
In 2018 the Internet Society launched the Trust by Design campaign to make sure that security and privacy features are built into Internet of Things (IoT) products. We focused our activities on consumer IoT, a particularly vulnerable segment despite having the biggest share of the IoT market. We believe trust should come as standard, and so we’ve been working with manufacturers and suppliers to make sure privacy and security are included from the initial design phase all the way through the product lifecycle, as outlined in the OTA IoT Trust Framework. Our work does not stop there, as this goal can only be achieved when consumers drive demand for security and privacy capabilities as a market differentiator and policymakers create a policy environment that strengthens trust and enables innovation.
Consumer IoT devices and services without adequate security pose a wide range of risks, from directly threatening the security, privacy, and safety of their owners to the devices themselves turning into botnets that can initiate DDoS attacks against the Internet. As more and more connected devices with weak security are rushed to the market due to competition and cost concerns, missing trust is deeply rooted in economics. To better understand the economic aspects of consumer IoT security, we commissioned an independent study conducted by Plum Consulting that we are pleased to share with you.
“The economics of the security of consumer-grade IoT products and services” looks at the consumer IoT market and the current state of security (or lack thereof) and points out the main economic obstacles to better security. Consumers often do not have enough information to identify products with weak security. As a result, investment in security is not seen as a competitive differentiator for manufacturers. Additionally, since the costs of security breaches are borne by the device owner or third parties rather than the manufacturer, there is little incentive for manufacturers to invest in security. Finally, effective security by design requires specialized skills, can slow down the process, and can cost extra. Because of these factors, combined with cognitive biases of consumers, manufacturers tend to prioritize reducing cost and quickly sending IoT products to market.
But everyone, from consumers to policymakers, can take steps to incentivize manufacturers and shift demand in the market for strong IoT security. These vary by cost and difficulty and come with pros and cons of their own. The report provides a taxonomy and comes up with recommendations for the industry and policymakers to improve consumer IoT security, including prioritizing consumer guidance, leveraging public procurement procedures for products with strong security, encouraging responsible vulnerability disclosures, developing a trustmark for secure consumer IoT devices, prosecuting misleading claims on security, and prescribing a general set of security principles. Mandated security requirements through regulation are considered a last resort, and only if all other initiatives fail to improve security in the consumer IoT market.
Improving consumer IoT security calls for action from a diverse group of stakeholders, and their actions complement each other. The complex IoT ecosystem is only as strong as its weakest link – and a collaborative approach to security is essential for success. It is only by working together that we can make a more secure consumer IoT. The economics say so, too.
The post The Economics of Trust: Overcoming Obstacles to Better Consumer IoT Security appeared first on Internet Society.
