There’s no doubt that emerging technologies are improving both the lives of individuals and the opportunities for businesses around the world. What is in doubt is whether those technologies can be trusted with our security and privacy.
Internet of things (IoT) presents a particularly tough dilemma, because each of the thousands, millions or billions of “things” that collect and transmit data can pose a security or privacy threat, potentially infiltrating a corporate network and exposing confidential information. To prepare and defend themselves, their customers and their employees, companies need to rethink their existing IoT security and privacy practices.
Balancing these potential risks are IoT’s abundant benefits: gaining customer insights, increasing revenue and profits, enhancing customer experience, boosting employee productivity, developing more innovative products, upgrading cybersecurity, improving decision-making, strengthening supply chains and enhancing business operations.
The question this risk-versus-reward dilemma raises is: Are the documented benefits of IoT worth the potential risks? According to 93 percent of approximately 1,000 US executives recently surveyed, the answer is a resounding “Yes!” For them, the rewards definitely outweigh the risks. However, these execs are not so blinded by IoT’s opportunities that they ignore security and privacy threats. In fact, the majority of companies surveyed are taking, or planning to take, steps to mitigate these risks.
Taking action to manage risks
The executives surveyed acknowledged that they are undertaking — or need to undertake — effective measures to deal with IoT-based privacy and security threats, but some companies are being more aggressive in this area than others. In cybersecurity, for instance, 80 percent of the most proactive firms, whom we call trailblazers, are taking steps to build trust, compared with only 38 percent of companies that are slower to move on this. In the area of privacy, 69 percent of trailblazers — but just 31 percent of laggards — are enacting measures to mitigate threats.
Trailblazers are also far ahead of laggards in dealing with critical data issues, such as integrity, reliability and accuracy; IoT’s impact on the workforce; its impact on a company’s brand and reputation; the potential impact of future laws and regulations; and AI bias, ethics and legal issues.
The specific actions that these executives — especially in the trailblazer companies — have taken to enhance security and privacy cover a wide range of areas. Half of all the survey respondents have built in security at the start of an IoT initiative, and close to half have trained employees on IoT security requirements (48 percent) or implemented policies specific to IoT security (47 percent). Only 2 percent have not taken any steps to increase IoT security.
When it comes to protecting employee and customer privacy, the top actions taken by these executives include implementing a data privacy policy (43 percent), enhancing security to prevent breaches of personal data (41 percent), and designing security and privacy into IoT products (41 percent). Only 1 percent have not taken any actions to deal with IoT privacy concerns.
A changing regulatory landscape
The surveyed executives are also concerned about IoT’s place in today’s ever-changing regulatory environment. The landscape changed dramatically in May 2018, when the European Union introduced the General Data Protection Regulation (GDPR), which demands data protection and privacy for all EU citizens, while also addressing the issue of transferring personal data outside the EU. Following GDPR, more than 80 countries have enacted privacy laws, and a growing number of US states have introduced privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA).
Regulatory challenges are particularly complex for companies that have an IoT system that houses data from different states or countries, especially if the data is stored in clouds based in different nations. Yet, the majority (56 percent) of the survey executives think privacy regulations such as the GDPR and the CCPA will have a positive impact on IoT deployments, while only 13 percent believe they will have a negative impact.
Almost half of the companies have already begun taking steps to respond to these and future privacy regulations. For example, 47 percent of the executives said they’re implementing new practices across their organization, 45 percent are engaging with regulators, 44 percent are changing privacy policies in their company, and 44 percent are working with others in their industry to address privacy issues.
Planning for the future
It’s clear that privacy, security and regulatory concerns are affecting internet of things deployments, but it’s equally clear that most organizations are not going to let these worries derail their IoT initiatives. They’re excited about the business opportunities IoT offers and are willing to take the actions required to allay the concerns of customers, employees, partners and regulators.
By responding proactively to security, privacy and regulatory challenges, these companies will build — virtual brick by virtual brick — trust in the IoT.
About the author: Jocelyn Aqua is a Principal with PwC US, based in Washington, DC, where she provides guidance to companies on the intersection of privacy, cybersecurity and regulatory risk. She is a former US government privacy officer with over 20 years of public and private sector data privacy and cybersecurity experience. Aqua advises global companies on data governance, data protection and data transfer strategies, and is a frequent lecturer at universities and national conferences on privacy law, data protection and cyber threat information sharing.
Edited by
Ken Briodagh
