Minimizing IoT Security Liabilities

This blog post was originally published on the IoT Agenda Network.

While the majority of the work today in the internet of things is occurring in transportation, infrastructure and environmental sectors, many business consulting, marketing and consumer-focused companies are looking at IoT as an important pillar to successfully leverage (and monetize) big data.

IoT drives interconnectivity of businesses, people and technologies across the internal enterprise and their external ecosystems. As a result, businesses leveraging IoT face new lines of operations and business intelligence, as well as unique ways of delivering services and products.

With all of the internet-connected devices, sensors and appliances establishing unique benefits, many enterprises implementing pilot IoT services and deliverables will face corporate governance issues related to the collection of personally identifiable data.

As IoT devices are often connected to cloud-based computing systems and third-party infrastructure, companies will need to reexamine and expand or adjust security policies and protocols for data protection. Another complicating factor in standardizing and operationalizing IoT security practices is industry-specific regulation, such as HIPAA or NIST 800-171, that necessitates the establishment and continuous reinforcement of security controls.

IoT could change the security paradigm

The implications of privacy protection issues in the IoT arena have the potential to extend due diligence considerations for CEOs and board liabilities. The C-suite must determine and consider new accompanying liabilities, cybersecurity investments and the privacy implications of the information, data and analysis, both in the United States and globally.

Due diligence suggests that the C-suite should review privacy protection capabilities and claims by partners and providers to minimize liability risk. Whether the source is physical tools, marketing dashboards or streaming data analytics, corporate executives and IT leaders will need to consider which streams of information contain personally identifiable information (PII) or intellectual property. Beginning in December 2017, organizations must also consider the controlled unclassified information or controlled technical information that may be transiting their infrastructures.

The likely outcome of IoT enterprise integration will be the establishment of new information protection practices related to non-centralized computing at the “fog” and “cloud” locations. As a result, there will be a need for creative pre-engineered defenses, liability mitigation awareness and isolation techniques for meeting early-stage IoT business strategies. New aspects of reviewing and continuously improving training and awareness, risk assessments, auditing and accountability, and incident response communications need to become standard contractual requirements for IoT.

In most instances, these new practices will need to be designed into the system using virtual automated components to keep up with the flow of IoT, cloud and information. For many companies, integrating IoT will require further research and an understanding of how IoT interconnections conflate with cloud, business processes and PII.