3 ways IoT security concerns are taken out of context
- 11 April, 2016 21:18
This Saturday was like most every other day for me. I opened my RSS Internet of Things (IoT) news feed and there were three more articles telling me that consumers don’t trust IoT security. IoT security alerts have been so frequent and regular for so long now that just like a “check engine light” in an old car I am beginning to ignore them. Recently I have seen a slight pivot in the stream of warnings in the form of survey data: Data is good. More than once I have heard “In God we trust” all others bring data. But data requires analysis so let’s look at a few recent figures:
- 52 percent of consumers believe that these products [IoT] do not have the necessary security in place
- Effect of the IoT on security is a concern of 70 percent of US users
- Globally, 60 percent of consumers are worried about the [security and privacy of the] new technology [IoT]
- 90 percent of developers don’t believe IoT applications have necessary security
- 80 percent of consumers don’t know what IoT is, or care about IoT things.
Wait a minute. 80 percent of consumers don’t know what IoT is or even care? How can 70 percent be concerned about IoT security when four out of five don’t know what it is? Are you familiar with the 1936 “Landon beats Roosevelt in a landslide” prediction? Something isn’t right here.
Consumer security concerns are being taken out of context. Indeed, it appears that the respondents to these surveys don’t even have an IoT context. But it’s not surprising that people are concerned about something they don’t understand when prompted with the words “security” and “privacy.”
Look again at the survey that found that 52 percent of respondents don’t believe IoT has the necessary security. The same survey found that 49 percent don’t trust IoT devices with their data – but still use them. Let’s break this down. First, we must be talking to the 20 percent of people who know what IoT devices are. Half of those people don’t trust their devices but keep using them. But the other half apparently trusts the devices and also keeps using them. So apparently all of the respondents who are using IoT devices have made a risk-to-benefit tradeoff that says “the security and privacy of this device is adequate for my use!”
Honeywell has been selling wireless thermostats for 15 years and together with new players like Nest, who has had more than their share of privacy problems, they have provided over ten million customers with remote access solutions in the last five years. Security always requires context. Security is never perfect. Security risk is a choice that is made for any connected offering purchase. Some require more assurance than others, but the choice is always one of what is appropriate for the application and appropriate for the individual.
Here is the problem. This focus on consumer anxiety about IoT security in the context of adoption is completely distracting us from the real problem – creating value by solving problems that matter. Consumers don’t buy IoT – they buy solutions to problems. They don’t buy privacy or security just like they don’t buy quality. They pay for quality and will pay for security and privacy; but always at a level they deem appropriate and always as part of a purchasing decision for the solution to a problem. If I buy a cheap cordless drill I do not expect it to last as long or run as smoothly as if I buy the top of the line model. But either tool will drill holes for me – that is why I make the purchase.
So if you are accountable to deliver, develop, or manage an IoT offering consider these three contextual facts:
Customers don’t buy security
Customers buy solutions to problems. They don’t buy security, privacy, or even IoT. First and foremost focus your team on solving problems that matter to users. Make sure that your team has design thinkers who are accountable to users and user experience. IoT may be a key technology or may enable a completely new business model for your company, but your customer doesn’t care. They pay for solutions to their problems, not for technology. Once you have the solution you will have a reason to consider the security of your IoT offering.
Security is relative
Customers will pay for security – appropriate security at an appropriate price. They will judge the level of security and privacy you offer against that of your competitors and against their level of need. The survey revealed that 49 percent of consumers are using imperfect products if the value of the use exceeds the risk to their privacy. Find that sweet spot where in the cost of the security you integrate is appropriate for the application solution you deliver.
Appropriate security solutions exist
Sales data and consumer surveys alike show that appropriate security solutions exist for numerous IoT applications. But the news reports and professional analysis also show that security has not been made sufficient on other products. Appropriate security technology exists but diligence and good process are required to make solutions that work.
There is no question that security is and will continue to be a critical requirement for IoT solutions. As IoT solutions proliferate and extend across markets in many applications security and privacy will have to be included -- at the appropriate level.
The thing about “Check engine” lights is they stay on until you take action. Sometimes you can drive on for months but sometimes they are indicative of a pending critical failure. Customer concern with security is not the root cause for most of those struggling with IoT monetization success today. But action in the form of a more diligent focus on value can turn the light off.