IoT: Customer Security Concerns & Solutions

Since the first usage of the term in 1999, Internet of Things (IoT) has come a long way.

Present day IoT Development is inevitable in situations where an internet connection and computing abilities can be extended or applied to all kinds of sensors, devices and things of everyday use.

From driver-less cars, recipe-suggesting refrigerators, efficient electricity regulation through smart algorithms in residences, restaurants and public places, wearable gadgets that track your daily activity routine, IoT is here to stay.

At the same time, customer data protection is a major concern.

Widespread use of IoT devices makes customer data more vulnerable to easy access and misuse.

Prominent IoT workshops have lead participants to hack into a car's internal network without getting into the vehicle. Another participant hacked into two different remotely-controlled insulin pumps that then ceased to deliver medication. Similarly, intrusive access to fitness products can help track the user's exact location and thus endanger their lives.

This article discusses how the privacy of financial records, health details, personal information, etc. are at risk. It's also interlaced with survey findings about top consumer privacy concerns with regard to data selling, storage, access, and individual customer privacy. Respondents rated each of the concerns on a scale of 1 to 5. 

(Statistics sourced from Altimeter, a research and advisory company & Pew Research Center Study.)

Technology & Privacy

• 54% of the respondents' prime concern was how the data was being used to garner customer support.
• 53% wanted to know if the data was being used to innovate or improve.
• 52% wanted to know how did the data collectors identify them as part of the group.
• 58% of respondents were discomforted with the thought of data commercialization (selling user data).

Security has to play an all-inclusive role, right from inception to the product's design and application.

Below are precautionary measures to be taken to account during the creation of a device or custom software application that uses IoT:

• Initial Caution: Software authenticity can be verified using digital signatures. Just like a person's signature is valid for a legal document or a check, a digital signature ensures that only authorized software will be installed on a particular device. Precautionary measures can thus be implemented with the device still requiring protection from data-breaching elements.
• Access Protection: Access control systems are built into an operating system to allow the use of select resources required for the application. Even if any particular component is exposed, access control will ensure that the intruder gets minimal access to other system sections. Access control in devices corresponds to the mechanisms in network-based access control (Microsoft Active Directory, etc.). It implies that even if network access is gained through stolen credentials, information will be limited to the person's authorization areas. A security breach can thus be minimized by keeping individual access rights to the minimum.
• Authentication: When a device is connected to the network, auto-authentication is a key requirement. Especially before transferring or receiving data. Machine authentication is how we can ensure that devices are correctly identified before authorization. This can be done even as network access is allowed to the device, stored in a dependable, safe storage area.
• Protocols and firewalls: A firewall is imperative for traffic control, especially if device performance is directly related to it. A deeply-embedded device will have distinct protocols, different from enterprise IT protocols. For example, a smart energy power system will have its own device communication protocol. Protocol filtering specific to an industry to pick malicious payloads hiding out in non-IT protocols is another suggested step. The device specifically needs to filter data meant for termination on that particular device. This also ensures the efficient use of available computer resources.
• Updates & patches: Once the device goes live, software updates & security patches will be a constant recurrence. Again, device authentication while validating these updates is a key step. That minimum bandwidth is consumed and device safety is not compromised, is another priority. At the same time, functional safety has to be safeguarded, even as the user experience of numerous visitors remains unaffected.

Learn how IoT is bringing in new challenges for wearable technology.

Security as Work Culture

• 78% of the respondents were concerned with where would their data be sold.
• 73% primarily wanted to know where the data would be stored.
• 68% were primarily concerned with how they would be identified as individuals.
• 67% wanted to know for how much duration the data would be analyzed and who would be doing it.

It's generally agreed upon that IoT product companies are responsible for safeguarding customer security. Defining the security level is another thing altogether though.

Security level depends on several factors, like data quality, sensitivity, and possible security solution costs.

But first, companies must think a step ahead, assess privacy and security risks prior to the product set up:

• Narrowing down data collection and retention. Implementing and testing security measures before going live.
• Enforcing cybersecurity as a work culture requirement will filter down to the employees, only if precautionary measure-training is initiated.
• Creating a multilevel security layering post key risk area identifiers.
• Limiting customer network, data, and device access to select authorized employees.
• Continuous monitoring of safety precautions, patching up any security gaps during a periodic process of security checks.

For more tips on setting up a cyber security culture at work.

Resourceful Data Use

• About 66% wanted to know how the company obtained the data.
• 61% wanted to know when and how did they consent to sharing data.
• About 59% wanted to know how was the data used to customize marketing.

Collecting data, doing away with whatever is redundant is an effective trim way to protect customer data. The counter-argument is that relevant data may be sidelined in the process.

• The pro-argument: data hackers are unlikely to come after smaller data chunks. Company policy can be so framed that data collection becomes a restrained, planned process, while future data usage is predicted.
• Data collection, relevant only to the service or product on offer, in connection with its business goals is an option too. But then, limited data search doesn't guarantee data protection.
• A software framework with data collection perimeters set (what data is to be 'permitted' and 'prohibited' presets) is another feasible solution.
• Finally, if product or service providers don't find other methods useful, searching for data based on customer feedback can provide them with additional data layers.

Read about three key security challenges that IoT is confronted.

Statistics: Customer Security in an IoT-Driven World

A recent survey conducted on a select group of Americans revealed the following facts:

• 54% found the surveillance camera acceptable in the workplace to prevent workplace thefts.
• 52% accepted that a doctor could utilize a website to manage patient records and schedule appointments.
• 47% found it acceptable to use retail loyalty cards, that offered discounts on purchases while keeping track of customer purchasing habits and selling the same to third parties.
• 37% would allow insurance companies to place a monitoring device in their car to collect driving habits data, in return for discounts in insurance.
• 27% would allow a thermostat to be installed at their residence to track customer's movements within the house, learn your temperature zones and thus save on your electricity bill.

Summary

IoT devices are steadily finding acceptance. However, violations of customer privacy are an enduring threat for devices that extract and use customer data.

The chances of potential damage due to data sharing remain as unfavorable as ever. How will IoT devices evolve to counter the looming threat?