No software is 100% secure, and Internet of Things technology is no different. However, because of public perception it is even more important for the IoT industry to find “adequate” safety standards to meet businesses’ and consumers’ cybersecurity needs.
During my discussions with the experts who will be on the panel at the IoT session at DLA Piper’s European Technology Summit on 28 September 2016, among the most keenly anticipated topics is the need to ensure cybersecurity of IoT devices and address misunderstandings around the ability to create totally secure systems.
Recent news stories about connected cars being hacked were hardly positive PR for IoT technologies. But is hacking just an issue for IoT, or is cybersecurity a broader issue?
There is no 100% secure software
According to a report by Symantec, there were more than 430 million new malware variants in 2015 with 318 total data breaches and more than 429 million identities exposed to cyberattacks.
Despite companies’ investments in cyber security, there will always be bugs in software – which represent potential avenues for cyberattacks. Besides, most cyberattacks are caused by human error. Therefore, security measures can never be enough if they are not accompanied by adequate internal policies that prevent misconduct.
Excessive security standards cannot be imposed
The data above shows that the risk of a cyberattack
is not a question of if, but when
for any company. The negative publicity around IoT may, arguably, be due to cultural issues rather than higher risks. However, some argue that addressing potential cyber-risk issues caused by cultural issues should not be a financial burden to be shouldered by IoT companies.
If the security measures required for IoT companies are too costly, they will become a barrier to entry to the market and would prevent some IoT companies from launching products. And no amount of investment will make a company completely immune to cyberattacks.
One possible solution is for manufacturers to offer – or be obliged to provide – insurance to customers, as some car manufacturers are planning to do for driverless vehicles. But who will pay for such additional cost?
Security standards have to be adequate and certain
The EU General Data Protection Regulation requires companies to comply with a security standard that is “adequate” for the risk arising from processed data. And with sanctions for the breach of such obligation up to 4% of global turnover, the question is what is an adequate standard of security?
A standard of security might not appear to be inadequate just because there are very skilled hackers able to attack it. At the same time, the industry cannot afford such uncertainty – and it cannot afford too costly standards.
The IoT industry needs certainty. This might be achieved by setting standards of security and of internal organisation that are validated by public authorities and become a certification requirement for IoT companies.
Compliance with the required certification would represent a substantial protection against claims for companies investing in IoT. At the same time, it will become easier to spot those that do not comply with such standards and need to be sanctioned without waiting for next smart hackers.
If you found this article interesting, please share it on your favourite social media!