Three Ways to Reduce Risk While Transitioning to IoT

The Internet of Things is redefining security, risk and cost at many public and private enterprises. Thankfully, new best practices for risk mitigation, privacy protection and cloud management have emerged.
By Maria Horton

This transition poses a host of new threats and challenges. New access points, new transmission types and new data storage centers all provide ways for adversaries to infiltrate the system and steal your most valuable data, intellectual property or trade secrets. Technology teams will need to implement a completely new approach to security, and can no longer simply buy a plug-in or an add-on to an existing system for protection.

Commit to Next-Generation Risk Assessments
From a business perspective, ongoing assessments of risk and regular reviews of security processes and policies are necessary to demonstrate due diligence in protecting the data. Risk assessments for IoT devices will likely require the inclusion of specific metadata controls—derived information controls, including designations of data ownership and/or claims of non-responsibility for third party information uses. These risk-assessment methodologies will likely undergo the most change during the next one to three years as implemented IoT technologies provide new lessons learned and case studies. Additionally, new security controls and processes will be required, as well as a greater awareness of complex and compounded risk management.

Liability, financial penalties and costs will also become more directly assessed as part of IoT-related risk.

Understand Emerging Obligations for Data and Privacy Protection
From a big-picture perspective, the global debate regarding the meaning of privacy in a world of greater transparency has only just begun, and businesses have yet to adapt to new trends and regulations. Technologies like the IoT are redefining the rules around data ownership and protection. Key to this transition will be any regulations from the Federal Trade Commission (FTC) on consumer protections.

As the FTC and other compliance-setting agencies define tighter rules surrounding data privacy, businesses need to understand their obligations and liabilities. The true IoT end-users—business divisions, marketing groups, and other internal and external service groups—will consume smart technology and enterprise data in new ways. The managers and administrators of IoT systems need to be adequately informed regarding how the data is being collected, who has access to it, and how it's being stored and secured, in order to protect privacy agreements and proprietary information.

Similar to the Cybersecurity Framework, established by NIST, that offers common standards and foundational security best practices, the government can be instrumental in guiding the formation of IoT security controls. Much like the implementation of the first Federal Information Security Management Act (FISMA) of 2002, there will be some struggles to address governance, compliance and adaptations to the guidance currently in effect. To accomplish that, government agencies will, first and foremost, need to learn from their past and lead by example.

Maria C. Horton is the president and CEO of EmeSec, a cybersecurity professional services firm. Horton founded EmeSec in 2003 after retiring from her post as a CIO of the U.S. Naval Medical Center.

Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations