The Internet of Things or the Internet of Risk? That Depends…

Look around you. At quick glance, you might see a smart thermostat, smart phone, video doorbell or fitness tracker. These things tie you directly, whether knowingly or unknowingly, to the Internet of Things (IoT). But you’re not alone – Cisco estimates there will be an astounding 500 billion devices connected to the IoT within the next decade.

That makes sense, considering the IoT has been around since the 1980s and we’ve been using one of the first IoT prototypes for generations now – ATMs. But while the IoT has been ingrained in the financial industry for many years, it’s evolving and becoming an even more prominent part of the member experience. Think chatbots, digital and mobile banking and even voice banking through smart speakers (because when your phone or tablet is all the way across the room, Alexa has your back, right?).

The question is, if IoT has been in use for so many years and we’re already starting to move toward more financial solutions that utilize IoT, what’s the catch? Risk, of course. Yes, the dirty, rotten scoundrel that is risk permeates nearly everything, but especially cyberspaces that credit unions use to offer solutions to members and perform daily operations.

If we look at stats about the security aspect of IoT, it’s clear that risk is a big part of the picture. According to anti-virus and computer security provider, Kaspersky, IoT cyberattacks jumped from 639 million in the entirety of 2020 to 1.5 billion in just the first six months of 2021. Furthermore, Gartner, a technological research and consultation firm, portends that more than 25 percent of all cyberattacks businesses face will likely involve IoT. How’s that for perspective?

It’s eye-opening for sure. But perhaps the more pressing questions in the world of IoT are these: what are the potential risks and what can your credit union do about them?

Well, let’s get a little analytical here for a minute. The risks to IoT are many of the same things you will see for any cybersecurity infrastructure: poor password protection, lack of data encryption and authentication practices, inadequate device monitoring and software/hardware patches and updates that are not performed regularly, among other things.

Just because we tend to be familiar with these risks, though, doesn’t make them easy to overcome. They can be the difference between the Internet of Things and the Internet of Risk for your credit union. But setting up the proper cybersecurity policies and channels, as well as remaining diligent about new and escalating risks, will determine your path. Here are a few of my suggestions for addressing risks as credit unions become more and more involved in IoT.

Prioritize IoT skills. Whether it means hiring folks who already have IoT skills or training your current teams to learn them, make this high priority at your credit union. If there’s any possible way for your credit union to keep up in the rapidly expanding realm of IoT (remember, we’re looking at a potential 500 billion devices using the IoT in the next several years), you need to start upskilling, as it’s called, your IT team now. Encourage them to get all the education they can, even if that means providing incentives and recruiting experts to help you set up a training program. This isn’t a wish list item – it’s a necessity.

Perform risk assessments and testing on all of your IoT offerings. This seems pretty obvious, but it never hurts to stress the importance of risk assessments and testing. If you haven’t yet implemented chatbots, for example, and you’re looking to do so, identify and address the risks to that technology sooner rather than later. Do you have the proper encryption in place so that hackers can’t take over your bots? Have you applied multifactor authentication for those who have access? If you utilize a vendor for chatbot services, are you sure that their networks are secure? These things and more are all considerations when performing your assessments and testing. Once you know the answers, you can make adjustments as needed to better protect against risk.

Also keep in mind that risk assessments and testing are most useful at the beginning of the research phase for a new service or solution. Going in blindly when implementing a new IoT technology isn’t just ill advised, it’s downright dangerous. It could be the cause for costly redirections later on, or even a breach – neither of which we want to see happen.

Secure your interfaces. In order to access the IoT, there needs to be a connecting interface. This might be an app, webpage, etc. Whatever the case may be, the interface needs to be secure so that devices are properly authenticated, users are authorized and data transfers are being performed by trusted digital certificates. Otherwise, you’ll have insecure interfaces, which are just gateways to problems such as data loss and illicit access for hackers who have less than honorable intentions.

What these things boil down to is this – the IoT is great for credit union expansion in cyberspace, but it comes with its security challenges, and that’s to be expected. If you plan to venture into the IoT in the future (or even now), go in with a bottom-up approach. Start with a solid foundation of cybersecurity and build from there. This strategy, along with the considerations we’ve already covered, will allow you to be more confident that your institution is, in fact, taking the route to the Internet of Things and not the Internet of Risk.


Mike Bechtel is an information security analyst for Vizo Financial. As such, he provides incident response planning services, information security risk assessments, security awareness training and information security-related consulting services to credit unions.