Protecting the connected world: IoT security at a turning point

  • There are already more connected devices in the world than people.
  • A new report by the World Economic Forum and PwC finds significant “governance gaps” around the Internet of Things.
  • Competition in the IoT marketplace will happen on the grounds of privacy, trust, safety and security.
  • Manufacturers and service providers should bake trust, simplicity and security into their designs from the start.

The Internet of Things (IoT) continues to reach into and connect ever more nooks and crannies of daily life. A report by the World Economic Forum (WEF), researched in collaboration with PwC, warns that when it comes to governance, that thick web of connections has plenty of gaping holes — and the gap between IoT’s potential risks and the structures needed to mitigate them is widening.

No surprise there: Standards and laws usually lag behind technological advances. But when a technology is as pervasive, indispensable — and unstoppable — as IoT, the stakes are so much higher.

In its report, State of the Connected World: 2020 Edition, the WEF stresses the responsibility placed on IoT device makers, service providers and industry groups to address these governance gaps. The findings are grounded in both quantitative and qualitative research gleaned from a survey of nearly 375 stakeholders — supplemented with interviews with more than 50 IoT experts — across a wide array of regions, sectors and employment levels, as well as academia and private citizens.

We build on that central premise here in the risk areas identified as having the highest impact: safety and security, and privacy and trust — issues that cross geographic boundaries and touch consumers, enterprises and governing bodies alike. It’s not an unfamiliar refrain. In our 2019 IoT survey, businesses cited cybersecurity and privacy concerns and an uncertain regulatory environment as the biggest drags on IoT’s potential.

The WEF report does contain some good news. Both industry groups and governments are actively working to respond to the risks uncovered here — and they’re seeing some real traction.

Where IoT poses the greatest risks and where governance is most needed
Chart: Where IoT poses the greatest risks and where governance is most needed

Aligning safety and innovation: Four guiding principles

Many businesses still operate as if security and privacy were optional. But they aren’t, as the surge of cyberattacks in 2020 and the growing revulsion around perceived privacy abuses have taught us. For those who want to break away from old habits, how should they proceed? The key is to build in four basic principles, by design.

1. Security by design

What makes IoT so promising also makes it extremely vulnerable. IoT is complex and huge with billions of data-collecting endpoints — some with flimsy security — connected wirelessly to the cloud and controlled by sophisticated software programs across multiple jurisdictions. Identifying the root cause of a cyber attack is difficult because of the decentralized and sprawling nature of the networks. Little wonder that bad actors have had a field day exploiting it.

It’s hard to ask consumers to be the first line of defense against IoT cyber threats. Most lack the technical knowledge or patience to carefully assess the security and privacy features of the shiny objects and services they are drawn to — let alone to maintain the security of those connected devices and services. And they could be flying blind. Statutes requiring notification of data breaches generally don’t apply to IoT security issues.

Manufacturers and service providers still operate in a kind of Wild West, navigating a fragmented landscape of laws and standards. There’s no reason to wait. The time to get ahead of the curve — and “own” security by design — is right now. Here are four actions you can take:

  • Make security and safety a competitive advantage for your brand. Embed strong security policies and controls into your products and services from the very start of the development life cycle. Lay out a set of minimum standards — such as encrypted communications, security updates, strong passwords, product vulnerability management and clear privacy practices — and back them up with action.
  • Keep it up to date. Cybersecurity is a process, not a destination. Continuously monitor your products and services — and those of vendors and business partners — for software flaws and emerging risks, as these evolve in unexpected ways. And, since software updates can be valid only for so long, be clear from the start about end-of-life dates.
  • Promptly disclose breaches. Even though statutes on disclosure are inconsistent to nonexistent, the damage that could arise from a breach or a safety incident (especially one that’s undisclosed) is considerable.
  • Get ready for new guidelines. Prepare for the rollout of new legislation, including the recently enacted IoT Cybersecurity Improvement Act of 2020. Although the new law calls for standards for federally owned or controlled devices that connect to a federal information system, its effects may well ripple through the consumer IoT market.

2. Privacy by design

The sheer scope, volume and intimacy of data being surrendered by humans to devices every day is staggering. Who is collecting, connecting and sharing these oceans of daily data? Who is responsible for safeguarding access to these billions of bits of sensitive information?

Privacy regulations stretch across jurisdictions in a fungible value chain. The task of navigating that patchwork has largely fallen on manufacturers and service providers. Consumers, unfortunately, generally have little transparency into, let alone agency over, what happens to their data downstream of its capture. As it is, many struggle with the parameters that are within their reach. According to a recent Consumers International survey, only half are aware of the settings on their devices (smartwatches, smart speakers, smart TVs, etc.) that control data collection.

As evidenced by double-digit growth rates, consumers want IoT devices — but not at the expense of their privacy and safety. Nearly two-thirds of consumers in the same survey said they find the way their connected devices collect data about their personal habits “creepy.”

