Internet of Things and the Need for Risk Management and Compliance


The Internet of Things (IoT) is still evolving. Businesses therefore need to identify and manage the risks that come with it in order to survive in a connected future.

Anil Bhat, Associate Vice President – Platform Development, MetricStream

IoT refers to the ability of objects to connect and share data over the Internet. Devices like cameras, home automation systems and even personal wearables have become ubiquitous. For consumers the benefits are efficiency and convenience. For the organizations that provide services around these devices, the benefit is a wealth of data that allows them to make better informed decisions, refine their services with a better understanding of the market and the consumer, and improve internal efficiencies in their supply chains and business processes. With each passing day, the number of devices joining the IoT continues to rise.

IoT can be a complicated space

On the flip side, IoT can be a complex environment. While there is some legislation related to data privacy, there are grey areas around what data is collected from the consumer and how that data is used. Reliance on connected devices in a business context brings considerable risk, especially given the huge amounts of personal data and proprietary information being collected. There are also large sets of regulations to consider, depending on the country where the data is collected or stored. An enterprise looking to gather additional data using connected devices has to keep a close eye on these regulatory standards. Understanding the governance structures that need to be put in place, the risks that need to be managed and the compliance requirements is a key step towards an effective IoT implementation.

Three major risks

Firstly, there is the challenge of personal privacy. This issue comes into play when IoT devices, knowingly or unknowingly, collect and transmit personally identifiable information belonging to consumers (such as social security numbers or location tracking data). It is critical that companies develop a clear information governance strategy that accounts for all of the information collected through the IoT and identifies which of it must eventually be deleted. That strategy should also include steps to ensure compliance with the privacy expectations set by data protection regulations.

Next, there is the risk of vulnerabilities that would allow an attacker to compromise the devices and coordinate a physical attack, impersonate a user or introduce malware into the system. This is probably one of the biggest risks associated with IoT, and the level of risk increases with the level of connectivity of the devices. The infrastructure used to collect, store and analyze this data must be secured, with a strong emphasis on endpoint security. Early monitoring and detection of discrepancies in the data patterns is important in order to identify suspicious behavior and take corrective action before large-scale damage is done.
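The "discrepancies in the data patterns" mentioned above are easier to act on with a concrete detector. The following is an added example, not code from the article or from MetricStream: it learns a per-device, per-metric baseline from a sliding window of recent readings and flags a reading that deviates from that baseline by more than a chosen number of standard deviations, and separately flags a device whose message rate jumps far above normal (a sign of a compromised or misbehaving endpoint). The device names, readings, window size and thresholds are all constructed for illustration.

```python
"""Baseline-and-deviation detection over constructed IoT telemetry.

Added example: device IDs, readings and thresholds are invented, not taken
from the article. Two checks are implemented:
  1. value check   - a reading far outside the device's own recent baseline
  2. rate check    - a device sending many more messages per minute than expected
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Reading:
    ts: int        # seconds since start of capture (constructed)
    device: str    # device identifier (constructed)
    metric: str    # what was measured, e.g. "temp_c"
    value: float


@dataclass(frozen=True)
class Alert:
    ts: int
    device: str
    reason: str


def detect_anomalies(readings, baseline_n=10, z_threshold=3.0, max_per_minute=20):
    """Return alerts for readings that deviate from each device's learned
    baseline and for devices whose per-minute message count exceeds the limit.

    The baseline is a sliding window of the last `baseline_n` readings that
    were judged normal; anomalous readings are deliberately NOT added to the
    window so that a tampered value cannot widen the baseline to hide itself.
    """
    history = defaultdict(list)      # (device, metric) -> recent normal values
    per_minute = defaultdict(int)    # (device, minute index) -> message count
    alerts = []

    for r in sorted(readings, key=lambda x: x.ts):
        key = (r.device, r.metric)
        window = history[key]
        anomalous = False

        # Value check: only once enough history exists to form a baseline.
        if len(window) >= baseline_n:
            mu, sigma = mean(window), pstdev(window)
            if sigma == 0.0:
                # A constant baseline: any change at all is worth a look.
                anomalous = abs(r.value - mu) > 1e-9
            else:
                anomalous = abs(r.value - mu) / sigma > z_threshold
            if anomalous:
                alerts.append(Alert(r.ts, r.device,
                                    f"{r.metric}={r.value} deviates from baseline "
                                    f"mean={mu:.2f} stdev={sigma:.2f}"))

        if not anomalous:
            window.append(r.value)
            if len(window) > baseline_n:
                window.pop(0)        # keep the window bounded

        # Rate check: alert once, at the first message over the limit.
        bucket = (r.device, r.ts // 60)
        per_minute[bucket] += 1
        if per_minute[bucket] == max_per_minute + 1:
            alerts.append(Alert(r.ts, r.device,
                                f"more than {max_per_minute} messages in one minute"))

    return alerts


def sample_telemetry():
    """Constructed telemetry: a thermostat with one tampered reading, and a
    camera that suddenly floods the collector with messages."""
    thermo = [21.0, 21.2, 20.9, 21.1, 21.0, 20.8, 21.3, 21.0, 21.1, 20.9, 21.2, 85.0]
    readings = [Reading(60 * i, "t-01", "temp_c", v) for i, v in enumerate(thermo)]
    # cam-07 sends 25 heartbeat frames within the first minute (limit is 20)
    readings += [Reading(i, "cam-07", "frames", 1.0) for i in range(25)]
    return readings


if __name__ == "__main__":
    for a in detect_anomalies(sample_telemetry()):
        print(f"[{a.ts:>4}s] {a.device}: {a.reason}")
```

On the constructed input the detector raises exactly two alerts: the camera flood at the 21st message and the 85.0 temperature reading that a normal thermostat would never report. The point of withholding anomalous values from the baseline is that a slow "boiling frog" manipulation cannot drag the window along with it; in production the same logic would run per device type with thresholds tuned from real traffic.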

Lastly, there is the challenge of managing the lifecycle of the data collected from IoT devices, from creation to acquisition to analysis to disposal. Insufficient control over this data, or an unclear retention scope, increases the risk involved in handling it. Businesses need to formulate a clear policy that identifies what data needs to be retained and for how long, and what data needs to be deleted for compliance and regulatory reasons. Periodic data audits to ensure that these policies are adhered to and enforced are critical to managing this risk.

Better strategies for a safe connected future

A lack of strategies for managing the above IoT risks can lead to regulatory and legal penalties and fines, and ultimately to a loss of reputation with business partners and consumers. IoT is still an evolving area in which new standards, protocols and legislation are continuously being formed. It is important for businesses to stay aware of this changing landscape and to identify and manage these risks efficiently in order to thrive in a more connected future.

About the author

Anil Bhat is the Associate Vice President – Platform Development at MetricStream. The contents or opinions in this feature are independent and may not necessarily represent the views of EFY. They are offered in an effort to encourage continuing conversations on IoT and technologies around it. We welcome your comments and engagement.