The Internet of Things

The Internet of Things

The Internet of Things (IOT) is a phenomenon that is changing the way businesses and consumers interact.  IBM describes the IOT as a “force of animation.”[1] That is, the IOT is connecting seemingly inanimate objects to the internet to collect and communicate data with other devices.  For example, a refrigerator, a seemingly inanimate object that stores and keeps food cold would, when upgraded to include a few sensors and a computing device, become a smart refrigerator that can communicate data about your diet to your doctor, update your grocery list, and notify your warranty servicer of needed repairs.  These Consumer Devices can connect and transmit data directly to businesses, which in theory would result in improved services and reduced costs to businesses and consumers alike.

There are over 25 billion connected devices in the market and the industry is expected to double in the next four years bringing that number to 50 billion connected devices.[2]  The potential advantages of the IOT phenomenon to businesses and consumers are readily evident; however, a closer look at the IOT will show that there are potential risks to businesses and their consumers if security implications are not assessed and managed appropriately.

Clearly there are advantages to the IOT phenomenon, but undoubtedly there are important risks that businesses must assess and manage sufficiently so as to mitigate the impacts on the businesses themselves and their customers.  Businesses should be proactive in their approach to addressing these risks and take the necessary steps to reasonably secure the data they are receiving, storing, and transmitting.  Below are some steps proactive businesses can take to secure their data reception, storage, and transmission processes.

  • Know and limit what data your business is receiving and storing. A recent survey by Veritas found that 52% of the data stored by businesses is dark data, or data with unknown value.[3]  This is an unnecessary risk for businesses.  If a business does not know the data they are storing they might not know how to properly secure the data.  Also, data thieves are more likely to attack a company with large amounts of data.  Proactive businesses should find out what data they are collecting and then, only keep what is necessary for business and regulatory purposes.
  • Restrict employees’ access to data. The old standard of a need to know basis is especially important here, employees should only be allowed access to data that is required for them to carry out their job duties.  Proactive businesses should restrict access to any other data and use industry standards to encrypt standing data in case inadvertent access is achieved by employees.  This would not only help prevent data loss, but it would also assure employees are not using data in ways that are against company policy or that consumers would find unreasonable.[4]
  • Systematically require employees to use unique and strong passwords that are properly secured. In addition to social engineering, hackers have been known to enter systems by using programs that repeat different combinations of characters until a combination finds a match thereby giving them access to the system.  By providing training and ongoing reminders to employees of the importance of system security, systematically requiring employees use complex passwords, having lockout and password change frequency policies configured in the system, and encrypting password files, companies can go a long way in minimizing the likelihood that hackers gain access to their system.
  • Secure data transmission. Most likely, IOT data will be transmitted from the consumers’ devices to companies’ networks through online services.  It is possible for data thieves to steal the data during transmission if the data is not encrypted and security measures are not properly configured.  In a complaint brought by the FTC against Credit Karma and Fandago, the FTC charged that the companies failed to properly configure the Secure Socket Layer (SSL) Certification on their mobile apps.[5]  This allowed hackers to capture users’ personal information when they accessed the mobile apps to get their credit scores by posing as Credit Karma or Fandago online service using fake SSL Certification.[6]  Users would unknowingly send their personal information to hackers posing as Credit Karma and Fandago.  Proactive businesses should use industry standards to encrypt data during transmission and implement and monitor strict configuration standards.
  • Vet service providers/vendors to verify they have security measures in place to properly secure data. If your business uses a third party service and they will have access to your consumers’ personal data, insist in writing the company take appropriate steps to protect the data and then verify compliance.

The IOT is poised to continue to grow. The advantages to businesses and consumers are readily evident and the risks, if managed appropriately, can be mitigated such that the significant potential benefits of this phenomenon does not get derailed by security concerns.


[1] Behan, Anthony, No really, what is the Internet of Things?,  Internet of Things Blog (Sept. 20, 2016), https://www.ibm.com/blogs/internet-of-things/what-is-the-internet-of-things/  (last visited Sept. 26, 2016).

[2] Federal Trade Commission, Internet of Things: Privacy & Security in a Connected World 1 (Jan. 2015) [hereinafter FTC Staff Report}, https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf .

[3] The Databurg Report: See What Others Don’t, Identify the Value, Risk, and Cost of Your Data 3 (Mar. 15, 2016) https://www.veritas.com/content/dam/Veritas/docs/reports/veritas-strike-global-report_a4-sdc2.pdf.

[4] FTC Staff Report at IV https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

[5] Fair, Leslie, Default lines: How the FTC says Credit Karma and Fandango SSLighted Security Systems, Business Blog (Mar. 28, 2014), https://www.ftc.gov/news-events/blogs/business-blog/2014/03/default-lines-how-ftc-says-credit-karma-fandango-sslighted (last visited Sept. 27, 2016).

[6] Id.

Written by 

Dean Brown is a seasoned business professional with 20 years of audit experience. Dean specializes in System and Organization Controls (SOC) audits, which he has been conducting as the principal auditor since 2014. Dean has also conducted numerous controls, IT, operations, compliance and forensic audits over the duration of his career. His experience involves financial, IT, SOC (SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity), operations and compliance audits, examinations, review and consulting engagements. Dean is a subject matter expert in SSAE18/SOC 1, SOC 2 audits, ISO 27001, enterprise risk management, internal controls, information security management systems, and IT governance models. Dean began his career as an auditor at a Big 4 public accounting firm where he audited multiple fortune 500 companies. Later in his role as a lead auditor at a fortune 500 company he managed teams in the United States and Canada and was instrumental in the management and successful completion of a company-wide project that successfully transition the company to a new operating business model. Dean is responsible for crafting, communicating, and reinforcing CompVisory’s vision and mission, and empowering the CompVisory team with the guidance and resources necessary for their achievement.