The internet of things (IoT) has moved well past being a passing trend and is now a mainstay across industries and in numerous households. In the right hands, the IoT has the potential to improve the lives of its users. Its growing popularity, however, also makes it a tempting target for cyberattacks: according to a Gartner survey, nearly 20 percent of organizations observed at least one IoT-based attack in the past three years.
At the moment, the bulk of IoT security falls on the users of IoT devices and applications, be they organizations or individuals. Gartner also forecasts that worldwide spending on IoT security will reach US$1.5 billion in 2018, a 28-percent increase from the US$1.2 billion spent in 2017.
With billions of IoT devices already in use and more projected to come online, security is an issue that warrants more attention. Beyond the measures organizations must already be taking to secure their own IoT systems, a well-rounded approach backed by regulation can help raise the level of protection for everyone involved.
Security as a shared responsibility
Regulation can play a crucial role in aligning the key players of the IoT behind one goal. Regulatory bodies can establish shared responsibility for IoT security, starting with device manufacturers and extending to the organizations and individuals that deploy and use the devices. Clear rules also clarify liability when a device's security is inadequate. Liability is a strong incentive for manufacturers to keep improving security, and it protects users in the event of data breaches and other incidents involving IoT devices.
The influence of governments and their respective regulatory bodies can help foster a culture of security around IoT systems. Regulation can promote best practices and guiding principles for the development and deployment of IoT devices, even on a global scale.
Aligning with data protection regulations
The IoT is a network of devices and supporting services whose core function is collecting and sharing data in order to carry out automated tasks. Much of that data relates to identifiable people, so IoT systems fall within the scope of existing data protection regulations.
A particularly relevant regulation, and one receiving close attention this year, is the European Union's General Data Protection Regulation (GDPR), which becomes enforceable on 25 May 2018. Its broad definition of personal data and its stronger rights for data subjects call into question some of the data processing that IoT systems perform. Under the GDPR, every processing operation on personal data needs a lawful basis; where that basis is consent, the consent must be freely given, specific, informed and unambiguous, and it must be obtained before processing begins. Controllers and processors that use IoT systems therefore have to determine at which point in the system consent should be sought, or which other lawful basis applies. Because of the connected and automated nature of the IoT, that point can be difficult to pinpoint: a sensor may collect data about people who never interact with any interface through which consent could be requested.
The GDPR also emphasizes the security and privacy of personal data through its requirement for data protection by design and by default (Article 25). Applied to IoT systems, this requires privacy and security to be built into devices from the development stage onward. The same obligation applies to organizations that use IoT devices to build systems that process personal data: they must configure those systems so that, by default, only the data needed for each purpose is collected and processed.
Regulations like the GDPR are written in broad terms and do not prescribe specific methods for ensuring privacy and security. IoT-specific rules and standards that align with these broader regulations can simplify compliance for organizations that use the IoT and answer to multiple regulatory bodies.
Current IoT regulations and guidelines
IoT-specific regulation is beginning to catch up, with several guidelines and bills introduced over the past few years. In the U.S., the Federal Trade Commission (FTC) has published guidance for businesses on protecting consumer privacy and security in connected devices; its recommendations include security by design and defense in depth, that is, multiple layers of security so that a single failure does not expose the whole system. The U.K. has likewise released guidelines for making internet-connected devices safer and recently published a report on privacy by design for IoT devices.
The U.S. has also introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill imposes no direct requirements on IoT device manufacturers; instead, it directs federal agencies to include clauses in their procurement contracts requiring baseline security features in any IoT device the U.S. government acquires, such as the ability to receive security patches, freedom from known vulnerabilities, and no hard-coded credentials. At the time of writing, the bill has not been passed.
The EU, meanwhile, has its Directive on security of network and information systems (the NIS Directive), which may also affect the IoT. It applies across EU member states and aims to raise the overall level of cybersecurity by requiring operators of essential services and digital service providers to put appropriate security measures in place and to report significant incidents. The directive acknowledges the importance of network and information systems in facilitating the movement of goods, services and people.
IoT best practices
Regulations, if designed well, can push industries to take the initiative on IoT security by clarifying accountability and strengthening information sharing among all entities that build the IoT into their businesses. While some IoT regulations are still being finalized, following best practices for handling IoT devices remains in the best interest of every IoT stakeholder. Organizations should already be acting to protect their IoT systems, so as to uphold both functionality and security.
Here are a few measures that organizations and manufacturers involved with the IoT can take to secure their systems.