Over the past several years, deployment of Internet of Things (IoT) devices has grown rapidly. Researchers estimate that over 20 billion IoT devices are in use globally today, and this number is expected to exceed 100 billion by the middle of the next decade.
Retailers have been implementing IoT in their operations in a variety of ways. In physical stores, IoT devices can be used to track in-store inventory, streamline payments, update pricing, control store lighting and temperature, and monitor security. IoT devices also can be used in retailers’ distribution systems to enhance and monitor logistics and inventory management.
As retailers consider broader deployment and use of IoT devices in their enterprises, the primary focus will naturally be the potential business benefit of such technologies. Will they improve the customer experience? Will they facilitate new sales opportunities (for example, more efficient in-store pickup for online transactions)? Will they allow companies to more efficiently manage their inventory and reduce costs? As new IoT technology matures and its use cases become clearer, adoption by retailers is likely to increase consistent with the broader trend lines for IoT device growth.
But the adoption of IoT technology within retailers’ operations is not without risks. By bringing thousands of new network endpoints into their enterprises, companies are adding thousands of devices that must be inventoried, patched and monitored, each of them a potential point of attack. And the rapid introduction of new IoT devices adds layers of enterprise complexity, making it harder for retailers to fully comprehend their IT environment and understand the security and privacy risks to it.
Given these risks, companies should adopt six critical practices to effectively manage IoT-related risks:
1. Ensure that the Chief Information Officer has clear authority over decisions to adopt and acquire IoT-related devices and technology within the enterprise: Without this clear authority, there is a risk that operational divisions of a company will experiment with IoT-related capability and integrate it into retail operations without a broader consideration of enterprise risks, including potential risks to existing systems.
2. Provide the Chief Information Security Officer with visibility into all IoT-related acquisitions: Given the CISO’s responsibility for enterprise-wide cyber risks, it is critical that they have full visibility into the deployment of IoT-related technology and can ensure that such devices are adequately monitored. CISOs should also be given the formal authority to recommend that certain IoT devices not be deployed where they present known vulnerabilities. For example, several brands of CCTV cameras have been compromised at scale and recruited into botnets because they shipped with default credentials or unpatched firmware; CISOs should be empowered to block the acquisition of such devices.
3. Understand the risks of third-party deployment of IoT devices: Many IT service providers are shifting to “IoT as a service” offerings, which are likely to become attractive to retailers in areas such as inventory management and security monitoring. Such offerings could improve IoT security, since the provider manages patching and configuration, but they also create risk: the provider’s devices become endpoints on the retailer’s network, and the provider typically retains remote-management access to them. CIOs and CISOs need to pay as much attention to these third-party IoT risks as to their own deployments.
4. Consult publicly available guidance on IoT risks: Numerous public- and private-sector groups with longstanding experience in working with industry on standards and best practices—for example, the National Institute of Standards and Technology and Underwriters Laboratories—have developed guidance on IoT-related risks. Retailers should consult such public sources of information on IoT risks when making strategic investment decisions.
5. Update companies’ cybersecurity operations and plans to consider IoT risks: Retailers should ensure that their security operations center maintains an inventory of deployed IoT devices and collects network and log telemetry from them. Because many IoT devices cannot run endpoint agents, this monitoring usually depends on network-level visibility and on segmenting IoT devices from core systems. Retailers should also modify existing cyber incident response plans to cover IoT-related incidents, including how to isolate or replace a compromised device that cannot be patched.
6. Give extra scrutiny to IoT applications that use personally identifiable information: Some retail use cases for IoT involve the collection and transmission of customers’ personally identifiable information, for example in-store “beacons” that determine when a known customer has entered a store based on information from their mobile device. Such capabilities carry more risk than other IoT use cases; given the additional privacy-related exposure, decisions on their adoption should involve retailers’ legal and compliance functions.
If retailers take these steps, they will be better placed to ensure that risks are adequately considered and mitigated as new IoT capabilities are brought into the enterprise. By understanding and mitigating risks throughout the IoT life cycle, rather than after the fact, retailers can avoid ill-considered decisions, prevent unforeseen risks to the enterprise and still act with agility. Ultimately, these risk management practices succeed if they allow companies to remain nimble in adopting new IoT technologies that could transform their operations and improve their business performance.