Welcome to the latest blog in our series on how to start a brand-new Internet of Things (IoT) business.
Today’s post examines an absolutely crucial – yet all too often neglected – facet of bringing a new IoT offering to market: security.
The first security hurdle for many IoT start-ups is that it simply isn’t a core specialism. They might have the best product designers available, but if in-house cybersecurity expertise isn’t available, then corners are liable to be cut. Too many IoT businesses may have compelling ‘connected product’ offerings – but because they combine an open standards architecture with security added as an afterthought rather than built in by design, they are often ripe for cyber attacks.
So, from the very beginning, you need to be honest about the level of cybersecurity awareness, expertise and experience that you have available – and then either hire appropriate talent or seek out external consultancy. This is the only way of being confident that your new IoT product is being developed with robust security baked in from the ground up. New regulatory frameworks and standards like the EU’s General Data Protection Regulation (GDPR) are increasingly demanding ‘security by design’, so you’ll save a lot of time, money and complication if you can demonstrate this from the outset.
However, simply handing over responsibility for the security of your IoT product to a specialist isn’t enough. It’s still wise to educate yourself as to some of the basics of security in IoT contexts. Here are four key ideas.
Accept responsibility for security at boardroom level
Outsourcing your security or handing over responsibility to a Head of Cyber Security isn’t good enough. Cyber security should be a permanent fixture on the boardroom agenda. It should not be an add-on or afterthought any more than the financial health of the company should be. Typically, discussions should be led by the CISO, introducing current projects, the wider threat landscape and mentioning any challenges or problems from the previous month.
Be prepared for the consequences of security ignorance and ineptitude at the C-level. The Equifax CEO was recently forced to resign due to his role in a massive, preventable data breach. No one is immune to scrutiny.
Assume low user awareness – and implement education
Many headline-grabbing stories relating to IoT security are at the consumer end of the spectrum – shoppers happily buy a smart TV or a home security system, and fail to change the default password, for example. Some of the fault here lies with the consumers – but manufacturers have a responsibility to guide their customers to best security practice. Design your products so that users are alerted to good security practice – don’t allow a default password to remain in use for more than 24 hours, for example. And ensure that any user manuals or instructions assume a low initial level of security knowledge.
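To make the 24-hour rule concrete, here is a sketch of how device firmware or its companion service could enforce it. This is an added example, not code from any particular product: the `DeviceAccount` class, the status strings and the 12-character minimum are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

DEFAULT_PASSWORD_GRACE = timedelta(hours=24)  # the 24-hour limit suggested above
MIN_LENGTH = 12                               # assumed minimum, not from the article


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAccount:
    """Hypothetical account record for a device shipped with a factory password."""

    def __init__(self, factory_password: str, first_boot: datetime):
        self.salt = os.urandom(16)
        self.factory_hash = _hash(factory_password, self.salt)
        self.current_hash = self.factory_hash
        self.first_boot = first_boot  # when the grace period started

    def uses_default(self) -> bool:
        return hmac.compare_digest(self.current_hash, self.factory_hash)

    def login(self, password: str, now: datetime) -> str:
        if not hmac.compare_digest(_hash(password, self.salt), self.current_hash):
            return "denied"
        if not self.uses_default():
            return "ok"
        if now - self.first_boot > DEFAULT_PASSWORD_GRACE:
            return "change_required"  # only the change-password screen is reachable
        return "ok_with_warning"      # allowed, but the user is prompted to change it

    def change_password(self, old: str, new: str) -> bool:
        if not hmac.compare_digest(_hash(old, self.salt), self.current_hash):
            return False
        new_hash = _hash(new, self.salt)
        if len(new) < MIN_LENGTH or hmac.compare_digest(new_hash, self.factory_hash):
            return False              # too short, or the factory password again
        self.current_hash = new_hash
        return True
```

The caller decides what `change_required` means in the interface; the point is that normal functions stay locked until the factory credential is gone.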
Adopt a data-centric attitude
A great deal of innovation in the IoT space stems from devices being able to collect and analyse previously ignored data – from the temperature of a home to the location of a vehicle. But data interception lies at the heart of a great deal of cybercrime. Adopting a data-centric approach to IoT product design means two things. First, being extremely precise as to which data actually needs to be collected – and not collecting any more than is required. Second, thinking about the data chain, from collection, through transmission, to storage and analysis – and ensuring that data is properly protected at each stage in that chain, using mechanisms like encryption and perimeter protections.
Consider the security of your partners
No new IoT business sits in a vacuum. The very nature of the Internet of Things depends on chains of businesses working together, from the manufacturers of connected devices, to the software developers that provide IoT analytics and management platforms, to the companies that deliver cloud and networking services. When starting a new IoT business, it is essential that you remember the security of your own offering is typically only as good as that of the businesses you are connected to. The same goes for any contractors or third parties you work with to actually develop your product. Hold all third parties to the same high security standard.