Protecting the connected world: IoT security at a turning point

  • There are already more connected devices in the world than people—by 2025 there will be approximately five times more devices (42 billion) than human beings.
  • A new global report by the World Economic Forum (WEF) and PwC uncovers significant “governance gaps” around the internet of things (IoT)—posing significant risks to people, businesses and societies around the world.
  • The competition for growth and market share in the IoT marketplace will happen on the grounds of privacy, trust, safety and security—the places where risks and opportunities converge.
  • Manufacturers and service providers should get ahead of the trend by “owning” trust, simplicity and security—baking them into their designs from the very start and going to market on that stance.
The IoT continues to reach into and connect ever more nooks and crannies of daily life. A December 2020 report by the WEF, researched in collaboration with PwC, warns that when it comes to governance, that thick web of connections has plenty of gaping holes—and the gap between the IoT’s potential risks and the structures needed to mitigate them is widening.

No surprise there: standards and laws usually lag technological advances. But when a technology is as pervasive, indispensable—and as unstoppable—as IoT, the stakes are so much higher.

In its report, “State of the Connected World: 2020 Edition,” the WEF stresses the responsibility placed on IoT device makers, service providers and industry groups to address these governance gaps. The findings are grounded in both quantitative and qualitative research gleaned from a survey of nearly 375 stakeholders—supplemented with interviews with more than 50 subject matter experts—across a wide array of regions, sectors and employment levels, as well as academia and private citizens.

We build on that central premise here in the risk areas identified as having the highest impact: safety and security, and privacy and trust—issues that cross geographic boundaries and touch consumers, enterprises and governing bodies alike. It’s not an unfamiliar refrain. In our 2019 IoT survey, businesses cited cybersecurity, privacy concerns and an uncertain regulatory environment as the biggest drags on IoT’s potential.

Nevertheless, the WEF report does contain some good news. Both industry groups and governments are actively working to respond to the risks uncovered here—and they’re seeing some real traction.
Aligning safety and innovation: Four guiding principles

Many businesses still operate as though security and privacy were optional. If the surge of cyber attacks in 2020 and the growing revulsion around perceived privacy abuses have taught us anything, it’s that privacy and security are a business imperative. Those who want to break away from old habits can do so by strategically building in four basic principles:

1. Security by design

What makes IoT so promising also makes it extremely vulnerable. The IoT is complex and huge with billions of data-collecting endpoints—some with flimsy security—connected wirelessly to the cloud and controlled by sophisticated software programs across multiple jurisdictions. Identifying the root cause of a cyber attack is difficult because of the decentralized and sprawling nature of the networks. Little wonder that bad actors have had a field day exploiting it.

It’s hard to ask consumers to be the first line of defense against IoT cyber threats. Most lack the technical knowledge or patience to carefully assess the security and privacy features of the shiny objects and services they are drawn to—let alone to maintain the security of those connected devices and services. And they could be flying blind. Statutes requiring notification of data breaches generally don’t apply to IoT security issues.

Manufacturers and service providers still operate in a kind of Wild West, navigating a fragmented landscape of laws and standards. There’s no reason to wait. The time to get ahead of the curve—and “own” security by design—is right now. Here are four actions you can take:

  • Make security and safety a competitive advantage for your brand. Embed strong security policies and controls into your products and services from the very start of the development life cycle. Lay out a set of minimum standards—such as encrypted communications, security updates, strong passwords, product vulnerability management and clear privacy practices—and back them up with action.
  • Keep it up to date. Cybersecurity is a process, not a destination. Continuously monitor your products and services—and those of vendors and business partners—for software flaws and emerging risks, as these continue to evolve in unexpected ways. And, since software updates can only be valid for so long, be clear from the start about end-of-life dates.
  • Promptly disclose breaches. Even though statutes on disclosure are inconsistent to nonexistent, the damage that could arise from a breach or a safety incident (especially one that’s undisclosed) is considerable. 
  • Get ready for new guidelines. Prepare for the rollout of new legislation, including the recently enacted IoT Cybersecurity Improvement Act of 2020. Although the new law calls for standards for federally owned or controlled devices that connect to a federal information system, its effects may well ripple through the consumer IoT market.

2. Privacy by design

The sheer scope, volume and intimacy of data being surrendered by humans to devices every day is staggering. Who is collecting, connecting and sharing these oceans of daily data? Who is responsible for safeguarding access to these billions of bits of sensitive information?

Privacy regulations stretch across jurisdictions in a fungible value chain. The task of navigating that patchwork has largely fallen on manufacturers and service providers. Consumers, unfortunately, generally have little transparency into, let alone agency over, what happens to their data downstream of its capture. As it is, many struggle with the settings that are within their reach. According to a recent Consumers International survey, only half are aware of the settings on their devices (smartwatches, smart speakers, smart TVs, etc.) that control data collection.

As evidenced by double-digit growth rates, consumers want IoT devices—but not at the expense of their privacy and safety. Nearly two-thirds of consumers in the same survey said they find the way their connected devices collect data about their personal habits “creepy.”

