By Simon Langton, Head of Innovation and Technology, Intrinsic Technology
I worry that we are starting to suffer from Internet of Things (IoT) fatigue. So much has been said and written about these new connected technologies, yet they have so far had little impact on the vast majority of the population. While many connected consumer devices still lie in the future, every business needs to prepare for the potential compliance nightmare that the Internet of Things represents.
It’s very easy for businesses to think that the IoT is irrelevant to them: while sensors embedded in jet engines might be a critical part of, say, an aerospace enterprise’s operations, what possible use could connected devices be to an actuary, a bank or a recruiter? That could be a dangerous way of thinking, because every organisation will be affected by the Internet of Things.
They might not rely on connected devices in their line of business, but as consumer IoT technologies become commonplace in the home, employees will be accessing their connected security systems, smart meters and building automation technologies through web or mobile apps. The first generation of connected consumer devices represents a significant security risk because it is unlikely to incorporate the safeguards, such as monitoring and patching, that the corporate world demands of its IT equipment.
When IoT traffic crosses corporate networks (for example, when employees interact with their home devices from work devices) it risks leaking confidential business data, creating significant compliance problems. And that’s why the Internet of Things is everybody’s business.
How does the organisation know that these employee devices are not compromised? What are the rules about accessing connected technology from work? How does this affect compliance? Given that many IoT devices will be running embedded firmware, designed and built by a multitude of manufacturers who have no incentive to patch systems once they have been shipped, how can we prevent the Internet of Things from turning into BYOV (“Bring Your Own Virus”)?
Businesses that start to plan a corporate compliance strategy today will be better placed to avoid the potential pitfalls of the Internet of Things. The good news is that this won’t require an entirely revolutionary approach. Existing compliance frameworks will already cover many of the important requirements. Nevertheless, there are likely to be several significant differences.
First of all is the issue of devices such as Google Glass that are specifically designed to record information. Much has been written about the dilemma surrounding correct etiquette for this type of wearable technology (with even Google telling its users: “Don’t be a Glasshole”), but businesses must also establish when it’s appropriate to use connected devices in various physical locations, and whether or not enforcement is possible.
One possible solution is to use the higher positional accuracy that Europe’s Galileo satellite navigation system is expected to offer. This could enable organisations to block devices’ recording function in sensitive locations within the business, such as the laboratory or the boardroom, while leaving recording available in other parts of the premises. The caveat is that such geofencing only works if the device itself honours the restriction: the organisation controls neither the firmware nor the positioning data the device reports, so this is a convenience for co-operating devices rather than an enforcement mechanism against hostile ones.
In the short term, however, there will be few technical tools for enforcing compliance. The problem with new consumer technologies is that they often do not take account of issues such as security and compliance. Given the lack of consumer demand for device security, and considering the cost and complexity of developing and integrating these features into the finished device, it is not surprising that manufacturers try to save costs and time by leaving them out.
Organisations need to undertake a review so they can establish when, where and how they want to block or enable connected devices. They then need to look at what systems – whether technological or disciplinary – can realistically provide the necessary protection before deciding on whether to allow the use of connected devices, including wearables. If an organisation decides that the Internet of Things simply presents too much of a security risk, it will be perfectly within its rights to ban the use of these devices on corporate networks and premises.
Paradoxically, if a large enough proportion of businesses restrict the use of connected devices, it could prove to be a much needed fillip to the IoT. After all, if workplace bans become the norm, manufacturers will have a strong incentive to incorporate functions that help organisations to identify the device that is accessing their networks, rather than just the person using it.
These will include device access controls such as enrolment and device certificates, so that only trusted, registered devices can connect, regardless of who is holding them. What’s more, as connected devices proliferate, we need to acknowledge the problem of ‘chaining’ via mobiles. A smart watch might be barred from the corporate network, yet if it is paired to its owner’s phone, and the phone is allowed on, the watch has a backdoor into the business.
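The enrolment-plus-certificate idea above, as an added example in Go that is not part of the original article or of any Intrinsic Technology product. It assumes a hypothetical corporate device CA, constructed device names (“smartwatch-0001”, “smartwatch-0002”) and an enrolment registry keyed by the SHA-256 fingerprint of the device certificate; all keys and certificates are generated in memory so it runs offline. Three cases are checked: an enrolled device, a device with a certificate validly issued by the corporate CA but never enrolled, and a rogue device presenting a self-signed certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for template, signed by parent/parentKey.
// When parent is nil the certificate is self-signed with its own fresh key.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// fingerprint is the SHA-256 of the DER certificate: the enrolment key for a device.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// DeviceRegistry holds the corporate device CA and the enrolment list (hypothetical).
type DeviceRegistry struct {
	roots    *x509.CertPool
	enrolled map[string]string // certificate fingerprint -> asset label
}

// Authorize admits a device only if its certificate chains to the corporate CA
// AND its fingerprint has been enrolled. A valid certificate alone is not enough.
func (r *DeviceRegistry) Authorize(presented *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: r.roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("not issued by the corporate device CA: %w", err)
	}
	label, ok := r.enrolled[fingerprint(presented)]
	if !ok {
		return "", fmt.Errorf("certificate valid but device %q is not enrolled", presented.Subject.CommonName)
	}
	return label, nil
}

func template(serial int64, cn string, ca bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if ca {
		t.IsCA, t.KeyUsage = true, t.KeyUsage|x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// RunScenario builds the CA and three devices and returns the access decision for each.
func RunScenario() (map[string]string, error) {
	now := time.Now()
	caCert, caKey, err := newCert(template(1, "Example Corp Device CA", true, now), nil, nil)
	if err != nil {
		return nil, err
	}
	watch, _, err := newCert(template(1001, "smartwatch-0001", false, now), caCert, caKey)
	if err != nil {
		return nil, err
	}
	unenrolled, _, err := newCert(template(1002, "smartwatch-0002", false, now), caCert, caKey)
	if err != nil {
		return nil, err
	}
	rogue, _, err := newCert(template(7, "smartwatch-0001", false, now), nil, nil) // self-signed impostor
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	reg := &DeviceRegistry{roots: roots, enrolled: map[string]string{fingerprint(watch): "asset 4471 (smartwatch-0001)"}}
	results := map[string]string{}
	for name, c := range map[string]*x509.Certificate{"enrolled": watch, "unenrolled": unenrolled, "rogue": rogue} {
		if label, err := reg.Authorize(c, now); err != nil {
			results[name] = "REFUSED: " + err.Error()
		} else {
			results[name] = "ALLOWED: " + label
		}
	}
	return results, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"enrolled", "unenrolled", "rogue"} {
		fmt.Printf("%-10s %s\n", k, results[k])
	}
}
```

Note what this does and does not solve. The rogue device is refused because its certificate does not chain to the corporate CA, and the second watch is refused even though its certificate is genuine, because enrolment is a separate, revocable decision. It says nothing about the chaining problem in the paragraph above: a registry like this only sees the device that presents the certificate, so a non-enrolled watch relaying through an enrolled phone is indistinguishable from the phone.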
We must also solve the dilemma of security versus usability. The Internet of Things is geared around quick and easy access such as voice control. The corporate standard for secure access is strong authentication, so we need to find a way to combine usability with security. This is already possible through technologies such as biometrics-based two-factor authentication, but it needs to be embedded as standard on connected devices.
Furthermore, there is the issue of how effectively compliance requirements can be passed on to the cloud services that power IoT technology. The Internet of Things will multiply the amount of data that is created, transmitted and stored; how this is monitored, and who takes responsibility for this information, will be critical to wide acceptance of the IoT in businesses.
These are just some of the issues that need to be addressed before connected devices are tolerated by enterprises. The problem for device manufacturers is that they cannot necessarily anticipate these issues. If businesses collectively undertake a review of potential compliance problems caused by the IoT, however, then manufacturers will understand how to make their devices acceptable for the enterprise.
If the move to BYOD has shown us anything, it is that businesses cannot afford to take a ‘wait-and-see’ approach. Organisations must be prepared for how the Internet of Things will affect them, even if the devices themselves are not yet in their workers’ pockets, their kitchens and their cars.