The strength of the Internet of Things (IoT) is in creating a connected ecosystem of different suppliers, but partnerships cannot be afforded ignoring the potential risks.

During an event organized by IoTItaly, the Italian association on the Internet of Things, a very interesting presentation from Maurizio Griva of Reply (available here) mentioned that the leitmotiv of the last IoT week was

You can’t do I(o)T alone

Companies have now realized that

the Internet of Things is not just about creating sensors, technologies able to connect devices or a new type of box. But it is about creating an ecosystem i.e. going to companies doing business with the goal of creating value having in mind that the IoT can connect all such different components.

The strength of the Internet of Things is not in its single components, but in being able to make them part of a full solution and since no company can build every component of an IoT solution

the IoT requires partnerships!

IoT

This is why there are high expectations of revenues in the Internet of Things market for solution providers, integrators and telecom carriers. On the contrary, according to the data collected by CompTia, the platform providers have the lowest expectations of revenues.

And this is the major change of perspective for the IoT. Indeed, the approach so far has been to create a platform in order to have full control of Internet of Things environment. Such course of conduct has led to the creation of over 360 IoT platforms and over 100 protocols of communication between platforms which makes interoperabilities and therefore partnerships more difficult. There are technical solutions able to translate the language of different protocols of communication, but certainly this proliferation of protocols and platforms does not help.

But if the Internet of Things requires partnerships and partnerships need interoperabilities between systems/components of different suppliers and interoperabilities lead to communications of data between systems of diifferent suppliers

Does interoperability conflict with cybersecurity?

This is the issue that was raised in a number of discussions that I had on the topic. The system of a partner might be the backdoor access to an IoT environment which might jeopardize its cybersecurity and cannot be controlled by the other entities that are part of the same IoT ecosystem…

This might be an argument that could be difficult to fully share if we consider that according to a report 80% of the code in today’s applications comes from open source libraries and frameworks whose vulnerabilities are widely ignored.

The IoT needs policies and procedures

Why are companies ready to use open source software, while they are reluctant in partnering with third parties to create better Internet of Things solutions? It might be that the initial goal at least by very large companies was to ensure a full control of the whole “vertical” to create a position of dominance in the market. Such solution is now questioned by many operators and even the approach taken by some smart home suppliers has been to open their products to as many protocols as possible in order to find a “win-win solution“.

But if the opening to products of other suppliers is a “must have“, potential cyber risks cannot be underestimated. The sole solution is not to have a in place a cyber risk insurance policy. On the contrary, as already done in relation to the usage of open source software, it is necessary to have a policy in place to reduce the potential risk exposure. In particular, it is necessary to

  • have a cybersecurity policy for the testing and approval products of other suppliers that are integrated in a solution;
  • adopt a privacy by design approach with reference to not only the single component of an IoT ecosystem, but the whole solution that is then put in place and
  • put in place a cyber risk policy in order to immediately react to a cyber attack and minimize the potential negative effects.

Such policies and rules shall impose also obligations on the other suppliers that are part of the same solution in order to force them to adopt themselves internal policies and procedures aimed at minimizing potential cyber risks and data breaches as the vast majority of cyber attacks occur due to human errors.

As I mentioned in a previous post

Security is a business issue, not a technical issue

Security in a connected world cannot be considered anymore to be an issue to be dealt only by technicians. Security flaws might arise from the most unpredictable sources. Besides given that over 480 million cyber attacks occurred in 2015,

a cyber attack is not if but when

When a cyber attack takes place a company should be ready to

  • react to the cyber attack in order to minimize damages for its business and for the business of its customers and
  • prove to have done everything possible to avoid the cyber attack which is crucial to limit not only the potential reputational damages, but also the potential liabilities towards third parties and authorities especially now that the EU Privacy Regulations will introduce fines up to 4% of the global turnover of the breaching entity.

The Internet of Things needs partnerships, but partnerships need policies and procedures to avoid potential risks.

@GiulioCoraggio