Clearing the “not-creepy” bar should only be the first step towards a sophisticated privacy policy, but it’s an essential one. Here’s where to start:

  • Use privacy as your calling card. There’s a virtuous cycle in privacy. It’s as much about the consumer experience as it is about privacy itself, so be fully transparent about what data you collect, how you collect it, how you process it and with whom you share it. Help ensure your end users are able to understand, control and consent to the types of data generated and shared throughout your IoT value chain. 
  • Move privacy much further upstream in the design of devices and services, rather than as an afterthought or bolt-on—and conduct a privacy impact assessment to confirm your processes follow the least privacy-impactful routes to deployment. 
  • Shift your data collection mindset from nice-to-know to need-to-know. The customer information you keep can pose a greater risk to your organization than the data you delete. How much do you really need to hold on to? How do you decide? Data-privacy regulations such as the EU’s GDPR and California’s CCPA—and the upcoming California Privacy Rights Act (CPRA)—all point to the need to modernize and tighten your data retention practices.
  • Create “privacy nutrition labels.” Empower consumers to make wise privacy decisions when purchasing IoT hardware or apps with a privacy nutrition label. While there is as yet no standard for such a label, some high-profile companies have already started self-reporting metrics such as “data used to track you,” “data linked to you” and “data not linked to you” in a clear, easy-to-understand format. Take a stand. You will likely be noticed.

3. Simplicity by design

Unlike the internet, which is built on a single set of internet protocol technologies, every IoT environment operates on its own data and platform standards. The added complexity and cost brought about by this lack of interoperability can create all kinds of headaches—from structural inefficiencies and slow implementations to security risks. 

It may be that the technology we rely on has itself become too complex to handle—complexity that, by its very nature, begets risk. 

Highly publicized breaches (home security cameras, smart devices and even “connected cars” come to mind) too easily occur due to excessive complexity, poorly designed user interfaces and a lack of security updates. Even devices whose existing security designs can be revised and updated face security threats if users or companies decide that it’s too complicated, confusing or expensive to continue to update them.

It doesn’t have to be that way. Simplification may be the ultimate “killer app”—and in many respects, getting there can be simple. Simplification enables connections, dialogue and innovation—and solutions that can be understood and trusted by all. Here are three guideposts to follow:

  • Think from the end (user). Simplicity is appealing, functional and powerful. Pivot your product mindset: from the marketing stage to maintenance, focus on minimizing every possible source of user confusion without sacrificing the robustness of security.
  • Make simplicity the product, not the byproduct. Ensure that everything about your device or service—design, user interface, installation and maintenance—is as simple and intuitive as possible. Clear guidance on how to configure devices securely can also reduce your users’ exposure to threats.
  • Terms of use or terms of misuse? Simplicity should extend to messaging. Communicate in plain language the consequences of the choices you are asking consumers to make. This is a perennial sore spot for end users. Keep in mind that simplicity, honesty and trust are bedfellows.

4. Trust by design

When security, privacy and simplicity are baked into your products and services, trust—the key to tapping the full potential of the IoT market—can follow.

Unfortunately, this may be the area in which the governance gap is most gaping. Consumer mistrust is rife: 85% say they wish there were more companies they could trust with their data and information. Concerns about facial recognition systems, smart speakers that listen in unbidden and other elements of “surveillance capitalism” are on the rise. And as the number of IoT devices grows, so will the pressure on people to consent to ever-deeper data collection.

Individuals want more than security. They want agency, and businesses are beginning to pay attention. The opt-out world—with its unpopular practice of automatic, consent-free data collection and the digital aftermarket it feeds—may be starting to sunset.

It’s time to make a U-turn and move from a compliance-focused “don’t do bad things with data” mindset to a human-focused “do good things with data” mindset. Here are some practices that trust pioneers are adopting:

  • Embrace opt-in, not opt-out. Apple’s new iOS 14.5 operating system is just the latest evidence of a sea change in privacy protections and transparency, making opt-in the default choice and tilting the balance of power toward consumers.
  • Get ahead of the pro-privacy regulatory trend. A growing number of marquee US companies are extending data-privacy protections required by California, the EU and other regions to all their customers, regardless of residency. There’s every expectation that this trend will continue to spread, both among jurisdictions and companies.
  • Align trust with your core environmental, social and governance (ESG) principles. In our 24th Global CEO Survey, US chief executives cite cybersecurity and data privacy—both pillars of public trust—as the second-most important impact area they should measure, behind only innovation.
  • eWaste not. Doing good with data also applies to devices and their disposal. eWaste is the fastest-growing waste stream in the world. Join with the WEF, the UN and other supranational organizations working to make IoT devices more sustainable through design-for-life principles, including a “circular economy” for device lifespans.

Contact us

Joseph Nocera, Cyber & Privacy Innovation Institute Leader, PwC US

Rob Mesirow, PwC Connected Solutions Leader, PwC US

Jay Cline, US Privacy Leader, Principal, PwC US

Jane Allen, Principal, West region, PwC US
