It may seem humorous to compare a vacuum cleaner to precious jewels when it comes to security, but the concept (namely, prioritization) is at the core of keeping your IoT operations safe. IoT systems are so complex and different from one another that it becomes cost prohibitive to have standardized security protocols across every application. In fact, such protocols would be overkill for a lot of solutions. (Keep in mind that protocols, as defined in this blog, are different than best practices.)
Let’s examine the vacuum cleaner versus jewels scenario. Everyone wants their home and its contents to be safe from thieves. But few people would spend the same amount of money securing a vacuum cleaner as they would their jewel collection. Likewise, with other items in the house, there is a priority status given to each one. Documents containing a social security number might be stored in a safe, whereas all other documents simply are kept in a drawer, as an example.
The same prioritization principles apply to IoT security initiatives. For example, it would be logical to spend more money and effort ensuring a water supply is safe and less on an earthquake sensor. The key is to design IoT security solutions in the context of your niche. The infographic below is a good general reference when deciding how much investment and resources are needed to ‘feel secure’.
Unfortunately, there also are a lot of grey areas as implementations aren’t always straightforward. One of the greatest promises of IoT is that it will enable companies to do a lot more for a lot less investment, similar to what the cloud has done with enterprise operations. Trouble is if, as a service provider, you spend significant monies on security, you risk becoming uncompetitive. Equally disconcerting is if you fail to invest in security, you risk a serious breach that could, potentially, end your business altogether.
You must balance security objectives based on your business model and target industry, and then mitigate any and all trade-offs as best as possible. The graphic below demonstrates that even if you are open to unlimited investment in security, you still must endure more complexity and a much longer time to market, as there are no perfect answers.
You need to set realistic expectations when delivering solutions, including the potential security risks involved. IoT-enabled solutions are integral to any company’s operations, but if the underlying internal infrastructure is unsecure, you then put your solutions at risk no matter how many precautions are taken.