Security basics should be part of any MVP. Period
After almost 5 years (at least) of constant media coverage around IoT privacy invasions and security breaches, it is staggering to see some sectors of the tech industry apparently still struggling with those matters.
For many analysts, it all boils down to costs; for others, to the limitations inherent to the size of some sensors and the amount of functionality which can be coded on them.
Both aspects are obviously linked (more powerful chips cost more), but the situation is probably more complex and rooted in deeper problems.
First of all, the security of any IoT product should be seen as a functionality, not an add-on, and treated as an inherent component of any use case. Basic security good practices will vary depending on the usage of the product but should be part of any MVP.
So why is it not the case, with so many products?
Let’s eliminate the issue of costs first of all: yes, security costs money, but when launching a product, every functionality does. In reality, the cost issue hides a fundamental prioritization problem, and the perception by product developers that customers will value other functionalities more. Research has started to emerge over the past few years showing that, in fact, this is less and less the case.
Rush-to-market is also often cited as a cause, but again that points more towards a prioritization failure. An insecure product should not be seen as a viable, market-ready product.
This should not be seen as a side topic in cyber security conversations: The Internet of Things is becoming a cornerstone of the digital transformation in many domains. While some security breaches can be laughable, others can have devastating consequences, for example in the healthcare industry.
It is really the culture of some sectors of the tech world which is under the spotlight here, and with it, the short-termism of some of its investors.
Of course, failure to take this seriously and act can only lead to politicians and regulators involving themselves further to protect consumers and citizens. We highlighted it in a 2015 white paper, and beyond the measures already triggered by GDPR where personal data is involved, this is now starting to happen across a broader spectrum of the tech landscape.
Frankly, given the virulence and widespread nature of cyber threats, the need to take security seriously and embed it natively into IoT products should be seen as a simple matter of common sense for product developers and investors. Beyond good ethics, it has quite simply become a matter of good business.