Why Device Manufacturers Bear the Majority of the IoT Security Burden

Whose obligation is IoT security? It is actually a shared responsibility among device makers, users, organizations, and some government agencies. Device manufacturers must ascertain that their products are not defenseless against cyberattacks. Users and IoT platform development providers also need to have sensible cybersecurity policies and controls. Government offices, for their part, perform regulatory functions to help control threats aimed at IoT ecosystems.

However, it appears device makers have the biggest responsibility in securing their devices. This is not to say that users should rely entirely on the built-in security features of the IoT products they buy. Instead, users should learn to be cybersecurity-conscious in choosing the IoT devices they get.

Manufacturers are in the best position when it comes to securing IoT devices since they have the biggest involvement in the design, development, quality control, and software maintenance of these devices. They make the call on what security features to add and the security validation procedures to take. They are also responsible for the security compliance of the products they introduce to the market. Add to these the three other crucial reasons discussed below.

Buyers want secure products

Nobody wants to buy products that have security issues. Not many may be well-versed in the concept of securing IoT devices, but an overwhelming majority of customers instinctively avoid products that are regarded as unsafe or vague about their security. It is for this reason that IoT device makers are expected to take the initiative to secure their products. They understand the impact of being associated with security flaws, so they are taking the first steps in making sure their devices do not easily fall to cyberattacks.

Ensuring the security of connected electronic devices is not easy. It is a complex process that requires a wealth of cybersecurity experience and continuous monitoring. Nevertheless, there are IoT security solutions that enable autonomous security and observability for connected devices. Through these solutions, manufacturers can embed real-time self-protection and monitoring in their devices throughout the product life cycle. There are also solutions that make it possible to deploy active threat mitigation functions on various devices.

Some may argue that customers are not acquainted enough with IoT security concerns to factor them into their buying decisions. However, it is not uncommon for competitors to expose the cybersecurity flaws of rival device makers. These security problems are likely to be picked up by traditional and online media outlets, which can result in a PR nightmare for the affected IoT manufacturers.

Security problem rumors and reports cannot be underestimated or downplayed. They can cause stock prices to tumble. They can also leave long-term reputational damage. It is apparent that IoT device makers acknowledge these realities, as most of the established names in the market invest in IoT security mechanisms and solutions. Those that refuse to integrate security in their product development tend to be run-of-the-mill or unscrupulous ones involved in bulk-producing cheap devices with dubious quality and virtually absent security.

Laws compel manufacturers to secure their products

IoT security is not just a concern acknowledged by device makers. It is a requirement in a number of jurisdictions. In the United States, for example, a law called the “IoT Cybersecurity Improvement Act of 2020” sets obligations for the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to undertake steps that raise the cybersecurity of IoT devices.

This IoT security law forces IoT device makers to ascertain that their products are secure in order to qualify for deployment or use in any office, department, or agency under the federal government. Manufacturers that refuse to secure their products instantly lose any chance to land a contract with the federal government. Also, if they choose not to take device security seriously, they easily lose to competitors that demonstrate better IoT cybersecurity implementation.

In addition, there is an upcoming US government program to implement an IoT security labeling system in 2023. This affects all IoT manufacturers, not only those that intend to secure deals with the federal government. The program seeks to put cybersecurity ratings plus additional useful information on every IoT product sold on the market. It is similar to the Energy Star labels used on appliances.

Designed to help consumers make better buying decisions, the planned IoT security labels help potential buyers in evaluating if the options they are considering are secure or not. This proposed program includes inputs from the Carnegie Mellon CyLab Security and Privacy Institute, which presented to the White House a study that shows that consumers are willing to pay more for IoT products that present information about their security and privacy.

There may be no plans to completely outlaw IoT products that are deemed not secure, but it is clear that the government is encouraging manufacturers to make security an essential part of device production. As such, ignoring the need for IoT security is not really an option for IoT makers.

Near-impossible to secure devices that are inherently insecure

Another crucial reason why IoT device manufacturers bear the biggest burden in IoT security is the fact that it is virtually impossible to attain security when the devices to be secured are not built to be secure in the first place. If devices lack basic protections from cyberattacks and the ability to integrate with other cybersecurity solutions, they will only become unaddressable vulnerabilities in enterprise networks. Hence, the only course of action available is to eliminate them from the network.

IoT device makers are responsible for the core functions, such as authentication and encryption, that make their products secure. If they fail to provide these functions, or they use shabbily written and flaw-fraught open-source code, it is not a stretch to say that no amount of supplemental cybersecurity solutions would suffice to make the affected devices secure.

It would not be wrong to demand IoT security from the manufacturers of IoT devices themselves. They may not be solely responsible for it, but they play an essential foundational role, which must be fulfilled first before anything else can become a viable addition or enhancement.

In conclusion

IoT security cannot be entrusted to a single party. Manufacturers, users, and regulators have their respective roles to play. However, there is no doubt that manufacturers have no choice but to assume the biggest share of the obligation since they are responsible for the firmware, basic functions, and software updates of their products.

They need to make sure their products are secure, so customers do not avoid them. They have to abide by legal requirements and government programs aimed at making IoT devices and ecosystems reliably secure. Most importantly, they have to ascertain that security fundamentals are present for the cybersecurity actions of users or organizations to mean anything.
