The Internet of Things (IoT) continues to reach into and connect ever more nooks and crannies of daily life. A report by the World Economic Forum (WEF), researched in collaboration with PwC, warns that when it comes to governance, that thick web of connections has plenty of gaping holes — and the gap between IoT’s potential risks and the structures needed to mitigate them is widening.
No surprise there: Standards and laws usually lag behind technological advances. But when a technology is as pervasive, indispensable — and unstoppable — as IoT, the stakes are so much higher.
In its report, State of the Connected World: 2020 Edition, the WEF stresses the responsibility placed on IoT device makers, service providers and industry groups to address these governance gaps. The findings are grounded in both quantitative and qualitative research gleaned from a survey of nearly 375 stakeholders — supplemented with interviews with more than 50 IoT experts — across a wide array of regions, sectors and employment levels, as well as academia and private citizens.
We build on that central premise here in the risk areas identified as having the highest impact: safety and security, and privacy and trust — issues that cross geographic boundaries and touch consumers, enterprises and governing bodies alike. It’s not an unfamiliar refrain. In our 2019 IoT survey, businesses cited cybersecurity and privacy concerns and an uncertain regulatory environment as the biggest drags on IoT’s potential.
The WEF report does contain some good news. Both industry groups and governments are actively working to respond to the risks uncovered here — and they’re seeing some real traction.
Many businesses still operate as if security and privacy were optional. But they aren’t, as the surge of cyberattacks in 2020 and the growing revulsion around perceived privacy abuses have taught us. For those who want to break away from old habits, how should they proceed? The key is to build in four basic principles, by design.
What makes IoT so promising also makes it extremely vulnerable. IoT is complex and huge, with billions of data-collecting endpoints — some with flimsy security — connected wirelessly to the cloud and controlled by sophisticated software programs across multiple jurisdictions. Identifying the root cause of a cyberattack is difficult because of the decentralized and sprawling nature of the networks. Little wonder that bad actors have had a field day exploiting it.
It’s hard to ask consumers to be the first line of defense against IoT cyber threats. Most lack the technical knowledge or patience to carefully assess the security and privacy features of the shiny objects and services they are drawn to — let alone to maintain the security of those connected devices and services. And they could be flying blind. Statutes requiring notification of data breaches generally don’t apply to IoT security issues.
Manufacturers and service providers still operate in a kind of Wild West, navigating a fragmented landscape of laws and standards. There’s no reason to wait. The time to get ahead of the curve — and “own” security by design — is right now. Here are four actions you can take:
Get ready for new guidelines. Prepare for the rollout of new legislation, including the recently enacted IoT Cybersecurity Improvement Act of 2020. Although the new law calls for standards for federally owned or controlled devices that connect to a federal information system, its effects may well ripple through the consumer IoT market.
The sheer scope, volume and intimacy of data being surrendered by humans to devices every day is staggering. Who is collecting, connecting and sharing these oceans of daily data? Who is responsible for safeguarding access to these billions of bits of sensitive information?
Privacy regulations stretch across jurisdictions in a fungible value chain. The task of navigating that patchwork has largely fallen on manufacturers and service providers. Consumers, unfortunately, generally have little transparency into, let alone agency over, what happens to their data downstream of its capture. As it is, many struggle with the parameters that are within their reach. According to a recent Consumers International survey, only half are aware of the settings on their devices (smartwatches, smart speakers, smart TVs, etc.) that control data collection.
As evidenced by double-digit growth rates, consumers want IoT devices — but not at the expense of their privacy and safety. Nearly two-thirds of consumers in the same survey said they find the way their connected devices collect data about their personal habits “creepy.”
Clearing the “not-creepy” bar should be only the first step, but it’s an essential one. Here’s where to start:
Unlike the internet, which is built on a single set of internet protocol technologies, every IoT environment operates on its own data and platform standards. The added complexity and cost brought about by this lack of interoperability can create all kinds of headaches — from structural inefficiencies and slow implementations to security risks.
It may be that the technology we rely on has itself become too complex to handle — complexity that, by its very nature, begets risk.
Highly publicized breaches (home security cameras, “smart” devices and even “connected cars” come to mind) too easily occur because of excessive complexity, poorly designed user interfaces and a lack of security updates. Even devices whose security designs can be revised and updated face security threats if users or companies decide that it’s too complicated, confusing or expensive to continue to update them.
It doesn’t have to be that way. Simplification may be the ultimate “killer app,” and in many respects, getting there can be simple. Simplification enables connections, dialogue and innovation — and solutions that can be understood and trusted by all. Here are three guideposts to follow:
When security, privacy and simplicity are baked into your products and services, trust — the key to tapping the full potential of the IoT market — can follow.
Unfortunately, this may be the area where the governance gap is most gaping. Consumer mistrust is rife (85% say they wish there were more companies they could trust with their data and information). Concerns about facial recognition systems, smart speakers that listen in unbidden, and other elements of “surveillance capitalism” are on the rise. And as the number of IoT devices grows, so will the pressure on people to consent to ever-deeper data collection.
Individuals want more than security. They want agency, and businesses are beginning to pay attention. The opt-out world — with its unpopular practice of automatic, consent-free data collection and the digital aftermarket it feeds — may be starting to sunset.
It’s time to move from a compliance-focused “don’t do bad things with data” mindset to a human-focused “do good things with data” mindset. Here are some practices that trust pioneers are adopting: