
Who’s Responsible for IoT Security? (Part 3 of 3)

In Part 1 of this blog series, we talked about why updates matter and the security gap between what consumers expect and what IoT devices actually provide. In Part 2, we looked at how programs like the U.S. Cyber Trust Mark and conformity assessment help verify that cybersecurity claims are real. That leaves one more question: who’s actually responsible for keeping your connected devices secure?

The Manufacturer’s Role in Cybersecurity

Manufacturers who take cybersecurity seriously invest in secure development practices from the design phase, not as an afterthought. They build devices with the ability to receive updates. They establish formal vulnerability disclosure programs so that when a flaw is discovered, there’s a clear process for reporting it and a commitment to addressing it. They also provide documentation that helps customers understand how to configure and maintain their devices securely.

NIST has emphasized that non-technical supporting activities like documentation, patching commitments, and post-sale communication are foundational manufacturer responsibilities, not optional extras. A device that can receive an update is only as good as the manufacturer’s willingness to send one.

The Role of Independent Evaluation in IoT Security

Manufacturers can and should make cybersecurity commitments, but those commitments carry more weight when they’ve been independently verified. This is the role that conformity assessment bodies play: evaluating whether a manufacturer’s cybersecurity practices actually meet recognized standards.

Accreditation bodies like ANAB ensure that those evaluators are qualified to make that judgment, creating a layered system of trust and accountability. The manufacturer builds the product, an independent body evaluates whether the product and the practices behind it meet established standards, and an accreditation body confirms that the evaluator is competent and impartial. Each layer reinforces the others.

The Consumer’s Role in IoT Security

Consumers play a role in this too. Applying updates when they’re available, retiring devices that are no longer supported, placing lesser-known devices on a separate network, and paying attention to whether a manufacturer has a track record of post-sale support are all practical steps that reduce risk.

Choosing products that carry the U.S. Cyber Trust Mark, checking the NIST National Vulnerability Database (NVD) for known issues, and looking for products evaluated by accredited certification bodies are ways to make more informed purchasing decisions. None of these steps require deep technical knowledge, but they do require a bit of awareness.

Security Is a System, Not a Feature

IoT cybersecurity falls on everyone involved. Manufacturers need to design secure products and maintain them over time. Independent evaluators need to assess whether those practices meet recognized standards. Accreditation bodies need to ensure the evaluators are up to the task. Consumers need to stay engaged with the devices they bring into their homes and workplaces.

So yes, update your IoT device, but know that the update itself is only as good as the cybersecurity practices behind it. Independent conformity assessment and accreditation help ensure those practices are real, consistent, and trustworthy. The next time your device asks to update, there’s a system of accountability working behind the scenes to keep your connected world secure.
