Well over three-quarters (81 per cent) of professionals who work in corporate governance or risk oversight say that a serious data breach caused by an unsecured IoT device is likely to occur in their business in the next two years.
The findings come from a joint report by independent research company Ponemon Institute and the Shared Assessments Program, an industry body that focuses on third-party risk assurance.
The Internet of Things (IoT): A New Era of Third-Party Risk reveals that nearly all respondents – 97 percent – believe that an attack related to unsecured IoT devices could be “catastrophic” for their organisation.
A further 60 percent said they were concerned that the IoT ecosystem is particularly vulnerable to ransomware attacks.
What are they doing about it?
In terms of preventative measures, the survey found that only 28 percent currently include IoT-related risk as part of third-party due diligence, and 49 percent of respondents said they keep no inventory of IoT devices.
More than half (56 percent) don’t keep an inventory of IoT applications either, and a large majority (85 percent) say this is because of a lack of centralised control over these applications.
Other findings include:
• Only 46 per cent of respondents said their company has a policy in place to disable a risky or compromised IoT device.
• Just 29 per cent actively monitor the risks associated with IoT devices from third parties. This is despite almost half of all organisations saying that they actively monitor IoT device risks within the workplace.
The report finds a major disconnect when it comes to third-party risk management practices, and reveals that many companies have fallen behind on assigning accountability too, with 38 percent of respondents admitting that nobody is responsible for reviewing third-party risk management policies and programmes.
There also seems to be a high level of uncertainty about IoT device numbers in the workplace. Only nine percent of respondents said that they are fully aware of all of the devices connected to the internet within their businesses.
In other words, over 90 percent of organisations have no idea how many internet-connected devices exist in their offices.
More than one-quarter (26 percent) admit they are unsure if their organisation has been affected by a cyberattack involving an IoT device. More than one-third (35 percent) said they don’t know if it is even possible to detect a third-party data breach.
“While there’s an increasing awareness about third-party IoT risks, much more work needs to be done to ensure controls minimise the risks these devices pose,” said Charlie Miller, SVP of the Shared Assessments Program.
“With the increasing number of major data breaches, ransomware, and distributed denial of service attacks in the news daily, and senior executives losing their jobs as a result, it’s critical that organisations assign accountability and ownership of IoT-related oversight across their organisation, ensure that IoT security is taken seriously, and educate management at all levels,” he said.
Dr Larry Ponemon, chairman and founder of the Ponemon Institute, said that the bad news is that many organisations are continuing to struggle with the security risks posed by IoT. “They are therefore not prepared to deal with the catastrophic consequences of a breach,” he said.
“To more effectively address IoT risks and improve third-party risk management programmes, companies should take proactive steps to identify and replace inadequate IoT devices, assign accountability for monitoring the use and deployment of IoT devices, and collaborate with appropriate parties to find successful techniques to manage and mitigate third-party IoT device and application risks.”
Internet of Business says
Aside from the plethora of stories about connected cars and 5G testbeds, the dominant theme so far this year has been a woeful, perplexing, and sometimes alarming lack of preparedness for the security dimension of the IoT.
Some organisations have spent large sums of money securing traditional enterprise systems against hostile attack, malware and virus intrusion, or poor internal security processes.
However, while they have been doing so, the IoT has been expanding exponentially, bringing a large variety of different device types into the extended organisation.
Multiple reports have suggested that many such devices are being rushed to market to capitalise on the growing wave of IoT interest, while others may be devices that have never been connected to the internet before, and therefore may lack up-to-date security protocols.
Factor in 5G too – as our in-depth report reveals – and any organisations that believe they have little risk exposure from the IoT may find that snowballing into a huge problem over time. Tackling those issues now is essential.