An MIT SMR initiative exploring how technology is reshaping the practice of management.

See All Articles in This Section

Smart devices, once relegated to science fiction and our imaginations, are now ubiquitous. Today, there’s a market for everything from a Wi-Fi connected refrigerator to a voice-operated speaker that doubles as a personal assistant. The internet of things (IoT) — the software-operated network of physical devices, appliances, vehicles — grows day by day as these devices become part of our daily lives. A March 2018 survey found that 22% of Americans used IoT appliances in their homes, and this trend is widespread across the globe. Amazon recently announced a plan to expand Amazon Echo services to Italy and Spain.

For consumers, the concept of easily operated, highly adaptable products is great. Smart devices are convenient, useful, and fun. However, many people remain skeptical or anxious about this level of connectivity. News of products leaking private information or being remotely hacked has led customers to fear for their personal safety and reconsider hooking up physical appliances to vulnerable networks.

Considering the relative infancy of many IoT markets and the growing demand for cheap and accessible IoT products, this is a critical stage for IoT businesses. Manufacturers will have to make decisions about how to best deal with cybersecurity. For some IoT developers, that may mean choosing between product usability and product security.

Prioritizing Product Security

Businesses frequently fail to consider that the incentive for product security can have more to do with marketability than integrity. Just look at the saga of the My Friend Cayla doll. Developed by the U.S.-based manufacturer Genesis, this children’s toy used speech-recognition technology to engage in personalized conversations with kids. The doll experienced high demand in 2015 and 2016 — until the public discovered that My Friend Cayla offered a prime target for hackers.

Email Updates on Managing Tech

Get periodic email updates on how to incorporate new tech into your company’s strategy and operations.

Please enter a valid email address

Thank you for signing up

Privacy Policy

Germany’s Federal Network Agency found that an unsecured Bluetooth device in the doll, which collected and transmitted all audio to a U.S.-based voice-recognition company, exposed the doll’s data. Independent and possibly malicious hackers could not only access private voice data, but also potentially speak to children through the doll.

The My Friend Cayla doll was officially banned in Germany in early 2017, and officials advised parents to trash the doll and destroy its internal microphone. In the U.S., consumer watchdog groups and legislators demanded that the dolls be pulled from shelves for violating laws protecting child privacy. Sales promptly fizzled. Today, the My Friend Cayla doll is no longer carried by major U.S. retailers. Similar events have occurred in various markets. As a whole, the IoT includes a wide range of devices with unique vulnerabilities. Inconsistent security protocols and physical safety risks of IoT technologies are their primary weaknesses.

Potential adopters of IoT technologies range from individuals to massive organizations. If a new product experiences a publicized cyber incident, it may never get off the ground, even if the security issue gets resolved. This is a prime example of why IoT developers cannot simply focus on marketing and innovation. Security needs to be addressed proactively, even if it requires a considerable investment of resources in earlier stages.

In fact, investing resources in cybersecurity is probably the most business-savvy thing that IoT product manufacturers can do. At Cybersecurity at MIT Sloan (CAMS), we studied how security risks of IoT products can shape the future marketplace. In a recent study, we found that while there are a number of variables at play, investing early in cybersecurity capabilities — even for a company or startup with limited resources — is ultimately the method most likely to bring market success in the long run.

Appealing to Users

One of the biggest selling points of IoT products is their convenience and reliability. A good product must be simple enough to attract customers, yet secure enough to reduce the likelihood of cyber incidents.

Consider our iceberg model (See “Iceberg Model for IoT Products”), which maps the growth of IoT products. It includes several feedback loops that explain how changes in a product can affect its sales. The first feedback loop (R) is obvious to most IoT product designers: The more beneficial or attractive a product, the more its use and sales increase. With the increase of sales and market size of IoT, designers use research to improve their product, and so more people will want to purchase the product.

However, that mechanism is only the tip of the iceberg. Data security concerns create a second, less obvious feedback loop (B) affecting the marketability of IoT products. This important but hidden part of the model works like this: As a product’s adoption increases, it becomes more attractive to hackers, and some cyberattacks may succeed. If customers learn about attacks on the product, they’ll doubt its security and reliability. Eventually, potential adopters may decide that the cyber risk is too great to justify any number of benefits or novel features.

Our research, which included studying a large electronics company that produces an IoT lighting product, provides us with a narrative for how cybersecurity-related variables may impact the introduction and adoption of new products in the market. We interviewed employees from a number of departments within the electronics organization — including security, production, marketing, and sales — and consulted potential users of the product and outside industry experts.

Interviewees could easily describe many potential benefits of their product — from connected light bulbs that could reduce inefficiency in unoccupied conference rooms to IT systems that could use motion sensor-equipped lighting to direct employees to open desks when they enter the building. The chief benefit of using IoT, in this case, is not the lighting technology itself, but the data collection around productivity and efficiency it can provide.

However, these benefits often aren’t easy to perceive for consumers, and several factors may make customers doubt the security of a connected lighting system. The many bulbs and systems involved offer many potential targets for hacking. This lighting system doesn’t feel safe to some building managers. In this case, the risk seems to outweigh the reward for most consumers who might consider installing a connected lighting system. Very few buildings have adopted connected lighting. This leaves much room for the IoT developer to not only enhance their cybersecurity capabilities but also ensure that the risk and benefits are clearly communicated to potential consumers.

How IoT Businesses Can Reduce the Impact of Cyber Risks

Investing in cybersecurity capabilities for IoT products is essential, but it can be expensive and this requires additional resources. In the long run, however, strong cybersecurity measures can improve consumers’ perception of how secure and reliable a product is, which helps chances of adoption.

IoT developers simply can’t wait until their product gets a noticeable market share to invest in cybersecurity policies. Management must take responsibility for security along the entire technology supply chain. To increase the adoption of the IoT, organizations that develop this technology must measure and monitor the risk-reward ratio of products.

A particular dilemma for IoT developers is the lack of widely accepted standards for this market. On the one hand, the lack of established protocols around IoT security can be a strategic advantage for entrants into the market, and we’ve seen this with early innovators and startups already, such as the case of My Friend Cayla. On the other hand, without standards, vendors have difficulty articulating to potential customers — especially in large organizations — how to handle cyber risks.

The benefits of smart devices are wide-ranging: The IoT-powered communication and analytics have the potential to do more than just add convenience to our daily lives — they could actually radically improve the way we work and live.

However, if consumers perceive that a product puts important personal or company data at risk, that fear will continue to outweigh the benefits. By carefully considering and fighting against cyber risks, IoT innovators can ensure the growth of their market and the growth of IoT benefits in society as a whole. This requires IoT developers to make early investments in cybersecurity capabilities, beyond a sole focus on product design and sale.

About the Author

Mohammad Jalali is a research affiliate at MIT Sloan School of Management and an assistant professor at Harvard Medical School. He tweets @msjalali.