The purpose of this paper is to help readers understand the various attributes of Internet of Things (IoT) devices and the use cases that are important to consider in any enterprise risk-categorization exercise. It is not intended to be prescriptive but, rather, instructive for those seeking a better understanding of the IoT and its associated risks. Introduction In nearly every industry, the IoT is poised to radically change the way companies produce, and people consume, products and services. Like the Internet and the PC before it, the IoT promises to greatly improve the way we work and play. IoT devices, combined with global broadband communications networks and big data analytics, promise to reduce resource utilization and improve supply chain efficiency while simultaneously improving the quality of the goods sold and services provided. Already, the IoT is beginning to upend the business and operating models of mature industries like manufacturing and agriculture.
Given the breadth of potential applications (many as yet unknown) and device types—from simple sensors that passively monitor an environment to complex networked systems such as autonomous cars traversing the world’s highways—the IoT is poised to bring new order and predictability to an often-chaotic world. However, as the IoT enables new ways to bridge the digital and physical worlds, the cybersecurity risk landscape is also expanding. Cyber risk is no longer confined to enterprise data or systems, where organizations have traditionally focused their cybersecurity investments; hackers are also targeting devices outside traditional perimeters.