For the third year, the Ponemon Institute has published a report on IoT security and risk management, and this year focused on third party risk and the lack of accountability on the part of too many board members.
IoT-related attacks continue to rise in 2018, with 26 percent of breaches caused by an unsecured IoT device or IoT application. This is nearly double the percentage compared to the prior year (2017).
The Institute’s announcement said, “the actual number may be greater as most organizations are not aware of every unsecure IoT device or application in their environment or from third party vendors.”
The report also shared that less than half of company board members approve programs intended to reduce third party risk, and only 21 percent of board members are highly engaged in security practices and understand third party and cybersecurity risks in general, which is becoming an increasingly significant issue, not just for IoT but for all “digital risk management” as enterprises and organizations are connecting more systems, sharing more data among systems, participating in API-based ecosystems, and generally instrumenting everything.
The report also shares that a stunning 87 percent of respondents say it’s likely their own organizations will experience a cyber-attack such as a DoS attack caused by unsecured IoT devices or applications in the next 24 months, and 84 percent expect their organizations to experience a data breach due to same.
While we all can appreciate the power of partner ecosystems, another revelation is this: “When asked the likelihood their organization will face a data breach or cyber-attack caused by a third party’s unsecured IoT devices or applications, 81 percent expect an attack such as a DoS, and 82 percent anticipate a data breach, up from 77 percent and 75 percent respectively in the previous study.”
“This study proves it’s no longer a matter of if but when and board members of organizations need to pay close attention to the issue of risk when it comes to securing a new generation of IoT devices that have found their way into your network, workplace and supply chain,” said Cathy Allen, founder and CEO of The Santa Fe Group, Santa Fe, NM. “The study shows that there’s a gap between proactive and reactive risk management. The time to address this issue is now and not later.”
We asked experts to share their thoughts on this latest study.
“In this climate, ensuring data security and integrity is everybody’s job,” said Matt Goggin, CMO of Dispersive Networks. “This comes into clear focus when a company’s brand and reputation can be greatly damaged when breaches occur. While management teams and boards can’t be responsible for fully understanding the myriad of technical details CISOs and other tech leaders are tasked with, they are responsible to customers and shareholders for governance as part of risk management. By maintaining a heightened awareness of the current threat environment, and assuring the right measures are taken, the proper investments in cybersecurity will be made, and they will fulfill their responsibilities in a very positive way.”
“The average person is not as sophisticated as the average company, and the average company, as most white hat testing operations will testify, is not as aware as they should be regarding data security, ownership, and privacy,” said Don DeLoach, founder and CEO of Rocket Wagon Venture Studios. “That is changing. To truly address this, though, information will need to be made much more accessible and digestible to the average person, which means automating the assessment of a given environment (building, store, home) and conveying that information in a concise and understandable fashion. That will happen. The market will demand it.”
“If there are devices and servers or applications in an infrastructure that requires configuration changes or maintenance from time to time, privileged, or superuser access is a must for your network management, and IoT is no exception,” said Orhan Yildirim, COO, Krontech. “If a successful attack occurs through a superuser who has access to an IoT network, most probably it will affect a large portion, if not all, of the IoT services, and depending on the application, it creates risks that can include physical harm and even death. Privileged Access Management tools are a requirement for securing IoT services.”
This year’s study shows where improvements are critically needed in the following areas:
- While respondents believe a positive tone at the top is important to minimizing business and third-party risks, few companies represented in this study are making board-level governance an essential part of their risk management program.
- The IoT threat landscape is expanding rapidly; yet many companies are not assigning accountability or ownership to the management of IoT risks.
- Staffing and budgets are not adequate to manage third party IoT risks.
- Third party risk management (TPRM) programs should include IoT risks in order to evolve and mature their practices.
- IoT risk assessment and due diligence must move from TRUST assurance to VERIFY control validation techniques.
- Companies should be prepared for IoT regulatory oversight to rise.
- Most companies do not conduct employee training programs on the risks created by IoT devices.
Founded in 2002 by Dr. Larry Ponemon and Susan Jayson, Ponemon Institute conducts independent research on data protection and emerging information technologies. Ponemon Institute is the parent organization of the Responsible Management (RIM) Council. The RIM Council draws its name for the practice of Responsible Information Management, an ethics-based framework and long-term strategy for managing personal and sensitive employee, customer and business information. Members of the RIM Council represent a cross-section of Fortune 500 companies and are champions of privacy and data protection in their organizations.
A complete copy of the study can be downloaded here.
Edited by
Ken Briodagh
