Have your IS and Physical Security plans considered the risks from drones?
Commercial use of drones is becoming more popular, as they can be useful for surveying or imaging hard-to-reach areas. As with any new technology, the use of drones for criminal purposes is also becoming more prevalent. There have been the obvious reports of drugs and mobile phones being smuggled over prison walls, but where are the risks for businesses from this new area of criminal activity? In this article we consider some of the key risks and how to respond.
If your business uses drones to store data, including customer data such as names, addresses etc., then consider the risk of data theft if the drone were to be stolen or if data being transmitted across insecure Wi-Fi networks were to be intercepted. The types of data stored on the machines therefore need to be assessed; for sensitive data you need to adopt the same level of security as for other mobile devices.
Even some images may be commercially sensitive and therefore require protection from loss. Also consider how unhappy your customers might be if images of their homes or offices fell into the wrong hands. Data Protection is definitely an issue to consider, particularly if the drone is likely to capture images beyond the immediate physical boundaries of your organisation or client.
Also consider whether those images could be used by criminals to plan physical attacks on the property, or be useful to them in planning a burglary.
As well as considering what commercially sensitive information is stored on your own drones, consider how criminals could use their own drones to fly over sensitive buildings/land.
As well as more extreme issues such as drones being used to drop explosives, such drone use could include taking aerial photos of hidden/secret locations or items or, if the drone is fitted with microphones, eavesdropping on conversations. It may also be possible for drones, fitted with the right technology, to intercept wireless communications on unsecured Wi-Fi networks including wireless keyboards, making drone keyloggers a possibility.
There are also other physical threats from drones, for example crowd safety issues if a drone were to be flown at high speed into a crowd of people to cause injury.
So how do you prepare for these eventualities?
- Be aware of the risks for your organisation by considering such scenarios in your risk assessments, particularly if your business is part of the supply chain for critical infrastructure such as: power plants; oil and gas supply; water treatment works; transportation; hospitals; food production or distribution; housing; schools/colleges; local authorities; or security.
- Raise awareness of the risks among colleagues in high-risk areas including security, facilities, event management, and departments operating drones.
- Review data security/encryption on drones and other hardware used with them e.g. USB sticks/SD cards.
- Make it physically difficult to fly a drone over sensitive areas, or have detection methods such as frequency or acoustic monitoring equipment installed in those areas. There are new and emerging technologies in this field; however, the smaller, lighter nature of non-military drones makes them harder to detect. There are also legal considerations in terms of disabling drones mid-air.
- Raise awareness with senior execs to avoid them having confidential conversations in open areas where drones could eavesdrop.
- Undertake penetration and vulnerability testing for new drone purchases.
- Have a clear response plan so that staff know how to react legally and in a timely manner if they suspect a drone attack, and who to contact. This should also include an assessment of how any evidence will be preserved in any investigation.
- Keep asset logs, including serial numbers, data inventory etc., so that action to mitigate any loss of a drone can be taken quickly.
We are currently not aware of any cyber or privacy security standards or frameworks relating to non-military drone usage. If anyone knows differently please let us know. While there are some Civil Aviation Authority laws which place restrictions on commercial flying of drones, it is unlikely that criminals will worry too much about those!
The emerging risks from drone technology are set to grow as more and more businesses identify legitimate reasons to use drones such as farming remote stock, surveying inaccessible land and buildings, and security systems; and as criminals conversely identify new ways of utilising them for criminal purposes.
In the meantime, be aware and keep abreast of developments in this area, raise awareness with colleagues, and include these scenarios in your risk assessments and business continuity plans.