As manufacturers race toward IoT to drive new recurring revenue streams and facilitate predictive maintenance of physical machinery, cybersecurity concerns abound. Whether it’s for industrial IoT (IIoT)-enabled machines, medical devices with newly enhanced connectivity features, or for IoT-native sensors and gateways, opening up a device to the internet adds a whole new dimension of risk to products.
As a result, connected product manufacturers (CPMs) are under new expectations from the market to address security concerns over the entire lifetime of the product. CPMs must elevate their security concerns from simply designing products that are safe to ship to actively helping to address and maintain security for as long as that device remains in service.
Customers are now demanding that connected product manufacturers address security for the lifetime of the product. More advanced CISOs at large organizations are taking a more disciplined approach to third-party risk management, requiring their vendor management organizations to put pressure on their connected product vendors to address vulnerabilities as they’re discovered. This is forcing CPMs to create action plans to remediate poor security posture or risk the customer halting purchases, returning devices, or turning off connectivity.
Even without direct pressure from large customers, manufacturers have a vested interest in helping all of their customers securely deploy IoT devices. If an enterprise experiences an ugly public breach due to the exploitation of a vulnerable IoT deployment, chances are high that the manufacturer’s name will be dragged into the headlines about the incident. Even if the incident is caused by the customer’s poor security configuration of the product, at the end of the day such an incident will reflect poorly on the brand.
Promoting security features and functionalities can give a big boost to a connected product by encouraging customers otherwise leery of turning on connectivity. According to a recent Bain & Company study, enterprise customers would pay on average 22% more for secure IoT devices and buy an average of 70% more IoT devices if they knew they were secure.
Added security can open up brand new revenue streams.
“IoT device vendors and ecosystem players that move to improve the security around IoT devices are likely to reap rewards not only from their ability to earn a premium but also from an expanded market,” explained the Bain study.
With the right security features and ongoing monitoring capabilities, leading CPMs are beginning to offer security services as add-on packages to other connectivity-enabled service packages.
New compliance and regulatory requirements are mounting and will force IoT manufacturers to take a greater share of the responsibility in ensuring that connected products are not only designed but also deployed securely. An early sign of this is the recent enactment of California’s IoT security law, which requires manufacturers to equip devices with ‘reasonable security features’.
All of this means that manufacturers of connected devices will need to find a way to keep tabs on the security posture of deployed devices so that both they and their customers can address issues like vulnerabilities in the code and configuration problems in the environment that open them up to attack. This will require not only a complete inventory and assessment of all deployed devices, but also cross-disciplinary visibility for product/service teams, security, and developers at the manufacturer’s organization in order to ensure the ongoing security of their connected products.