In the last year we have seen the introduction of the first laws and regulations specifically aimed at IoT. Of course, numerous things have affected IoT before, from regulations on permanent roaming and rules on duty cycle for short-range devices through to privacy legislation, but these are the first to really be focused on IoT. And perhaps it’s unsurprising that these IoT rules and regulations focus on security. Security is regularly quoted as the #1 challenge for enterprise IoT deployments, and there have been regular troubling security breaches in consumer devices in the last few years, from the relatively mundane Mirai botnet, which only threatened to use the device for DDoS attacks, through to the downright terrifying Ring Santa Claus hack. Security as a failing was worth a section in The Internet of Things Myth, the book I published earlier this year.
In the recent Transforma Insights report ‘New IoT security regulations are toothless and limited in scope’ we dig into the detail of what has been recently announced in the UK, US, EU and elsewhere. The newly introduced rules are plugging a big and obvious gap and as a result they are welcome. However, it is hard to escape the conclusion that the rules don’t go far enough and therefore provide a false sense of security (literally). Furthermore, many of the emerging rules are not legally binding and the penalties are limited.
It’s also worth noting that, as discussed in the blog post ‘Too much Trustworthiness’, when you’re considering IoT security, you have to be aware of two things. Firstly, you can have too much of a good thing: security is always a trade-off with other factors such as profitability, churn, and time to market. Secondly, you need to think not just about security, but about the wider concept of trustworthiness, which includes safety, reliability, resilience and privacy.
If this subject interests you, I will be speaking about the challenges of security in the context of product development on a forthcoming Consult Red webinar entitled 'Will your new IoT device break your business?' on the 15th July at 15.00 UK time.