The IoT continues to reach into and connect ever more nooks and crannies of daily life. A December 2020 report by the World Economic Forum (WEF), researched in collaboration with PwC, warns that when it comes to governance, that thick web of connections has plenty of gaping holes—and the gap between the IoT’s potential risks and the structures needed to mitigate them is widening.
No surprise there: standards and laws usually lag technological advances. But when a technology is as pervasive, indispensable—and as unstoppable—as IoT, the stakes are so much higher.
In its report, “State of the Connected World: 2020 Edition,” the WEF stresses the responsibility placed on IoT device makers, service providers and industry groups to address these governance gaps. The findings are grounded in both quantitative and qualitative research gleaned from a survey of nearly 375 stakeholders—supplemented with interviews with more than 50 subject matter experts—across a wide array of regions, sectors and employment levels, as well as academia and private citizens.
We build on that central premise here in the risk areas identified as having the highest impact: safety and security, and privacy and trust—issues that cross geographic boundaries and touch consumers, enterprises and governing bodies alike. It’s not an unfamiliar refrain. In our 2019 IoT survey, businesses cited cybersecurity, privacy concerns and an uncertain regulatory environment as the biggest drags on IoT’s potential.
Nevertheless, the WEF report does contain some good news. Both industry groups and governments are actively working to respond to the risks uncovered here—and they’re seeing some real traction.
Many businesses still operate as though security and privacy were optional. If the surge of cyber attacks in 2020 and the growing revulsion around perceived privacy abuses have taught us anything, it’s that privacy and security are a business imperative. Those who want to break away from old habits can do so by strategically building in four basic principles:
What makes IoT so promising also makes it extremely vulnerable. The IoT is complex and huge with billions of data-collecting endpoints—some with flimsy security—connected wirelessly to the cloud and controlled by sophisticated software programs across multiple jurisdictions. Identifying the root cause of a cyber attack is difficult because of the decentralized and sprawling nature of the networks. Little wonder that bad actors have had a field day exploiting it.
It’s hard to ask consumers to be the first line of defense against IoT cyber threats. Most lack the technical knowledge or patience to carefully assess the security and privacy features of the shiny objects and services they are drawn to—let alone to maintain the security of those connected devices and services. And they could be flying blind. Statutes requiring notification of data breaches generally don’t apply to IoT security issues.
Manufacturers and service providers still operate in a kind of Wild West, navigating a fragmented landscape of laws and standards. There’s no reason to wait. The time to get ahead of the curve—and “own” security by design—is right now. Here are four actions you can take:
The sheer scope, volume and intimacy of data being surrendered by humans to devices every day is staggering. Who is collecting, connecting and sharing these oceans of daily data? Who is responsible for safeguarding access to these billions of bits of sensitive information?
Privacy regulations stretch across jurisdictions in a fungible value chain. The task of navigating that patchwork has largely fallen on manufacturers and service providers. Consumers, unfortunately, generally have little transparency, let alone agency, into what happens to their data downstream of its capture. As it is, many struggle with the parameters that are within their reach. According to a recent Consumers International survey, only half are aware of the settings on their devices (smartwatches, smart speakers, smart TVs, etc.) that control data collection.
As evidenced by double-digit growth rates, consumers want IoT devices—but not at the expense of their privacy and safety. Nearly two-thirds of consumers in the same survey said they find the way their connected devices collect data about their personal habits “creepy.”
Unlike the internet, which is built on a single set of internet protocol technologies, every IoT environment operates on its own data and platform standards. The added complexity and cost brought about by this lack of interoperability can create all kinds of headaches—from structural inefficiencies and slow implementations to security risks.
It may be that the technology we rely on has itself become too complex to handle—complexity that, by its very nature, begets risk.
Highly publicized breaches (home security cameras, smart devices and even “connected cars” come to mind) too easily occur due to excessive complexity, poorly designed user interfaces and a lack of security updates. Even devices whose existing security designs can be revised and updated face security threats if users or companies decide that it’s too complicated, confusing or expensive to continue to update them.
It doesn’t have to be that way. Simplification may be the ultimate “killer app”—and in many respects, getting there can be simple. Simplification enables connections, dialogue and innovation—and solutions that can be understood and trusted by all. Here are three guideposts to follow:
When security, privacy and simplicity are baked into your products and services, trust—the key to tapping the full potential of the IoT market—can follow.
Unfortunately, this may be the area in which the governance gap is most gaping. Consumer mistrust is rife: 85% say they wish there were more companies they could trust with their data and information. Concerns about facial recognition systems, smart speakers that listen in unbidden and other elements of “surveillance capitalism” are on the rise. And as the number of IoT devices grows, so will the pressure on people to consent to ever-deeper data collection.
Individuals want more than security. They want agency, and businesses are beginning to pay attention. The opt-out world—with its unpopular practice of automatic, consent-free data collection and the digital aftermarket it feeds—may be starting to sunset.
It’s time to make a U-turn and move from a compliance-focused “don’t do bad things with data” mindset to a human-focused “do good things with data” mindset. Here are some practices that trust pioneers are adopting:
Cyber & Privacy Innovation Institute Leader, PwC US
PwC Connected Solutions Leader, PwC US
Principal, West region, PwC US