The Internet of Things (IoT) is the phenomenon of computer chips and sensors being embedded in everyday physical objects that connect them to each other and to the Internet. It’s transforming the world, with service providers rolling out IoT networks around the globe. However, how secure are these sorts of networks? While they may be technically robust, the weak link in any information system from a security perspective is often the human element. The biggest security risk of IoT is exactly that – it results in lots of new devices that mediate communications between people, be they mobile phones, wearables or retail and industrial devices. This introduces many more opportunities for fraud, phishing and other social engineering attacks. Legislators are imposing information security requirements that apply to IoT indirectly, but are they enough to prevent incidents?

Information security requirements for the Internet of Things

Most general data protection laws around the world (such as the GDPR in the EU, the DPA in the UK or POPIA in South Africa) have an umbrella information security requirement obliging anyone who processes the personal data of data subjects to implement appropriate technical and organisational measures, proportional to many factors, to protect that data from unauthorised access. To satisfy this requirement, businesses need to identify the risks to the personal data, identify potential safeguards, actually implement those safeguards, check that they’re working on an ongoing basis, and update them as necessary.

Data protection laws also generally require those responsible for processing personal data to consider the prevailing information security practices and procedures that apply to their industry specifically, or under their professional rules and regulations. This obliges businesses to comply with more stringent information security obligations in specific industries where data subjects commonly use IoT devices, such as:

  • banking – where banks increasingly rely on mobile phones, NFC cards and biometric readers as part of their payment systems; and
  • healthcare – where many modern hospitals use IoT patient cardiac, respiratory or other monitoring devices.

Data protection laws don’t do enough

People’s mistakes have long plagued information security in the global business landscape, with human error (at least in part) causing many data breaches, leaks and other incidents in recent years. IoT amplifies the existing operational information security risk, such as what humans do when faced with social engineering attacks, by creating lots of new devices that cybercriminals can exploit to manipulate people. While a general information security requirement is usually in place, along with industry-specific information security requirements, none of them deals with IoT directly enough to address the rising threat.

Need help with information security and the Internet of Things?

If you need help with information security and the Internet of Things, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.