IoT, also commonly referred to as connected devices and smart devices, has brought previously unthinkable benefits to our lives and many of the products we use on a daily basis. But it also delivers significant risks — particularly when it comes to cybersecurity and the device operating as originally intended.
Regardless of whether an organization manufactures consumer electronics — such as hair curlers and clothing dryers — or products for a business-to-business market, they should start with the big picture when it comes to IoT implementation: just because you can, should you?
Instead of just trying to keep up with the latest and greatest in technology and product development, manufacturers should not lose focus on the key purpose of their product or system. They should only consider making a smart device if it provides clear benefits to their core customer base. For instance, is there truly a benefit in hair straighteners being connected to the internet? Is the consumer’s life going to be richer if their refrigerator egg tray can tell them there is only one egg left? For the latter, there is a strong argument to be made for convenience and being able to shop more effectively and efficiently. The key is to know when the benefits outweigh the potential risks.
If a company decides to make a product a connected device, it needs to create it with the duty of care to customers that ensures the connected products are secure and remain fit for their intended purpose.
All IoT devices and systems are open to external threats, including those that do not directly have a safety or security function. Devices you may never have regarded as likely targets for cybercriminals, such as TVs, can be hit by potentially paralyzing hacks and computer viruses. In many cases these connected devices can open access to homeowners’ networks and data contained therein.
To underscore this, in a 2018 report titled “Secure by Design,” the U.K. government emphasized that “cyber criminals could exploit vulnerabilities in IoT devices and associated services to access, damage and destroy data and hardware or cause physical, or other types of harm. Where these vulnerabilities can be exploited at scale, impact could be felt by multiple victims across geographic boundaries.”
An example of a connected device that has the potential to enhance the user’s experience and provide the type of convenience that seems to epitomize the IoT is the smart lock. Smart locks are often connected to smart speakers and apps on smartphones; while they add a tremendous amount of convenience and control, they also are at risk of cyberattack. What if they were hacked? As technology gets smarter, so do criminals. This is a simple example based on a residential application; the implications are amplified exponentially when applied to a commercial setting.
There are also risks associated with something as seemingly benign as a smart refrigerator; imagine if someone decided to adjust the temperature of your refrigerator, all the refrigerators in the neighborhood or at a grocery store or at a distribution center?
Minimal human intervention, maximum catastrophic impact
Research group Gartner estimates that there are already 8.4 billion Internet-connected devices in use worldwide, generating revenue of $2 trillion, and that by 2020 there could be 20 billion such devices worldwide. A study of 400 small businesses in the U.S. that use connected devices found 48 percent had already experienced at least one IoT breach. Additionally, the research showed that among companies with annual revenue of less than $5 million, the costs of IoT hacks equaled 13.4% of revenue. For larger organizations, these unwelcome costs ran to tens of millions of dollars.
For devices and systems that communicate with each other and learn and act with minimum human intervention, the impact of breaches can be crippling, resulting in maximum catastrophic impact.
IoT adoption continues to explode and could be even more transformative if not for widespread concerns about the security of enabled products and systems. One way for companies to assess whether their products should be connected would be to start with sales and marketing business units and not the technical teams. Sales and marketing teams have the best pulse on the customer, market and industry and can help clearly identify what value your IoT products bring to customers through this technology. Then turn it over to the technical team to consider how best to implement it, rather than the other way around.
It takes more than a secure password and encryption to make a secure IoT system. A range of basic issues must be addressed. IoT devices need to be tested against an internationally-recognized set of protocols and the product’s intended use should also be verified. It does no good for a lock, for example, to be connected to the internet if it doesn’t work for its intended purpose. Verifying both the fit for purpose and the security of device connectivity will help build trust in the device and you as its manufacturer.
Among the concerns your business may face as a manufacturer or retailer of IoT devices is a rising lack of consumer trust in the whole system. More and more, consumers report worries about both security and the performance of IoT-enabled devices and systems, a trend that could lead to stalling sales and a downturn in mass adoption. To address this threat, it’s vital that security be implemented in the connected device’s design stage, rather than considered as an afterthought.
Avoid serious negative repercussions
Serious negative repercussions — such as legal action and fines, declining sales and profits or a damaged business reputation — may result from a failure by manufacturers to address IoT security challenges. At times, IoT manufacturers may be tempted to put form over function in their rush to bring a connected product to market. Without a thoughtful product development roadmap in place, adding IoT capability may inadvertently leave your product no longer suited for its intended purpose and vulnerable to hacking, creating security and service concerns, and opening the door to organizational risk.
It’s clear IoT has the potential to undermine companies and their reputation, but when carefully considered, it can also be part of the solution, acting as a huge enabler in the key business resilience areas of information, operations and supply chain. Once you determine that IoT does add value and that it’s secure for your customers, seeking assurance can help businesses mitigate risks and safely accelerate time to market in highly competitive industries.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.