According to reports from analyst firm Gartner, more than eight billion devices were connected to the Internet in 2017. Not surprisingly, these linked devices, called the Internet of Things (IoT), are generating data in volumes unseen before. 

However, the influx of IoT and its data has created security and privacy risks that need to be better understood.

IoT transformation

The government defines IoT technology as a set of IP addressable devices that interact with the physical environment. “The first part of this definition captures what I think is transformative about IoT,” said David Doss, Senior Engineering Technical Director with the National Security Agency (NSA). “We are linking IP communications with the physical world, that cyber-physical connection. That’s the transformation of what IoT provides.”

The IoT ecosystem is made up of sensors and processes that allow the devices to communicate with each other, but this communication also generates a tremendous amount of data. At NSA, they see IoT not so much as a singular technology but a tipping point and culmination of previous generations of technology. 

The automotive industry is a prime example of how IoT is changing the marketplace. New automotive offerings have a proliferation of sensors. A car will automatically avoid an obstacle in the road with no human intervention. Someday, that same car will be able to link with a wireless router to send information about the driving experience to third parties.

“It opens up all new possibilities,” said Doss. “Now, if we connect this data, there are all kinds of implications concerning privacy and policies.”

Bringing IoT into business 

Because of lower costs, higher powered micro-electronics, increased storage capabilities and analytic offerings, IoT is finding a place in small companies. 

It’s easy to see how IoT devices can add value to business. Smart leaders leverage IoT to expand the potential of their business model, rather than force IoT into the business setting just because it’s something new and cool. Working with an IoT vendor who understands the organization’s mission will ensure the right device match.

Security best practices

In turn, the vendor should be able to discuss security of the devices, including where the data is stored and whether or not data is encrypted within the cloud infrastructure. 

“Unfortunately, security is an afterthought,” said Doss. “The utility, the functionality, the efficiency and the effectiveness of the new technology tends to outpace the security concerns.” If a vendor can’t answer security questions or address them in a meaningful way, Doss advised looking for an IoT vendor who can meet security challenges.

Overall, the onus of IoT security should fall on the manufacturers. The time has come to bake security into the IoT development process, from the hardware to the software code, recognizing who will be using the device and how it will be used. Encryption is another challenge that needs to be included in security best practices. Many low-powered devices may not have the storage space to accommodate encryption, but because these devices transmit sensitive data, the lack of encryption creates privacy risks. Finally, IoT systems aren’t replaced often, and they need the ability to be patched and updated easily and regularly.

There are operational risks, as well. “In high security spaces, how do we assure we don’t have things trying to talk to our network that could be used as attack vectors?” Doss asked. “You might have a device you know is WiFi-enabled but you didn’t know it was Bluetooth-enabled.”  

The commitment to security must match the commitment to innovation, Doss added. For IoT and IT to reach their full potential, security has to play a bigger role.