In 2018 the Internet Society launched the Trust by Design campaign, to make sure that security and privacy features are built into Internet of Things (IoT) products. We focused our activities on consumer IoT, a segment particularly vulnerable, despite having the biggest share in the IoT market. We believe trust should come as standard, and so we’ve been working with manufacturers and suppliers to make sure privacy and security are included in the initial design phase all the way through the product lifecycle, as outlined in the OTA IoT Trust Framework. Our work does not stop there, as this goal can only be achieved when consumers drive demand for security and privacy capabilities as a market differentiator and policymakers create a policy environment that strengthens trust and enables innovation.
Consumer IoT devices and services without adequate security pose a wide range of risks, from directly threatening the security, privacy, and safety of their owners to the devices themselves turning into botnets that can initiate DDoS attacks against the Internet. As more and more connected devices with weak security are rushed to the market due to competition and cost concerns, missing trust is deeply rooted in economics. To better understand the economic aspects of consumer IoT security, we commissioned an independent study conducted by Plum Consulting that we are pleased to share with you.
“The economics of the security of consumer-grade IoT products and services” looks at the consumer IoT market and the current state of security (or lack thereof) and points out the main economic obstacles to better security. Consumers often do not have enough information to identify products with weak security. As a result, investment in security is not seen as a competitive differentiator by manufacturers. Additionally, since the costs of security breaches are borne by the device owner or third parties rather than the manufacturer, there is little incentive for manufacturers to invest in security. Finally, effective security by design requires specialized skills, can slow down the process, and can cost extra. Because of these factors, combined with the cognitive biases of consumers, manufacturers tend to prioritize reducing cost and quickly sending IoT products to market.
But everyone, from consumers to policymakers, can take steps to incentivize manufacturers and shift market demand toward strong IoT security. These steps vary in cost and difficulty and come with pros and cons of their own. The report provides a taxonomy and comes up with recommendations for industry and policymakers to improve consumer IoT security, including prioritizing consumer guidance, leveraging public procurement procedures to favour products with strong security, encouraging responsible vulnerability disclosure, developing a trustmark for secure consumer IoT devices, prosecuting misleading claims about security, and prescribing a general set of security principles. Mandated security requirements through regulation are considered a last resort, to be used only if all other initiatives fail to improve security in the consumer IoT market.
Improving consumer IoT security calls for action from a diverse group of stakeholders, and their actions complement each other. The complex IoT ecosystem is only as strong as its weakest link – and a collaborative approach to security is essential for success. It is only by working together that we can make consumer IoT more secure. The economics say so, too.