In order to best reap the benefits of the myriad Internet-connected devices can offer, businesses need to better enhance security and protect consumers’ privacy.
Those were the not too-surprising chief observations coming from a report the Federal Trade Commission issued this week on the Internet of Things and its impact on businesses and consumers.
+More on Network World: FTC: IRS imposter complaints up more than 2,300% in 2014+
The Internet of Things universe is expanding quickly, and there are now over 25 billion connected devices in use worldwide, with that number set to rise significantly as consumer goods companies, auto manufacturers, healthcare providers, and other businesses continue to invest in connected devices, the FTC stated.
The report is partly based on input from leading technologists and academics, industry representatives, consumer advocates and others who participated in the FTC’s Internet of Things workshop held in Washington D.C. last year.
The sheer volume of data that even a small number of devices can generate is stunning: one participant in the workshop indicated that fewer than 10,000 households using the company’s IoT home-automation product can “generate 150 million discrete data points a day” or approximately one data point every six seconds for each household, the report states.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez said in a statement. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The report includes the following recommendations for companies developing Internet of Things devices:
- Build security into devices at the outset, rather than as an afterthought in the design process
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.
- Ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers.
- When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk. For example, companies should consider implementing reasonable
- Install access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network. In the IoT ecosystem, strong authentication could be used to permit or restrict IoT devices from interacting with other devices or systems.
- Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network.
- Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
- Consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.
The FTC also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. The agency acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly since some Internet of Things devices may have no consumer interface.
Check out these other hot stories: