Over 60% of attendees of the iaconnects webinar hosted by EnOcean selected security as one of the main blockers for getting an IoT project off the ground.
Security in IoT projects, from Proof of Concepts (PoCs) to full-scale rollouts, has traditionally been a significant factor in delaying or preventing deployment. There can be several reasons for this:
- Potential intrusion of privacy for employees
- Potential for compromising existing information security policy
- Poor engagement between IoT project owner and information security (infosec) department
- IoT products have a poor security reputation
Potential intrusion of privacy for employees
Employees may not be particularly happy about monitoring of desk, room or common area occupancy, fearing that they are being "spied on" to check how long they are working. In reality, most organisations install these solutions to benefit the employees themselves, e.g. by giving them the ability to book a desk or meeting room. However, even if solutions provide a benefit to employees, any that include elements such as camera-based devices could potentially be in breach of GDPR if employees are not informed that these solutions will be installed.
Potential for compromising existing information security policy
Existing policies or procedures covering the transfer of raw or processed data outside of the company’s networks or infrastructure, or the installation of unapproved equipment, may well be a blocker. This may be seen as stifling innovation versus protecting the business. Both are valid approaches, and a mature approach to risk assessment and management is the best way to forge a path forward. Overcoming this in practice is best done with early engagement between the policymakers and the business units that are hoping to deploy the IoT project. Focus on the business needs or benefits rather than the technical solutions to drive the conversation in the right direction.
Poor engagement between IoT project owner and information security (infosec) department
Integrating with existing enterprise networks, although it increases engagement time and costs, provides control and visibility of solutions to the infosec department. This is becoming an ever more popular way of working. However, before embarking on such a process, it is critical that the IoT project owner and infosec department are aligned.
IoT products have a poor security reputation
IoT products can often have less stringent testing and quality assurance (QA) processes than traditional enterprise IT technologies, and therefore have a poor reputation. Successful Proof of Concepts (PoCs) are the best way to combat this poor reputation, so set them up in a way that makes it hard for them not to succeed in delivering their planned goals. Doing this at a small scale, say one floor or a small business unit, is much easier than trying to engineer a company-wide solution. In doing so, though, be prepared to undo some of that PoC's work in order to scale it out. This should be viewed not as a backward step but as one of iterative improvement of the solution.
How can you overcome security concerns when building IoT solutions?
All the aspects described above should be considered from the very start of the project. Some key points to consider include:
- Include multiple stakeholders in the planning and decision-making process
- If an organisation will only allow certain device types on the network, only specify those products that will be accepted
- Build a solution that is in line with existing infosec policies
- Run a small PoC before a full-scale rollout to iron out any unexpected issues and update the full-scale solution accordingly
- Contact iaconnects so we can help you understand your needs and use our MobiusFlow software as the control layer for your IoT projects
MobiusFlow is an IoT Edge Platform developed over the past 15 years by IAconnects Technology Ltd (iaconnects) to allow non-manufacturer specific connectivity of the internet of things (IoT) to the cloud or local computers. It can work in the cloud, on closed secure networks, Wi-Fi based systems or utilise its own data connection (3G/4G) when used in conjunction with IA’s custom hardware. You can find out more about MobiusFlow here.