Clearing the “not-creepy” bar should be only the first step, but it’s an essential one. Here’s where to start:

  • Use privacy as your calling card. There’s a virtuous cycle in privacy. It’s as much about the consumer experience as it is about privacy itself, so be fully transparent about what data you collect, how you collect it, how you process it, and with whom you share it. Help ensure that your end users are able to understand, control and consent to the types of data generated and shared throughout your IoT value chain.
  • Move privacy much farther upstream in the design of devices and services, rather than as an afterthought or bolt-on — and conduct a privacy impact assessment to confirm that your processes follow the least privacy-impactful routes to deployment.
  • Shift your data collection mindset from nice-to-know to need-to-know. The customer information you keep can pose a greater risk to your organization than the data you delete. How much do you really need to hold on to? How do you decide? Data privacy regulations such as the European Union’s GDPR and California’s CCPA — and the upcoming California Privacy Rights Act (CPRA) — all point to the need to modernize and tighten your data retention practices.
  • Create “privacy nutrition labels.” Empower consumers to make wise privacy decisions when purchasing IoT hardware or apps with a privacy nutrition label. While there is no standard yet for such a label, some high-profile companies have already started self-reporting metrics such as “data used to track you,” “data linked to you” and “data not linked to you” in a clear, easy-to-understand format. Take a stand. You will likely be noticed.

3. Simplicity by design

Unlike the internet, which is built on a single set of internet protocol technologies, every IoT environment operates on its own data and platform standards. The added complexity and cost brought about by this lack of interoperability can create all kinds of headaches — from structural inefficiencies and slow implementations to security risks.

It may be that the technology we rely on has itself become too complex to handle — complexity that, by its very nature, begets risk.

Highly publicized breaches (home security cameras, “smart” devices and even “connected cars” come to mind) too easily occur because of excessive complexity, poorly designed user interfaces and a lack of security updates. Even devices whose security designs can be revised and updated face security threats if users or companies decide that it’s too complicated, confusing or expensive to continue to update them.

It doesn’t have to be that way. Simplification may be the ultimate “killer app,” and in many respects, getting there can be simple. Simplification enables connections, dialogue and innovation — and solutions that can be understood and trusted by all. Here are three guideposts to follow:

  • Think from the end (user). Simplicity is appealing, functional and powerful. Pivot your product mindset: From the marketing stage to maintenance, focus on minimizing every possible source of user confusion without sacrificing the robustness of security.
  • Make simplicity the product, not the byproduct. Confirm that everything about your device or service — design, user interface, installation and maintenance — is as simple and intuitive as possible. Clear guidance on how to configure devices securely can also reduce your users’ exposure to threats.
  • Terms of use or terms of misuse? Simplicity should extend to messaging. Communicate in plain language the consequences of the choices you are asking consumers to make. This is a perennial sore spot for end users. Keep in mind that simplicity, honesty and trust are bedfellows.

4. Trust by design

When security, privacy and simplicity are baked into your products and services, trust — the key to tapping the full potential of the IoT market — can follow.

Unfortunately, this may be the area where the governance gap is most gaping. Consumer mistrust is rife (85% say they wish there were more companies they could trust with their data and information). Concerns about facial recognition systems, smart speakers that listen in unbidden, and other elements of “surveillance capitalism” are on the rise. And as the number of IoT devices grows, so will the pressure on people to consent to ever-deeper data collection.

Individuals want more than security. They want agency, and businesses are beginning to pay attention. The opt-out world — with its unpopular practice of automatic, consent-free data collection and the digital aftermarket it feeds — may be starting to sunset.

It’s time to move from a compliance-focused “don’t do bad things with data” mindset to a human-focused “do good things with data” mindset. Here are some practices that trust pioneers are adopting:

  • Embrace opt-in, not opt-out. Apple’s new iOS 14.5 operating system is just the latest evidence of a sea change in privacy protections and transparency, making opt-in the default choice and tilting the balance of power toward favoring consumers.
  • Get ahead of the pro-privacy regulatory trend. A growing number of marquee US companies are extending data privacy protections required by California, the European Union and other regions to all their customers, regardless of residency. There’s every expectation that this trend will continue to spread, among both jurisdictions and companies.
  • Align trust with your core ESG (environmental, social and governance) principles. In our 24th Global CEO Survey, US chief executives cite cybersecurity and data privacy — both pillars of public trust — as the second-most important impact area they should measure, behind only innovation.
  • E-waste not. Doing good with data also applies to devices and their disposal. E-waste is the fastest-growing waste stream in the world. Join with the WEF, the United Nations and other supranational organizations working to make IoT devices more sustainable through design-for-life principles, including a “circular economy” for device lifespans.

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US


Rob Mesirow

PwC Connected Solutions Leader, PwC US


Jay Cline

US Privacy Leader, Principal, Minneapolis, PwC US


Jane Allen

Principal, Legal Business Solutions Leader, PwC US
