Over the past several years, the Internet of Things (IoT) has integrated technologies and machines into everyday humanity in unobtrusive ways. Businesses are controlling the performance and energy consumption of everything from streetlamps to appliances in their customers’ homes. Offices are running on the 24×7 automation of simple tasks, data collection, and monitoring. Even digital assistants are increasing employee and customer engagement while streamlining communications and information gathering.
This intelligent network has become so pervasive that, according to the SAP study, “4 Ways Leaders Set Themselves Apart,” 76% of businesses that are fully committed to their digital transformation invest heavily in the IoT. And perhaps more shocking is the finding that 52% of companies are using this technology even though they are not as focused on their digital strategies.
Adoption rates are expected to rise as tens of billions of connected devices around the world are used as standard tools for managing many daily tasks. However, this growth in connection points gives malicious hackers more opportunity to enter into digital ecosystems, access customer information, or control back-end systems.
Is it possible to benefit from IoT innovations fully and keep processes, data, and operations safe?
A call for balance between the potential and security of IoT ecosystems
Now that the relative novelty and hype of the IoT are quickly becoming mainstream realities, attention to cybersecurity issues are beginning to take shape. For example, California recently became the first state with a cybersecurity law that covers the operation of smart devices. Starting on January 1, 2020, all devices that connect directly or indirectly to the Internet are required to contain “reasonable” security features that prevent unauthorized access, modification, or information disclosure.
Although many celebrated California’s bill as a good first step towards IoT security, the state has been criticized for not going far enough. Some cybersecurity experts point out that the legislation leaves out critical provisions for defining bad passwords that render devices vulnerable to attacks and mandating their removal.
Despite the criticism, the California legislature is still steps ahead of many governments when it comes to device security. In fact, three IoT-related U.S. Congressional bills have been introduced in the last two years – the IoT Cybersecurity Improvement Act of 2017, IoT Consumer TIPS Act of 2017, and Internet of Medical Things Resilience Partnership Act of 2017. Yet, Congress, so far, has failed to vote on any. Meanwhile, the European Union is hoping that the limitations on personal data, as instructed in the General Data Protection Regulation (GDPR), will help ease the risk of security breaches.
Nevertheless, as industry experts in cybersecurity and technology issues know, it’s always best to self-regulate and implement strong protocols and procedures as soon as possible. When poorly secured IoT devices are connected to an IT storage infrastructure, data can be exposed, manipulated, stolen, and misused at any time – leading to significant brand damage and crippling legal and liability issues.
Must-have best practices for overcoming IoT security challenges
Although the issue of IoT security may seem insurmountable for a single business, it is possible to conquer. In his blog, “5 Ways to Overcome IoT Security Challenges,” Jay Thoden van Velzen, director of IoT Security, offers salient advice for securing IoT privacy and data security for every business:
- Manage operational risk: Assess the risk of an attack and its impact on the IoT ecosystem to determine how tight security should be. For example, a system that monitors, regulates, and automates machines on a plant floor requires stricter protocols than a sensor that turns lights on and off a conference room.
- Limit device-to-device communication: Remember this simple truth: the more devices that are “talking” to each other, the greater the opportunity to disrupt a connection point and break into the IoT network. Most devices have a single purpose – to send data to a single collection point. By judiciously choosing which devices engage in two-way exchanges, the business restricts the damage of a breach, should one occur, to a limited area of a much larger ecosystem.
- Control the IoT infrastructure: Select devices that have the security features you need, or, are open enough to analyze how they work and add features to close security gaps. In some cases, IoT devices can be upgraded automatically across a secure connection or allow the business to control the timing, frequency, and delivery of the updates.
- Use encryption from end-to-end: Encrypt communication between devices and data-consumption points as a barrier against unauthorized listening, tampering, spoofing, manipulating, and recovering of sensitive data. This process should also be inextricably linked to device identity to ensure the data originates from the assigned device.
- Seek out and consider the latest expertise: Apply proven security technologies, tools, and best practices into your IoT system as well as your entire IT landscape. In many cases, these techniques can be implemented directly with, for example, digital certificates. It is also possible to restrict methodologies based on the function and communication flow of devices or add mechanisms for protection and monitoring. And in some situations, such as the presence of microcontrollers and low-power networks, new approaches can be created by drawing on existing principles and concepts.
A time for industries to act as advocates of IoT reason
Innovating IoT applications and devices is increasingly becoming a huge responsibility. But it’s also an exciting phase when businesses are well-positioned to help improve people’s lives.
For this reason, it is critical for industry experts to take the lead in creating standards for IoT security. Doing so allows businesses to build public confidence in the security of their data and demonstrate the vast potential of connected intelligence. More importantly, they can play a large part in setting up the standards and protocols that can help political leaders take privacy, safety, and data protection more seriously.
For more insight on security, see How Big Data Helps Avoid Cybersecurity Threats.