The Internet of Things (IoT) is poised to be a transformative technology. As the inevitable result of boundless possibilities of the internet, it will generate and employ a vast sea of rich data on anything and everything that can be connected to a digital system — further dissolving the boundary that separates the online and offline worlds.
This connected future is realistically unavoidable (it’s already happening, after all). But it’s still some way off. And it’s an exciting time for startups willing to plan ahead. They can take some time to explore and experiment with IoT technology so that they get a grip of it before it becomes the standard.
But with the massive potential of IoT devices comes a similarly large array of risks. Especially when it comes to cybersecurity. But why? And what do startups need to know about the security of IoT technology before they fully embrace it? Let’s answer these questions.
IoT devices open up countless points of vulnerability
Imagine that you ran a large family business and heard about a cost-effective team of remote freelancers. If you hired them, they would greatly aid your operation without incurring significant costs or getting in the way. But could you trust them? It only takes one weak link to severely compromise a chain, after all. And you likely couldn’t rely on them to follow your security policies. Give someone a keycard to enter your office, and they could lose it, or have it stolen.
In much the same vein, the introduction of myriad IoT devices to a formerly-secure network greatly increases its exposure to danger. The communicative channels that must be left open for devices to exchange data could plausibly be co-opted for nefarious purposes, and small devices could be taken, modified, and replaced to leak data or serve as backdoors for later invasion.
And even if your devices are physically secured and your network is locked down, an IoT device can still pose a major threat, as we’ll see next.
Having a strong update system is mandatory
Every IoT device runs on a firmware that determines how it interacts with other devices and systems. And software of any kind can contain basic vulnerabilities. Any given operating system invariably hits the market with numerous security holes that are subsequently patched incrementally (often only after hackers have identified the issues). But patching is a complicated task for IoT devices.
Security updates can be carried out manually or pushed automatically. Although each method invites difficulties. Manual updating can be awkward enough for a standard office but becomes enormously more complex when accounting for greatly-expanded IoT device ranges. If just one device is overlooked, the vulnerability that required the update in the first place remains unresolved.
And while automatic security updating is more convenient, what happens if a device loses connectivity while its update is being pushed? You could configure a system to reject any device attempting to communicate while using outdated firmware. But that could be tremendously impractical if not arranged optimally. Finding the right balance between security and operational viability is a challenge at the best of times.
We’re awaiting a robust IoT security standard
The legal world has yet to fully catch up with matters of personal data privacy (the implementation of GDPR earlier this year was a notable advance, but not a global solution). It should come as no surprise that there are currently no security standards for IoT setups. This is in itself a reason for concern. If you moved too heavily towards using IoT devices and suffered a security problem, there would be no protocol for addressing it. What right would you have to seek compensation from the provider of a vulnerable device? It would need to be argued at length in court since this remains unexplored ground.
At the very least, efforts are being made to introduce laws and regulations that can cover this area. The U.S. Congress read the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 last year. The U.K. government is aiming to move more responsibility for IoT device security from the end users to the manufacturers. But this consideration doesn’t amount to tangible progress, and it’s probably going to be a while before we see anything implemented. The GDPR didn’t come into effect until over two years after it was finalized.
Hopefully, we’ll reach a point at which investing in a range of IoT devices and IoT technologies will be no different from buying a website for your business. The important factor will be the provider and choosing a trustworthy tech company will be enough to ensure that all major security issues are handled on your behalf.
You should experiment with IoT technology — but carefully
It wouldn’t be unreasonable to conclude from everything we’ve looked at thus far that IoT technology should be avoided entirely. That is until all the technical and legal quandaries have been solved. But I suggest going down a different route.
Instead of factoring IoT devices into your fundamental business model, look at them as interesting accessories — use them for entertainment or light assistance in areas that don’t require high security.
Having a full-fledged and all-encompassing IoT-driven business today isn’t actually all that valuable. There are various reasons for this:
- IoT technology feeds off connectivity, and until the tipping point at which it becomes standard fare, its broader applications will be limited.
- At this early stage, it could cause confusion and introduce more problems than it solves.
- By the time IoT systems become mainstream, the hardware will have significantly matured, so an early investment is unlikely to provide lasting value.
The best thing a startup can do to prepare for an IoT-driven future becomes familiar with the concepts and the technology. Play around with ideas to identify ways in which you might be able to bolster your business with IoT technology down the line and create closed networks with secured devices to get a feel for how they work.
Any ambitious startup (in the tech field or otherwise) can benefit most extensively from preparing for the IoT revolution without trying to make it broadly workable today. If you keep an eye on the industry, you can stay apprised of its level of maturity, and identify the point at which it is secure enough to be fully embraced.