations with distributed networks?
- Can your cybersecurity policies keep pace with your growth?
At WellAware, we work closely with industrial companies to help them understand the best cybersecurity approach for their unique operations.