May 31, 2017 by Canadian Underwriter
A gap in understanding how best to mitigate and communicate risks around the Internet of Things (IoT) persists despite organizations reporting high concern about related security, notes a new report from Ponemon Institute and Shared Assessments Program.
Released Wednesday, The Internet of Things (IoT): A New Era of Third Party Risk was conducted by independent research firm Ponemon Institute and sponsored by Shared Assessments Program. It details respondent feedback on their perception of IoT risks, the state of current third-party risk management programs, and current practices to defend against cyber attacks.
Findings are based on a Ponemon Institute survey, reflecting responses from 553 individuals in various industries who have a role in the risk management processes.
The annual survey from Ponemon Institute and Shared Assessments Program – which provides third-party risk management solutions – found that 78% of respondents believe a data breach and 76% say a DDoS attack involving an unsecured IoT device is likely to occur within the next two years, notes a program statement.
Couple those concerns with just 44% of respondents saying their organizations have the ability to protect their network or enterprise systems from risky IoT devices, and only 30% reporting that managing third-party IoT risks is a priority in their organizations.
And if that is not enough, findings shed light on a communication gap. Almost seven in 10 of those surveyed report that they do not keep their CEO and board informed about the effectiveness of the third-party risk management program, and 77% are not considering IoT-related risks in their third-party due diligence.
This may be a factor contributing to just 25% of respondents saying their board members require assurances that IoT risks are being assessed, managed and monitored appropriately.
Respondents point to major barriers to minimizing IoT risks, the report states, including a lack of priority, insufficient resources and Boards of Directors that are not fulfilling their oversight responsibilities and making management accountable.
“Because it is not a priority and leadership is not engaged, it is understandable that necessary resources are not being allocated,” the report adds.
“This leaves opportunity and need for board education and oversight best practices,” Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program, says in the program statement.
The findings seem at odds with study participants reporting that they are aware IoT introduces new security risks and vulnerabilities into their organizations.
The understanding gap with regard to IoT risks is especially of concern as it relates to third parties. In all, 67% of respondents say they are not evaluating IoT security and privacy practices before engaging in a business relationship.
“What’s shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
Findings indicate efforts to mitigate third-party risks in the IoT ecosystem are lagging. Polled companies are relying on legacy technologies and governance practices to address potential threat vectors, with 94% saying they still use a traditional network firewall to mitigate threats.
“Such risks include the ability of criminals to harness IoT devices, botnets to attack infrastructure and launch points for malware propagation, SPAM, DDoS attacks and anonymizing malicious activities,” the statement cautions.
“More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyber attacks,” Ponemon maintains.
“Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever,” says Charlie Miller, senior vice president with the Shared Assessments Program.
Avoiding “becoming the next big headline” demands that security tactics evolve along with the threats, Miller emphasizes.
“New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party,” he adds.
The report cites respondents as reporting that the number of IoT devices in their organizations is expected to double in the next two years, from an average of 9,259 to an average of 18,631.
“IoT growth is being driven by the potential to increase efficiencies and improve business outcomes by collecting better data about things in the workplace,” it notes. “However, to ensure the security risks do not outweigh the benefits, new strategies that holistically consider risks in the organization’s entire IoT ecosystem are needed.”