Risk Management for the Internet of Things

Today’s world is defined by more than just the internet and shared data; it is defined by connected technology that can create, process, analyze, and communicate data without the need of human inputs. This is known as the Internet of Things (IoT) and is designed to allow enterprises to make value-adding decisions in real-time. However, the downside of the IoT is the increased risk to data security as more sensitive data is being created and stored on networks. Given this, a new risk management approach is needed to protect an enterprise’s critical information.

Security of Data

Securing data is not a new concept for any business. In regards to IoT deployment, security isn’t any different except for the degree of that security. Deloitte focuses on three sources of risk that are particularly important in regards to IoT deployments: enabling interoperability, retrofitting, and extending functionality.

The first source of risk is enabling interoperability. A desired feature of IoT is the creation of a pool of users which can include other organizations or stakeholders such as suppliers and customers. A problem that often arises is not having uniform standards to enable interoperability to function properly. Quite frequently, businesses will settle with IoT solutions that haven’t been scrutinized and tested properly which results in vulnerability. The best prevention for this is to recognize IoT is a long-term strategy and worth investing in. Furthermore, investing in uniform standards for IoT deployments will be more beneficial than settling for vulnerable IoT solutions. 

The second source of risk in IoT deployment is in regards to integrating IoT with existing systems in place. However, the capability of retrofitting these existing systems to the necessary security level for IoT deployment may become impaired as technology continually advances. Deloitte recommends always erring on the side of caution and replacing the existing devices. 

The third source of risk in IoT deployments is attempting to extend the functionality of existing systems. Often businesses are hesitant to adopt new technologies due to cost restraint or uncertainty of the technology. However, businesses tend to extend the functionality of their existing systems to achieve technological advances. In these situations there is a major risk of these modified systems lacking security. Just as with retrofitting, Deloitte recommends evaluating the risks of extending the functionality of an existing systems versus replacing the systems. 

Remaining Vigilant

The second aspect of Deloitte’s risk management framework is remaining vigilant to the rapid changes in technology which bring new, unforeseen risks. In regards to IoT businesses need to remain vigilant in two aspects of IoT: data and ecosystems. As the IoT technology expands, the scale, scope, and frequency of the data collected will also increase. However, this creates new risks as more doors are opened for intrusion.

As previously mentioned, a common feature of the IoT deployment is creating a pool of users, or ecosystems, to enable sharing of information. While this is a significant value-adding feature of IoT, the business remains vulnerable to the security standards of third party users. In this sense the IoT risk management framework requires that businesses be vigilant by constantly assessing the risks of third party users in the IoT ecosystem. 


Resiliency is the ability to realize, address, and correct risks in order to restore operations as quickly as possible. For IoT deployments many steps can be taken to ensure resiliency depending on the application of the system. At the center of all systems should be implementation of security-event-monitoring controls to act as a built-in fail-safe. The purpose of this is to ensure the system doesn’t create a catastrophic event by containing and isolating incidents.