The Internet of Things connects a wide variety of devices – from kitchen appliances to smartphones – to the Internet and to each other. Through sensors, software and processors, these devices then exchange information to perform certain functions, making everyday tasks simpler by learning and anticipating users’ needs.
The convenience and services consumers seek from their IoT devices require “fuel”—and that fuel is data. IoT devices are constantly collecting and exchanging sensitive data. Therefore, a pressing priority for any company producing technology for the IoT is data security. Below, 16 members of Forbes Technology Council share strategies to help IoT companies ensure the best possible data security in their newest products.
1. Implement Zero-Trust security
IoT providers should implement a zero-trust security paradigm that requires teams to eliminate implicit trust that bad actors exploit for attacks. It should be applied to all areas of IoT ecosystem design and implementation, increasing product security posture. – Raj Utraja, Gore Mutual Insurance
2. Prioritize the security of your operations and those of your suppliers
Manufacturers cannot protect customer data without securing their own operations. In addition to IT security measures to protect customer data, companies using IoT technologies must prioritize the security of their operations and their suppliers through strategic partnerships and broad collaboration. Visibility and monitoring are key to ensuring business continuity. – Ryan Moody, ABS Group of Companies, Inc.
3. Secure data throughout its lifetime
For IoT companies, security needs to be considered from the start, and data security means looking at how data can be secured throughout its lifecycle. Security must be considered when data is generated and collected, and when and where data is transmitted and stored. Policies should be developed and enforced for the secure use of data throughout this process. – Tim Lew, Hillstone Networks
4. Examine device, network, and support system vulnerabilities
There is no “one size fits all” approach. Risk must be mitigated across the entire IoT lifecycle to include vulnerabilities in devices, networks, and user and customer support systems at the individual level. Encryption should be used judiciously at each data point. – Bankim Chandra, Dotsquares LLC
5. Add a cybersecurity SME to your design team
The key to ensuring your products are secure is to design with security in mind from the start. Your product team should include a cybersecurity expert. They should participate in the design discussions, daily standups, and code reviews of any new product or any new feature added to an existing product. – Jeffrey Ton, InterVision
6. Continually evaluate security and reliability
The IoT application platform must be “bulletproof”. Almost all of today’s technology-based cyber threats exploit vulnerabilities in application and operating system code. An IoT developer must constantly evaluate the security and reliability of their product, end-to-end. Additionally, they must collect cyber information from the dark web about their product and embedded components. – Howard Taylor, Radware
7. Encrypt data in use, in motion and at rest
In addition to building a thorough human culture of cyber readiness, all companies producing IoT technologies should encrypt data in use, in motion and at rest. The data should also be physically “air-gapped”, meaning backups should be stored offline and off-site. – Tara Anderson, Frame safety
8. Take an end-to-end security approach
Due to the complexity of IoT, CIOs should take a comprehensive security approach to keep IoT solutions secure. I recommend determining your current security maturity model level first. Then determine the actions needed to move to the desired stage while addressing tactics, issues, and needs based on the gaps. At Microsoft, we follow the IoT Security Maturity Model practitioner’s guide. – Pablo Junco, Microsoft
9. Choose the appropriate cryptography based on your use case
Encrypt everything, everywhere, anytime. This means encryption at rest, in transit and, when possible, in processing, using cryptographically sound cipher suites. It’s also important, however, to choose the right cryptography for your use case—knowing when to use stream versus block cryptography so you don’t destroy performance. You don’t want a fantastically safe product that no one uses. – Saša Zdjelar, Salesforce
10. Make sure your data storage services have a proven track record
It is absolutely essential for a company to know where their customer data is stored. In the absence of in-house capabilities to provide top-notch digital and physical security for proprietary data, external services can be leveraged. But make sure the company providing these services has a proven track record of maintaining a high level of data security. – Chidan Shah, Brainvire InfoTech Inc.
11. Anonymization of Sensitive Data
Companies need to protect data at the source, and for an IoT company, an effective approach is to integrate data-centric protection into the analytics pipeline. This means anonymizing sensitive data using masking, encoding and encryption depending on how that data is used downstream. Protecting data when it is created and throughout its lifecycle helps companies comply with data privacy laws. – Ameesh Divatia, Baffle, Inc.
12. Work closely with hardware manufacturers
Work closely with IoT chip and firmware manufacturers. These companies invest in PSA Level 3 certifications and use advanced techniques such as physical functions that cannot be cloned and separating the IoT device operating logic from the software. Leverage the smart people in the hardware world to beat the script guys. – James Bickham, ALTR
13. Allow only authorized access to data via Zero-Trust, End-to-End encryption
With the increased use of IoT these days, enterprise systems are more susceptible to data breaches as threat landscapes evolve at a rapid pace. The only solution to this is zero-trust, end-to-end encryption that allows only authorized access to data. The use of smart devices and embedded systems along with IoT gateway encryption and cloud data centers with remote servers is essential. – Dharmesh Acharya, Radixweb
14. Hire third-party security experts and auditors
There must be a multifaceted approach to all new developments. Have a security expert as part of the team—they should be involved in the entire program, from architecture development and design to code reviews and product releases. Also, consider using an external third party for pen testing and any other security testing that makes sense. Finally, pay an independent third party to hack the program. – Jay Marshall, EyeLock LLC
15. Create the need for regular password updates
Make sure you have a process in place that prompts the user to change their password to one that contains letters, numbers, and special characters and to update it every 60 to 90 days. This will ensure that the user’s data is protected on the device. – Margarita Simonova, ILoveMyQA
16. Establish Transparent Data Security Policies
Data protection will define the future of IoT. Sensors are constantly generating and cross-referencing data. A transparent policy for handling cybersecurity issues, overseeing access to devices, and determining the physical and logical identification of devices—as well as conducting regular audits—is key. With six IoT devices for every person on the planet, the streamlined data processing that is IoT leaves no room for error. – Robert Strzelecki, TenderHut