Mitigating privacy risks in the Internet of Things
As the Internet of Things (IoT) becomes increasingly ubiquitous, organisations from all industries are beginning to explore ways to develop and utilise their own IoT network or service offering. In his new book, Internet of Things, for Things, and by Things, author Abhik Chaudhuri explains how this can be done effectively and safely, while mitigating the privacy risks inherent in dealing with large amounts of end users’ personally identifiable information.
IoT devices have the potential to collect detailed personal data and communicate with each other. This data can then be aggregated and analysed to extract information about people’s traits, habits, welfare and movements. As IoT networks grow, Chaudhuri argues that a lack of consumer awareness of, or curiosity about, privacy settings could lead to abuse of their data, leading to a breakdown of trust in the technology and ultimately reducing its potential for a positive impact on society.
With privacy concerns among the most fundamental risks to organisations adopting this emerging technology, Chaudhuri advocates seven principles of IoT privacy by design that he says should be built in at the earliest stages of developing IoT devices.
Built-in privacy enhancement
In order to anticipate and prevent data compromise, Chaudhuri believes that IoT devices and smart services should have privacy-enhancing capabilities already built in at the ideation and development phase. This preparation reduces the risk of companies being forced to respond reactively to privacy breaches, which, as the Facebook and Equifax scandals have recently proved, cause significant distrust amongst users.
User data should be protected by default in any IoT device and smart service, with responsibility and accountability for that protection resting with the device manufacturer. This builds wider trust among users and encourages greater adoption of IoT offerings.
The staggering number of IoT devices and their prevalence worldwide means privacy breaches can come in any number of different guises. Chaudhuri’s answer is to identify sensitive data components early and embed privacy-enhancing features to ensure the devices comply with privacy requirements without affecting core functionality.
Full functionality with maximum security
Another of Chaudhuri’s principles is that every stakeholder in an end-to-end IoT service should be able to provide full functionality without sacrificing privacy, security or safety. He proposes that, to prevent it being used for malicious purposes, any contextual data collected should be preserved with the appropriate security and privacy measures throughout the entire data lifecycle and then completely destroyed.
Chaudhuri recommends allowing all stakeholders to independently verify IoT operations, explaining that this provides visibility and assurance that the functions are operating according to their stated objectives. He concludes that the requirements of end users should be central to the design of any IoT device or service, with privacy being a major requirement.
Learning from mistakes
With the vast array of opportunities afforded by IoT technology, Chaudhuri believes that organisations must learn from past mistakes and consider security and privacy requirements at the earliest stage. The penalty for ignoring those lessons is one that businesses will pay in reputation, trust and cost.
The Institute of Risk Management (IRM) is the world’s leading enterprise-wide risk education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. IRM passionately believes in the importance of risk management and that investment in education and continuing professional development leads to more effective risk management.