While a single piece of data from a connected device may have little worth on its own, when taken in aggregate, it can be a goldmine of corporate and personal data.
Data can be used in many ways—to increase manufacturing efficiency, control the lights and temperature in an office building or make a personalized offer as a shopper walks into a store.
But at the same time, thieves can steal people’s health data to commit insurance fraud. Streetlights can be dimmed to provide cover for a crime. Big data from IoT can be used for mass surveillance to track what people do in their homes and at work, or sold without the individual’s permission.
Here are some best practices to consider when establishing data privacy and security policies for your IoT deployment.
- Assess the risks for IoT data security and privacy. Understand what types of data will be collected by connected devices, applications and cloud systems. If the data includes personally identifiable information, the data must be encrypted or stored in an anonymous form. Define how the data will be used within your organization and how your business partners can access and/or use the data. Examine your data collection practices to impose reasonable limits on collection and retention of customer or sensitive data.
- Inform customers about data use. Misusing or abusing collected data will tarnish a company’s brand and erode customer confidence. Provide customers with the ability to make informed choices about how their data will be used and disclosed, especially in consumer markets.
- Assess the risk of data loss or theft. Consider what happens when a device is compromised, lost or stolen. A smartphone with a mobile health app has far greater risk than an environmental sensor if the device is lost or stolen. How will the data be restored? If with a public cloud provider, do your due diligence to determine the security measures in place to protect your data. If the device is lost or stolen, will it create serious risk? Define your incident response plan.
- Securely onboard connected devices. Attackers know that connected devices are the weak link in the IoT chain. Control network access for all of your endpoints, whether IoT or traditional devices. Use automated onboarding techniques to reduce deployment time and avoid the complexities of existing authentication methods.
- Assess the security of mobile and web applications. When people interact with an IoT system, it’s often through a mobile app or web interface. Make sure the software was designed and built securely and is not vulnerable to attacks like cross-site scripting or SQL injection.
- Continuously monitor connected devices for unusual activity. You need the ability to discover every network-connected device in real time, gain visibility into what the devices are doing and where they are located, and use their behavior to control their access to the network. If a device starts to behave suspiciously, such as accessing a port it has never accessed before, then it should be automatically quarantined or blocked from network access.
- Determine which regulations and laws apply. Most countries don’t have laws that specifically cover IoT privacy, but general privacy laws still apply. If you are in a highly regulated industry, such as healthcare, finance or energy, make sure that your IoT business practices meet your specific regulatory requirements. And keep in mind that while the regulatory climate in the U.S. is changing, which could directly impact future regulations for connected vehicles, medical devices and other IoT systems, maintaining data security and privacy is in the best interest of your brand.
Download the eBook Using Secure IoT to Drive Business Growth to explore the potential of IoT in the enterprise, which industries are paving the way, and how to secure your connected things.
Source: Great Bay Software