IoT security - could telcos hold the key?
Security is vital for IoT
Although estimates of the number of IoT devices there will be in the future vary, there is a consensus that it will be in the billions by 2020. These devices will be present in our homes, making everyday life more convenient, and across critical infrastructure making cities, hospitals and industries more efficient.
Although this future vision is attractive, it is not without risk; IoT devices could be compromised by hackers, who may want to steal personal data, or even take remote control of connected devices. Recent examples of connected cars being hacked, or the notorious security breach of Ukraine's power grid in December 2016, highlight the severity of the risk, and deter both consumers and enterprises from adopting IoT. Therefore, for the IoT to reach its potential and scale, improving security should be a top priority.
But with numerous companies offering IoT security, from chipmakers to security consultants, using different approaches, two key questions arise: How can the issue of IoT security be solved as efficiently as possible to accelerate industry growth, and who should be leading the charge?
But practices vary
At MWC this year we spoke to a wide variety of IoT market players, and although everyone agreed that better security is essential for growth, people are approaching the problem in different ways. For example, Rohde and Schwartz demonstrated a mobile radio tester that checks whether data sent by IoT devices is encrypted, and Ericsson displayed a trial IoT security portal which identifies data theft threats.
Meanwhile, PwC recently expanded its cybersecurity consulting service in the US, working with a range of IoT providers to promote the 'security by design' concept. 'Security by design' is the idea that security should be considered from conception of a device idea, and should be implemented from the beginning, and throughout, its design process.
In addition to differences between individual companies' IoT security practices, there are also geographical differences to consider. For IoT use-cases like autonomous vehicles and asset-tracking to work globally IoT security systems need to be interoperable across jurisdictions and geographic boundaries. There is currently a flurry of activity around this area, with different countries and organisations releasing their own guidelines and proposing IoT standards, but these need to be unified to avoid hindering innovation and industry growth.
Who should lead IoT security development?
There is hesitance to place sole responsibility for IoT security and standards development on any one organisation or industry. In truth, since governments, manufacturers, telcos, consumers and the wider industry are all involved in the life cycle and landscape of IoT, there is shared responsibility. The challenge is that this dilutes accountability, and one area of agreement we heard at MWC about how to improve security in such a fragmented market was the need to implement security by design, rather than retrospectively.
Implementing security measures retrospectively is not only more expensive in financial terms, it can also damage your company's reputation and take a long time to recover from. Instead, security should be incorporated during the design process, which requires a significant change in mind-set and incentivising different stakeholders in the production chain to implement security by design.
For instance, players lower down in the supply chain of IoT devices and connectivity have less incentive to prioritise security by design, either because business models do not prioritise security, or, because as relatively unknown names among consumers, they are less exposed to the consequences of a security breach. In this context, stronger agreement on best practices and standards would help to encourage a more secure IoT ecosystem, with security a priority in the design process.
What's in this for telcos?
There are several ways in which telcos could play a key role in IoT security.
First, large, multi-national telcos experimenting in IoT who have the financial resources and capacity to implement the 'secure by design' concept can lead the way and influence their partners to also adopt these practices. Engaging with the developer community through hackathons has become popular practice to boost IoT innovation - telcos could host such activities and at the same time encourage these IoT start-ups to see security as the cornerstone of IoT growth.
Secondly, with their experience of developing global, interoperable technology and communications standards, telcos could play an important role in helping standardise IoT security, which would encourage the growth of the entire industry. Fears over data privacy and security are key barriers in IoT adoption, especially in consumer areas such as the smart home.
Related to this, there is an opportunity for telcos to establish themselves as "trust brokers" within the IoT ecosystem - something that we will explore more in an up-coming report. Accenture's 2015 Digital Consumer Survey showed that telcos are considered amongst the most trusted companies regarding customer data privacy. Of course, telcos must ensure they prioritise IoT security and privacy to maintain trust in their brands, but they can also leverage this reputation to develop and sell security products and, in some cases, security consulting services for their IoT customers and partners.
In short, without appropriate, interoperable IoT security, the global IoT market will not reach its full potential. Telcos not only enjoy a position of trust when it comes to handling customer data, they also have the international experience and influence to lead the market in implementing 'security by design' in the IoT ecosystem, which would help them secure a pivotal role in this competitive market. However, the importance of IoT security is widely recognised, so telcos need to be prepared to move fast to avoid losing out to competitors in this area.