Consumers will benefit from the IoT but we must build trust in connected devices first.
Before the coronavirus pandemic, many of us had embraced connected technologies but few of us depended on them. When they were the only way to stay connected to our colleagues, customers, healthcare professionals, and loved ones they became more important in our lives.
Now, an increasing number of people are buying Internet of Things (IoT) products to enhance their wellbeing, their feeling of security or to optimize energy use and automate processes within their homes.
The Consumer IoT Market
While digital transformation offers many benefits to consumers it also puts them at risk. When we survey more than 1,200 technology decision-makers in our annual PSA Certified Security Report, we find year-on-year that the consumers are growing increasingly more concerned about security. This means that buyers of connected products are increasingly aware when it comes to protecting their devices and data.
Fortunately, the buyers of IoT products are increasingly aware when it comes to protecting their devices and data. Peter Stephens from the UK’s Department for Digital, Culture, Media & Sport (DCMS) explained in the first series of our Beyond the Now podcast: “… there is this narrative that consumers just don’t care about security,” he said. “We did quite a lot of studies into this … and consumers really do care … it’s one of the most important characteristics they look for.”
Our own research provides further evidence of this. Ninety percent of survey respondents said security had increased in importance in the past year. More than two-thirds (70%) thought people were actively choosing to buy connected devices that follow security best practice.
It’s no surprise that this year’s PSA Certified 2023 Security Report reinforces security as a top priority among businesses and consumers. Government regulatory efforts, such as the European Cyber Resilience Act (CRA), further highlight growing interest in this area as the broader technology ecosystem ensures that security credentials are well documented. The Renesas RA Family of Arm Cortex-M based microcontrollers already implements proven security technologies, including physical hardware security that appeals to a broad range of connected applications, while keeping independent certifications such as PSA Certified. We will continue to embed advanced security technologies into our future RA products, including our industry’s first implementation of Cortex-M85 with PSA Certified, so that more robust security measures can be easily adopted by the supply chain.
Ten years ago, some felt that security was too hard, too expensive, or too easy to get wrong. Today we have secure enclaves in chips and secure supply chains, and customers recognize how important security is. They want to build secure products, and it starts with the silicon. Our customers want to talk about security and building it into their products right from the start. Concern for security has shifted from a ‘push’ to a ‘pull.’
At Eurotech we do design and offer a wide range of IoT, edge computing and edge AI systems. Security of edge systems – hardware & software combined – has evolved in the recent year to the most relevant aspect in customer engagements in industrial, transportation as well as critical infrastructure scenarios. PSA Certified was a vital part of creating a successful and convincing edge security value proposition.
This highlights an opportunity for device makers that prioritize building-in product security and focus on consumer trust and confidence. However, several barriers must be overcome if we are to maximize the opportunities of the consumer IoT and improve people’s lives. So, what is standing in the way?
The Consumer Perspective of IoT Security
Many People Assume a Connected Home Product Is Secure Because It Is on Sale
Research conducted for DCMS highlights a common problem – people think a product is secure because it is on sale. Almost three-quarters (72%) of respondents to a survey about the labeling of IoT devices said they assume security has been built in ‘when the product comes to market’.
Unfortunately, there are many high-profile examples that demonstrate this is not always the case. That means buyers are relying on manufacturers and retailers to do the right thing and the trust they are placing in them could be eroded if they are the victim of a cyberattack.
Who Is Responsible for Securing IoT Devices?
Consumers may want peace of mind but who is responsible for providing it? A separate DCMS report into people’s attitudes towards device security, particularly since the coronavirus pandemic, suggests the whole ecosystem needs to work together to build people’s trust in the IoT. Eighty-four percent of the consumers surveyed believed companies in the supply chain should be responsible for checking and being aware of the cybersecurity features of a device before it goes on sale. Almost nine in 10 respondents (87%) thought smart devices should have basic security features built-in as a way of protecting people’s privacy and security.
So, what do technology decision-makers think? They also believe we all have a role in securing the IoT. More than half of consumer IoT survey respondents (58%) said individual companies should show initiative and protect consumers from vulnerabilities.
What Does a Secure Device Look Like?
How do consumers know what products have security built-in? Currently, there is no consistent information to inform their decision-making. While individual governments are coming up with some solutions, there is no agreed form of wording, rating system, or logo to point people in the direction of trustworthy products and this lack of clarity makes it hard for them to buy with confidence.
As an industry, we must get better at communicating with customers about security in a way that is easy to understand, and we’re proud that the PSA Certified ecosystem are taking proactive steps to do that.
Consumer IoT Security: The Business Perspective
Navigating Security Standards to Access Global Markets
In many regions, governments and standards organizations are stepping in to protect consumers from insecure products and to offer guidance to device makers on basic security requirements. However, meeting all standards, requirements, and regulations can be challenging, especially if a device maker ships products globally.
Security Is Complex, Requires Expertise and Is Time Consuming
All of this can also make security feel complex and time-consuming, particularly if companies do not have access to dedicated security specialists. Our yearly PSA Certified Security Report finds that companies are not completely satisfied with the level of security expertise and the World Economic Forum estimates that there is a gap of more than 3 million security experts worldwide. This exacerbates concerns that difficulties in implementing the right security for a device will increase time to market- something that is particularly true for smaller organizations.
The Cost Paradox
As more consumers value security an increasing number of technology leaders are also realizing its benefits. Respondents in our yearly survey tell us year-on-year that security positively affects their company’s bottom line.
It means the costs of insecurity are starting to outweigh the costs of investing in appropriate protection, and yet, our Security Report also shows the cost of implementing security is still one of the reasons many IoT product developers overlook it. Their challenges include the costs of security expertise and independent testing and certification.
Assuring Consumers Their Devices Are Secure
Even if security is a priority, many developers of IoT products realize consumers may not trust the claims they make about their products without third-party verification.
Independent verification also enables manufacturers to build their products on secure and trusted components.
Unlocking the Potential of the Consumer IoT Through Collective Action and a Common Language
To help device makers overcome the challenges of securing a connected device, a global partnership of security experts has developed the PSA Certified IoT security framework and independent certification scheme. The framework is designed to democratize security – it helps companies build their devices on industry best practice, comply with worldwide regulations, and leverage the expertise within the wider ecosystem. Importantly, it also makes securing an IoT device quicker, easier and more cost-effective and establishes a common language so we all understand what ‘best practice’ means in the context of the IoT.
However, this is just the first step toward realizing the potential of the consumer IoT. The most significant shift will be determined by our collective action. We all have a part to play in building people’s trust in our devices and the data they gather and establishing a firm foundation for our digital future.
A Partnership of Solutions
The PSA Certified partners are building the future of the IoT, creating innovative solutions that their customers can trust.
This blog covers two of the most prominent IoT security regulations emerging in Europe (CRA and RED), what they mean for you, and how you can prepare.
In this blog, we explore why cybersecurity is the primary concern for IoT devices this Cyber Monday and how to protect consumers with IoT security frameworks.
This blog examines how IoT devices can transform the in-store retail experience and the crucial role security plays in architecting this new reality.