59% of executives with cybersecurity decision-making responsibility at large and mid-sized companies say that their organizations have lost business due to product security concerns for connected devices and embedded systems, according to a Ponemon Institute survey. The results highlight a growing need to strengthen supply chain security by securing connected devices, including those connected to the Internet of Things (IoT).
45% of respondents’ customers want detailed information about the components of their devices, but only 11% of organizations have high confidence in their ability to respond to those requests.
The survey found that visibility is low into potentially impacted systems: only 27% of respondents say their organizations conduct software composition analysis (SCA) for all connected products’ software and only 30% say their organization can easily generate a software bill of materials (SBOM) for each product.
“Hackers are finding new ways to exploit IoT/connected device vulnerabilities, and this data shows the troubling realization that many organizations are not prepared,” said Matt Wyckhouse, CEO of Finite State.
“It can be easy to overlook the risk, which many companies do until they face a breach or cyberattack. But, the data here shows that security concerns affect organizations’ bottom lines, and a more serious approach to protecting devices is imperative.”
Obstacles to developing secure products
Organizations are finding obstacles to developing secure products. Respondents point to a lack of resources (62%), lack of in-house expertise (60%), and lack of industry standards (46%) as main reasons they’re having trouble, and only 21% of respondents report that their organization has a security supply chain policy.
Other key findings include:
- Only half of respondents report that their organizations assess the security of its products before shipping to customers.
- There’s little consensus about who’s responsible for security, with 40% of respondents saying third-party vendors are most responsible, 31% saying it’s the manufacturers, 15% pointing to end users, and 12% choosing the government.
- 74% of organizations either have or plan to hire a Chief Product Security Officer (CPSO) within the next two years.
- Only 10% of respondents report having full confidence their organizations know all vendors in the supply chain for each of its devices.