Lack of oversight regarding security of third-party IoT implementation: survey


May 31, 2017   by Canadian Underwriter


Print this page Share

A gap in understanding how best to mitigate and communicate risks around the Internet of Things (IoT) persists despite organizations reporting high concern about related security, notes a new report from Ponemon Institute and Shared Assessments Program.

Released Wednesday, The Internet of Things (IoT): A New Era of Third Party Risk was conducted by independent research firm Ponemon Institute and sponsored by Shared Assessments Program. It details respondent feedback on their perception of IoT risks, the state of current third-party risk management programs, and current practices to defend against cyber attacks.

Findings are based on a Ponemon Institute survey, reflecting responses from 553 individuals in various industries who have a role in the risk management processes.

The annual survey from Ponemon Institute and Shared Assessments Program – which provides third-party risk management solutions – found that 78% of respondents believe a data breach, and 76% a DDoS attack, involving an unsecured IoT device is likely to occur within the next two years, notes a program statement.

An even higher percentage of respondents – 94% – “say it is likely that either incident would be catastrophic,” the report states.

Those concerns sit alongside just 44% of respondents saying their organizations have the ability to protect their network or enterprise systems from risky IoT devices, and only 30% reporting that managing third-party IoT risks is a priority in their organizations.

And if that is not enough, findings shed light on a communication gap. Almost seven in 10 of those surveyed report that they do not keep their CEO and board informed about the effectiveness of the third-party risk management program, and 77% are not considering IoT-related risks in their third-party due diligence.

This may be a factor contributing to just 25% of respondents saying their board members require assurances that IoT risks are being assessed, managed and monitored appropriately.

Respondents point to major barriers to minimizing IoT risks, the report states, including a lack of priority, insufficient resources and Boards of Directors that are not fulfilling their oversight responsibilities and making management accountable.

“Because it is not a priority and leadership is not engaged, it is understandable that necessary resources are not being allocated,” the report adds.

“This leaves opportunity and need for board education and oversight best practices,” Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program, says in the program statement.


The findings seem at odds with study participants reporting that they are aware IoT introduces new security risks and vulnerabilities into their organizations.

The understanding gap with regard to IoT risks is especially of concern as it relates to third parties. In all, 67% of respondents say they are not evaluating IoT security and privacy practices before engaging in a business relationship.

“What’s shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

Findings indicate efforts to mitigate third-party risks in the IoT ecosystem are lagging. Polled companies are relying on legacy technologies and governance practices to address potential threat vectors, with 94% saying they still use a traditional network firewall to mitigate threats.

“Such risks include the ability of criminals to harness IoT devices, botnets to attack infrastructure and launch points for malware propagation, SPAM, DDoS attacks and anonymizing malicious activities,” the statement cautions.

“More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyber attacks,” Ponemon maintains.

“Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever,” says Charlie Miller, senior vice president with the Shared Assessments Program.


Avoiding “becoming the next big headline” demands that security tactics evolve along with the threats, Miller emphasizes.

“New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party,” he adds.

The report cites respondents as reporting that the number of IoT devices in their organizations is expected to double in the next two years, from an average of 9,259 to an average of 18,631.

“IoT growth is being driven by the potential to increase efficiencies and improve business outcomes by collecting better data about things in the workplace,” it notes. “However, to ensure the security risks do not outweigh the benefits, new strategies that holistically consider risks in the organization’s entire IoT ecosystem are needed.”

The report offers a number of recommendations to improve third-party risk management programs so they more effectively address IoT risks, including the following:

  • ensure inclusion of third-party and IoT risks occurs at all governance levels including the board;
  • continue to leverage and enhance contracts and policies and expand scope to include IoT specific requirements;
  • develop specific sourcing and procurement requirements to ensure only IoT devices that are designed with security functions included and enabled are considered for product selection or acquisition;
  • include IoT in communication, awareness and training at all levels: board, executive, corporate, business unit and third-party; and
  • embrace new technologies and innovations, but not at the expense of security, and ensure security controls are included as fundamental and core requirements.