This famous quote isn’t just applicable to Spiderman, it’s also very applicable to technology. Today, with the Internet of Things (IoT), businesses have the power to develop intelligent, useful products and services. Yet many are so trapped in the web of simply making products, that they are neglecting the protection and privacy side of IoT technologies. By doing so, IoT companies are only one IT security nightmare away from destroying their brand and credibility.
Recently the Global Privacy Enforcement Network released a study about this very topic. Their results were shocking:
- 59% of devices failed to adequately explain to customers how their personal information was collected, used and disclosed.
- 72% failed to explain how customers could delete their personal information off the device.
- Concerns were also raised around medical devices that send reports back to doctors.
As a consumer, not knowing where my information is dispersed, and not knowing how to take control of my own information, is unacceptable. IoT businesses that neglect the importance of security are exposing the customer to various risks, including breaches of sensitive personal information. All it will take is one large data breach of an IoT device, and the consumer backlash would be enough to destroy that brand. Soon, it won’t just be the threat of consumer backlash that you need to worry about; governments are also imposing costly penalties. As the General Data Protection Regulation (GDPR) approaches, the threat of large economic sanctions against businesses that are not properly protecting the personal data of European citizens is growing.
As the Internet of (every)thing can be anything, the risk will differ based on the device and the type of data. The big threat isn’t necessarily that your jogging route is leaked online; the real damage will occur when life-saving information is jeopardized. For example, suppose you have a healthcare device that monitors your heart, blood or other vital signs. This information is shared with your doctor and can affect the dosage of medicine you receive through the device. For these devices to work safely, companies must build a reliable and secure infrastructure around the data. With consumers trusting these devices with their lives, companies carry a massive burden of responsibility to ensure that the data is secure, accurate and out of tampering reach.
The companies in scope for the above-mentioned study may face legal action from authorities if it is discovered that they broke data protection laws, for example by transmitting personally identifiable information (PII) unencrypted over open, non-secure networks.
IoT security can't keep up with demands
In order to minimize IoT security liabilities, new governance procedures will pop up. Maria C. Horton, CEO of EmeSec Incorporated, points out the following, “… The likely outcome of IoT enterprise integration will be the establishment of new information protection practices related to non-centralized computing at the “fog” and “cloud” locations. As a result, there will be a need for creative pre-engineered defenses, liability mitigation awareness and isolation techniques for meeting early-stage IoT business strategies. New aspects of reviewing and continuously improving training and awareness, risk assessments, auditing and accountability, and incident response communications need to become standard contractual requirements for IoT.”
Why are we even facing these problems?
Patrick Foxhoven, CIO & VP of Emerging Technologies at Zscaler, correctly points out that “The main problem with IoT devices is that their manufacturers have been slow to implement security. Many devices, like security monitoring cameras, are produced as inexpensively as possible and are accordingly equipped with the most basic software, which often can’t be updated.”
Early versions of these devices are developed with a ‘minimum viable features’ approach, to enter a market quickly and keep costs to a minimum. Once a device starts to sell well, subsequent versions become more feature-rich. However, the security elements and the organizational capabilities needed to handle the demand may have trouble keeping pace.
Introduce data protection early in the product lifecycle stage
To avoid a serious IoT data breach, it's crucial to have a process in place to help govern the necessary steps of delivering trustworthy products and services to the market. Incorporating a Product Lifecycle Management (PLM) solution is a significant step in the right direction. A PLM strategy will give IoT companies better control throughout all phases of the product lifecycle – from ideation to end-of-life.
In the ideation phase, PLM can help IoT companies put the necessary security measures and data controls in place to proactively address data security issues. During the development phase, a PLM system gives IoT companies more control over their supply chain, enabling them to make quick changes and measure their impact as development proceeds. Giving companies a more agile approach to product development will shorten their time to market and give consumers a product they actually want. Once a product has been launched, a PLM system with release management will allow IoT companies to push out security updates or other software patches. This could mean the difference between having to pull an IoT device from store shelves when a vulnerability is discovered and simply releasing an update, as we often do on our smartphones.
IoT devices aren't going away. They will continue to be embedded in our daily lives. Given all of the positive ways these devices can enrich our lives, it is imperative that companies immediately start addressing their security vulnerabilities if they want to remain in business and build a reputable product and brand.