Customers and companies have been quick to embrace the benefits of connected devices, and the Internet of Things is a more significant part of our lives than ever before. Connected devices can offer tremendous value by transmitting data continuously, allowing for unparalleled control and analysis. The problem is that this data transmission needs to be handled correctly at all points — locally, to the cloud, and in the cloud. It’s time to take the privacy implications of IoT seriously.
Many products rely on Bluetooth for connectivity, which has known security flaws. While many platforms use more secure protocols like Z-Wave for encryption, they might still rely on poorly designed hubs to save costs. For example, researchers recently uncovered vulnerabilities in a Zipato smart home hub that allowed hackers to open a smart lock with just a few lines of code.
Even when devices themselves are secure, many platform providers rely on residents’ Wi-Fi to communicate.
The Wi-Fi provided by residents is likely not secure, as securing it requires residents to use a security protocol such as WPA2 and to keep their firmware and passwords up to date. Most residents don’t worry about this, much less take care of their security.
Wi-Fi originally was designed for speed rather than security; while it can be made secure, it requires a dedicated team to set up and manage a secure network.
Cellular data is a more secure transmission choice, and it can be beefed up with encryption and private lines. If Wi-Fi is the only option because of a high-bandwidth use case such as video, transmitting data on a virtual private network, or VPN, over Wi-Fi adds a layer of security.
Once data is in the cloud, it needs to be protected from misuse by external parties.
Some online platforms, such as Amazon and Google, will mine and sell data for advertising and purchases. You — and your customers — should understand these monetization policies.
Do you follow the ever-changing laws for IoT devices?
Data usage also needs to follow the ever-changing laws for IoT devices, such as the recent California Consumer Privacy Act. Follow the adage of “trust but verify.” In other words, make sure any platform providers you work with can provide SOC 2 Type II certification.
Losing control of data in any one of these areas has consequences for you and your customers, but countless companies still don’t fully consider privacy and security concerns when purchasing IoT devices.
Coping With the Consequences
Nothing is entirely secure, but many businesses make the mistake of assuming that precautions are too difficult or expensive to implement.
While the security process can be challenging for small or midsized firms, the added security is always worth the effort.
The most common consequence of a failure to put the proper IoT security in place is stolen customer data.
When businesses don’t take the proper security precautions, they put their customers’ data at risk — and the recovery and lost revenue can cost a fortune.
Look at the 2018 hack of Marriott, for example, which exposed the information of 500 million customers — including names, phone numbers, birthdates, and passport numbers.
Breaches like Marriott can lead to fines from regulatory bodies, expenses for identity protection services for customers, and hefty litigation fees. Don’t forget about lost business due to a lack of customer trust.
In tandem, these repercussions can lead to massive costs to your business. According to a 2018 study by IBM and the Ponemon Institute, the average cost of a breach was $148 per compromised record.
Consequences for consumers.
In some cases, security vulnerabilities can have more immediate consequences for consumers. In addition to the breach of smart locks mentioned above, hackers can take over IoT devices purely to harass residents of smart homes.
A couple in Wisconsin, for example, had hackers blare vulgar music over their audio system and turn their thermostat as high as it would go.
In another instance, a couple in South Carolina noticed the lens of their Wi-Fi enabled baby monitor was moving on its own. These invasions of privacy are scary and can quickly turn places of safety into places of fear.
Is your IoT security being breached — and you don’t know yet?
An IoT security breach has too many consequences to name, but all of them can be avoided. To minimize the odds of privacy breaches, properly manage and secure your IoT devices.
Follow these strategies for better IoT safety.
1. Understand your firm’s risk tolerance.
What is risk? According to the International Organization for Standardization, it’s the “effect of uncertainty on objectives.” There will always be a risk because there will always be uncertainty, especially with technology. But it’s something that should be minimized within the parameters defined by your organization.
To minimize risks appropriately, you must first identify them.
If a few hours of system downtime would put your organization under, for instance, you’ll want to invest in a complete backup of both data and operational software.
If you could go several days using manual processes with minimal loss, on the other hand, a data backup once a week should be sufficient. Your risk tolerance is unique to your organization and must be assessed on a case-by-case basis.
2. Ask partners about data security practices.
Once you’ve resolved your organization’s vulnerabilities, you must also address the security risks that accompany business partnerships. Target, for instance, received a lot of bad press in the aftermath of a breach that cost the company $148 million.
Few customers realized — or cared — that the attackers exploited a vulnerability in the security of Target’s HVAC vendor.
To prevent the same thing from happening to your organization, ask partners if they use security practices such as data encryption and two-factor authentication.
While you’re at it, inquire about their data privacy practices. Do they sell data? Are they compliant with data privacy laws? Do they have SOC 2 Type II compliance?
If their answers don’t meet your expectations, you might want to consider finding a new partner or putting a cybersecurity standards clause in any contracts that are up for renewal.
3. Identify internal champions and KPIs.
Find internal stakeholders who will champion the proper use of IoT devices while assessing and holding external parties accountable. They should also assess internal policies and procedures, ensuring that safeguards are in place to keep your organization’s data secure.
Your organization should also have key performance indicators, or KPIs, focused specifically on cybersecurity. These can include the average time it takes IT to detect security problems and the average time it takes to resolve those problems.
No matter what you choose, make sure your KPIs are accurate, easily understood, and relatively simple to calculate.
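As an added illustration (not from the original article), the two KPIs suggested above can be computed directly from an incident log. The records below are constructed sample data, and the threshold for flagging slow detections is an assumed value.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    id: str
    occurred: datetime   # when the security problem actually began
    detected: datetime   # when IT first noticed it
    resolved: datetime   # when it was fixed

    def __post_init__(self):
        # A record whose timestamps run backwards would silently skew the KPIs
        if not (self.occurred <= self.detected <= self.resolved):
            raise ValueError(f"{self.id}: timestamps out of order")

    def hours_to_detect(self) -> float:
        return (self.detected - self.occurred).total_seconds() / 3600

    def hours_to_resolve(self) -> float:
        return (self.resolved - self.detected).total_seconds() / 3600


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed sample incident records; not real data
INCIDENTS = [
    Incident("INC-1", parse("2024-03-01 08:00"), parse("2024-03-01 10:00"), parse("2024-03-01 14:00")),
    Incident("INC-2", parse("2024-03-05 22:00"), parse("2024-03-06 04:00"), parse("2024-03-06 15:00")),
    Incident("INC-3", parse("2024-03-10 09:30"), parse("2024-03-10 09:45"), parse("2024-03-10 12:45")),
]


def mean_time_to_detect_hours(incidents) -> float:
    """KPI 1: average time from a problem starting to IT detecting it."""
    return mean(i.hours_to_detect() for i in incidents)


def mean_time_to_resolve_hours(incidents) -> float:
    """KPI 2: average time from detection to resolution."""
    return mean(i.hours_to_resolve() for i in incidents)


def slow_detections(incidents, max_hours: float) -> list:
    """Incidents whose detection time exceeded an assumed threshold (hours)."""
    return [i.id for i in incidents if i.hours_to_detect() > max_hours]


if __name__ == "__main__":
    print(f"MTTD: {mean_time_to_detect_hours(INCIDENTS):.2f} h")
    print(f"MTTR: {mean_time_to_resolve_hours(INCIDENTS):.2f} h")
    print("Detected slower than 4 h:", slow_detections(INCIDENTS, 4))
```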
The IoT is powering a new wave of innovation for both business and consumer applications.
These devices include security risks that are only now being addressed. If your organization leans heavily on the IoT, make sure you’re actively managing vulnerabilities.
By fortifying your security defenses, you can enjoy the benefits of IoT without putting your company or customers at risk.