6 Lloyd's Avenue London EC3N 3AX
+44 (0)20 7680 3088
  • About Airmic

    Airmic is a members’ association supporting those responsible for risk management and insurance within their own companies. We have nearly 1200 individual members who represent over 450 companies.


Willis Towers Watson's Fredrik Motzfeldt discusses the risk implications of the potential 50bn internet-connect devices of the next decade


With 50 billion internet-connected devices expected to come online in the next decade, the security implications of the Internet of Things are dizzying. Organisations need to respond with sophisticated risk mitigation strategies embedded within their IT functions. Fredrik Motzfeldt of Willis Towers Watson gives an overview of the key risks.

In recent years, the proliferation of internet-connected devices - known as the Internet of Things (IoT) - is transforming lives and businesses. The trend for such devices is being driven by the mass expansion of wireless connectivity, inexpensive processing and ever-more sophisticated sensor solutions. Combined, these devices drive enhanced communication, automate complex industrial processes and even create new value propositions and business models by linking disparate systems of connected devices.

An internet-connectable device is any device that can connect to the internet directly and has a unique internet protocol (IP) address. They can range from basic sensor and telemetry devices to powerful computing devices with full operating systems. The benefits of this pervasive interconnectedness is almost beyond today's imagination: but for now companies are focusing on the advantages derived from being able to better manage global operations across multiple locations, as well as improve operational efficiencies, and link customers more closely with their vital supply chain partners.

However, just as the opportunities are huge, so are the potential risks associated with an ever-increasing reliance on interconnected, web-enabled technology. With 50 billion IP-connected devices expected to come online by 2025, the security implications and potential vulnerabilities are enormous. It is increasingly important that organisations embed sophisticated risk mitigation strategies within their IT functions. Already, we are starting to see much closer cooperation and integration between corporates' risk and IT functions. This is in a response to - and demanded by - increasing board focus on the need to manage an organisation's rapidly-expanding IT vulnerabilities.

The Risks of IoT

Risks from IoT exist at multiple layers, from the actual endpoint devices (such as smartwatches, connected cars and connected industrial sensors) all the way to the cloud where data is stored. As a result, ensuring secure IoT solutions must take an end-to-end approach to system design, implementation and installation.

In the cloud

Much of the magic of IoT is the ability to store mega-volumes of historical data in the cloud, and to make smarter decisions by analyzing and learning from this real-time data being gathered by sensors and other network edge endpoints. Increasingly, advanced analytics will need to be applied to convert all of this "machine data" in the cloud into valuable information.

The cloud/data center will therefore be a major point of vulnerability, and raises the stakes for both data-center security operations and data in transit between endpoints to the cloud. To combat these vulnerabilities, data centers should aggressively monitor network traffic for potential attacks and data centers (and those of their third-party providers) must be equipped to eliminate evolving security vulnerabilities.

Are your devices secure?

The connected devices themselves also pose a security risk. In order to lock down security at the device level, semiconductor vendors are looking to create a secure foundation of trust that ensures high levels of security during key times of vulnerability, including at boot-up and also while communicating with other devices and the cloud. Hardware roots of trust, which embed authentication and encryption to ensure security, are able to provide a high level of security at the endpoint.

A number of silicon vendors have recently made strategic acquisitions to enhance their security credentials and to enable software developers to establish high levels of security in their IoT applications. In many cases, chip vendors are beginning to recognise security not just as a core competency but also as one of the fundamental drivers of value within the IoT ecosystem.


As the IoT has moved beyond cellular - in other words internet connectivity via 3G and 4G - it has introduced a number of new wireline and wireless technologies, each with their own set of security vulnerabilities. For instance, in the connected car, embedding cellular along with other wireless technologies such as Bluetooth and WiFi, creates thousands of new points of vulnerability which could potentially be exploited by hackers to gain access and control sensitive vehicle systems. Indeed, in a study funded by the U.S. Department of Defense's Advanced Research Projects Agency (DARPA), researchers were able to use a laptop to access a vehicle and control its engine, brakes, steering and other critical components.

Competitive advantage

While these are just a few examples of some key areas of vulnerability in IoT, the truth is that the security challenges from IoT deployment exist at every point in the IoT network. Accordingly, enterprises should adopt a multi-layered approach to IoT security. In particular, they should:

·         Ensure proper firewalling of networks;

·         Employ aggressive monitoring of third-party developers to ensure use of proper security procedures;

·         In some cases, put in places measures to physically prevent theft or tampering of IoT modules or devices.

Additionally, in many security breaches there proves to be a human element. Employees must be given training on proper security measures and how to recognise scams in which malicious actors are inadvertently allowed access to internal corporate networks.

The reward for proactive preparation is not just a more resilient organisation, but a competitive advantage. Ultimately, the nature and level of sophistication will continue to evolve along with the evolution of IoT applications. It is unrealistic to expect elimination of all IoT security breaches, but enterprises will need to maintain a high level of vigilance and implement robust threat-monitoring procedures to ensure the highest level of security possible.