Six things you need to know about IoT security

It’s simple: IoT makes our lives easier. Security flaws do not

Security, trust and data integrity
The emergence of IoT is altering our personal technology security paradigm and is a game-changer in customer/business interaction, in part due to the wide scope of available data and sheer number of devices collecting this data. McKinsey & Company estimates the IoT ecosystem will generate $6 trillion in value by 2025. Successful IoT offerings rely on the perception of benefit they can deliver to businesses and consumers while creating a proportionate foundation of security, trust, and data integrity. There are important ways that IoT technology can reduce data security risk while improving customer experience in a connected world.

It’s in every company’s best interest to “do” IoT correctly, which will mean ratcheting up security measures to capture and ensure a good customer experience. Jack Nichols, director of product management at Genesys, provides six ways to do that.

Justify the business expense of “embedding” security

As with all technology, IoT security considerations should be embedded in every phase of development, from inception to deployment. Some organizations have a hard time justifying the added time and expense that accompany new security initiatives or adherence to continuous best-practice implementation. Everyone wants the wondrous new capabilities, but many balk at the price tag and operational complexity that goes with it. Security becomes an afterthought that is addressed at the end of the process, if at all. Those same organizations should be aware that there are now numerous legal implications surrounding how an organization handles its IoT security. Much more importantly, “customer experience” is the reigning business differentiator, with loyal customers spending 300 percent more money with a trusted business than with others.

Test, test, and re-test

A recent survey discovered that 80 percent of IoT applications aren’t tested for security vulnerabilities. That represents a staggering number of endpoints that leave themselves available for compromise. As you’re developing your IoT applications and services, you need to conduct continuous internal and third party vulnerability analysis and penetration testing. Keep in mind that it’s better to fold security into the product development cycle, rather than bolting it on after the fact. If you rush to market with an IoT system that isn’t safe, then you’re risking everything in invaluable consumer trust.

Proactively manage IoT security operations remotely

As it stands, a large number of IoT product makers and app developers rely on the end user to install updates and configure security settings, which is ill-advised. Ideally, companies should be able to remotely push security patches and updates as soon as they’re available to prevent vulnerabilities. According to the most recent version of the IoT Trust Framework, such updates must either be signed and/or otherwise verified as coming from a trusted source. Updates and patches should not modify user-configured preferences, security, and/or privacy settings without user notification. Automated (as opposed to automatic) updates increase customer trust because you do the heavy lifting, while still providing users with the ability to approve, authorize or reject changes.

Encryption is your friend

Beefing up encryption is also advised in the new IoT Trust Framework. Show your customers you care about their privacy by ensuring that any support websites used in your IoT service fully encrypt user sessions, from the device to the backend. “Current best practices include HTTPS or HTTP Strict Transport Security (HSTS) by default, also known as AOSSL or Always On SSL.” Furthermore, “Devices should include mechanisms to reliably authenticate their backend services and supporting applications.”

Transparency matters

The FTC fined Visio for collecting and selling its smart TV owner data. As outlined in a recent IEEE IoT newsletter, good transparency principles aren’t exclusive to IoT, but require understanding that privacy threats in an IoT system are unique and require transparent disclosure related to three inputs:

• Personal data collected or generated.
• Data actions performed on that information.
• The context surrounding the collection, generation, processing, disclosure and retention of this personal data.

This isn’t just a question of a company doing right by its consumer base. For example, General Data Protection Regulation (GDPR) in Europe seeks verifiable consumer agreement to how each of these three inputs are managed via notice and consent. In general, it’s best to state your data collection practices, as well as privacy, security and support policies, in an easily discoverable location on your company website, which can be reviewed prior to purchase or service opt-in. Further, disclose what and how features will fail to function if users decline to consent.

Embrace edge analytics and minimize the amount of sensitive data in transit

A natural byproduct of connecting everything is the creation of a surplus in valuable customer data, which can be both amazing and dangerous. In addition to safeguarding data warehouses, there is the added issue of securing massive amounts of data as it moves. With IoT applications, as information is relayed from IoT endpoints to the cloud for computation and analysis, there’s always a risk of exposure and threat of interception. But the current trend toward moving some computation to IoT endpoints and transmitting only prescribed information reduces the amount of potentially sensitive raw data in transit. While the arguments for edge computing generally center around increasing real-time functionality and the savings associated with machine learning and AI, mitigating customer data exposure is an added benefit.