Third-party IoT risk management not a priority

With the proliferation of IoT devices used in organizations to support business, technology and operations innovation, respondents to an Ponemon Institute study were asked to evaluate their perception of IoT risks, the state of current third party risk management programs, and governance practices being employed to defend against IoT-related cyber attacks.

Has your organization experienced a data breach or cyber attack caused by unsecured IoT devices or applications in the past 12 months?

This year’s report uncovered an alarming number of respondents who believe their organization will suffer from a catastrophic IoT related attack in the next two years, and shows that many are not properly assessing for third party IoT risks and do not have an accurate inventory of IoT devices. Similar to last year, the report underscores a major disconnect when it comes to third party IoT risk management practices and reveals that many companies have fallen behind on the basics such as assigning accountability and managing inventory over IoT.

The report addresses uncertainties around who is responsible for managing and mitigating third party risks and reveals an over-reliance on third party contracts and policies for IoT risk management. It concludes that current focus is on monitoring internal workplace IoT risks rather than on IoT risks posed by third parties.

The Ponemon Institute surveyed 605 individuals who participate in corporate governance and/or risk oversight activities to determine the following:

The awareness of IoT risks is increasing as IoT adoption continues to grow

• The average number of IoT devices in the workplace is expected to increase to an average of 24,762 devices, up from 15,874 last year.
• 97 percent of respondents say the likelihood of a security incident related to unsecured IoT devices could be catastrophic for their organization and 60 percent are concerned the IoT ecosystem is vulnerable to a ransomware attack.
• 81 percent say that a data breach caused by an unsecured IoT device is likely to occur in the next 24 months.
• Only 28 percent say they currently include IoT-related risk as part of the third party due diligence.

IoT risk management practices are uneven

• Only 45 percent of respondents say they believe it’s possible to keep an inventory of IoT devices. Of that 45 percent, only 19 percent actually have an inventory of at least 50 percent of their IoT devices. 88 percent cite the lack of centralized control as a primary reason for the difficulty of completing and maintaining a full inventory.
• Only 15 percent of survey respondents have an inventory of most of their IoT applications. 85 percent cite the lack of centralized control as a reason why it’s so difficult to maintain a full inventory of IoT applications.
• Only 46 percent say they have a policy in place to disable a risky IoT device within their own organization.
• 60 percent of respondents say their company has a third party risk management program.
• More than half (53 percent) of respondents rely on contractual agreements to mitigate third party IoT risk, but only 26 percent of respondents say their onboarding due diligence process actively evaluates the IoT risk of third parties.

The gap between internal and third party IoT monitoring is substantial

• 71 percent say their organizations consider third party risk a serious threat to high value assets, and 60 percent say they have a third party risk management program.
• 26 percent of respondents admit they are unsure if their organization was affected by a cyber attack involving an IoT device, while 35 percent said they don’t know if it would be possible to detect a third party data breach.
• Almost half of all organizations say they are actively monitoring for IoT device risks within their workplace, but only 29 percent are actively monitoring for third party IoT device risks.
• However, only 9 percent of respondents say they are fully aware of all the physical objects connected to the internet.

Perceptions about business innovation and IoT risks

“The rapid adoption of IoT devices and applications is not slowing down and organizations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks,” said Charlie Miller, Senior Vice President with the Shared Assessments Program. “With the increasing number of major data breaches, ransomware, and DDoS attacks in the news daily, and senior executives losing their jobs as a result, it’s critical that organizations assign accountability and ownership of IoT-related oversight across their organization, ensure that IoT security is taken seriously and educate management at all levels.”

When it comes to reviewing third party risk management policies and programs, accountability isn’t clear – 38 percent of respondents admit that nobody is responsible for reviewing third party risk management policies and programs and only 41 percent of respondents have a regular schedule for reviewing them. Participants in the study indicated that C-level management does not fully understand the risk related to IoT devices used by third party vendors and only 17 percent of respondents say their organizations’ board of directors have a high engagement and understanding of cyber risks relating to vendors or third parties.

“The good news is that some companies are becoming more aware of third party cyber risks and are actually implementing third party risk management programs. The bad news is that many organizations continue to struggle with the security risks posed by IoT, and are therefore not prepared to deal with the catastrophic consequences of a breach,” said Dr. Larry Ponemon, Chairman of the Ponemon Institute. “To more effectively address IoT risks and improve third party risk management programs, companies should take proactive steps to identify and replace inadequate IoT devices, assign accountability for monitoring the use and deployment of IoT devices, and collaborate with appropriate parties to find successful techniques to manage and mitigate third party IoT device and application risks.”