IoT
4/6/2018
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Businesses Fear 'Catastrophic Consequences' of Unsecured IoT

Only 29% of respondents in a new IoT security survey say they actively monitor the risk of connected devices used by third parties.

Businesses' concern about risk from the Internet of Things (IoT) is evolving faster than their security practices, according to a new survey about the danger of third-party devices. Risk management is still relatively immature, and it's posing a threat to sensitive and confidential data, researchers report.

The new survey, conducted by the Ponemon Institute and commissioned by Shared Assessments, polled 605 people who work in risk and corporate governance and who are familiar with their organization's use of IoT devices. Of these, 21% say their business suffered a data breach directly resulting from an unsecured IoT device or application — up from 15% last year.

Connected devices are cluttering the enterprise. Forty-four percent of experts polled say their organization keeps an inventory of IoT devices, and the average number of devices in the workplace is 15,874. Sixty percent of respondents say their business considers IoT devices to be endpoints to their networks or enterprise systems.

"There's an almost universal recognition that the risk associated with IoT devices and apps could create a catastrophic security incident," says Charlie Miller, senior VP of Shared Assessments, echoing the thoughts of 97% of survey respondents.

"The experience they're having with regard to data breaches and attacks is really heightening their awareness," he continues. "The IoT device spectrum represents an increase of that threat vector. There's a fear … that it creates an almost perfect storm for them to be attacked through additional vectors." Yet the data shows businesses aren't taking steps to protect themselves.

More than half (56%) of businesses don't inventory their IoT devices. Of these, 88% say the reason is because there is no centralized control over these devices and applications. Less than 20% say they their organizations can identify a majority of IoT devices in the workplace.

The Danger of Third-Party Risk

As the IoT grows, so does the risk of third-party devices. While businesses are being more diligent about monitoring IoT devices used internally, they often fail to recognize the risk of external devices.

More than 70% of respondents say their business considers third-party risk a serious threat to their valuable assets; 66% claim the importance of the IoT ecosystem significantly increases third-party risk. The number of vendors makes it difficult to manage the complexities of IoT platforms, according to 44%.

Most businesses rely on contract clauses and policies to mitigate third-party IoT risk. More than half (53%) use contractual agreements, and 46% say they have a policy to disable IoT devices that might pose a risk. Even so, less than half can monitor third-party compliance, and nearly 60% say it's not possible to determine whether IoT and third-party safeguards are sufficient. Only 29% say their organizations actively monitor the risk of IoT devices used by third parties.

"There is a big disconnect," says Miller. "We still see immaturity in the third-party risk management IoT space."

Indeed, 77% of businesses believe that within the next two years they'll get hit with a cyberattack caused by a third party's unsecured IoT devices or applications. Three-quarters think they'll experience a data breach. However, 35% don't know if they can detect a third-party breach, and 26% are unsure if their business was affected by a cyberattack involving an IoT device.

Where Risk Management Falls Short

This isn't to say businesses don't have third-party risk management programs; on the contrary, 60% of them do. However, only 28% of these say their programs are highly effective, and most aren't ready to address the risk of IoT devices.

Part of the problem is a gap between those who approve the use of IoT devices and those who manage the risk. Forty-three percent of respondents say the general manager/line-of-business VP approves IoT devices, but 35% say they manage the risk of those devices.

"Typically, it's a federated model," says Miller. "There is a third-party risk management group that oversees, reaches out to control groups, and coordinates responses and gets subject matter experts." Only 49% of businesses have a third-party risk management committee.

Researchers found that the most important risk governance practice is getting leadership on board. Only 17% of businesses report their board of directors has a high engagement and understanding of security risks related to vendors and third parties. Less than 40% say C-level executives believe they are accountable for the effectiveness of the risk management process.

How should businesses shape their risk management programs? Miller advises upgrading inventory systems so you can recognize all devices being used internally and externally. He also suggests assigning someone to be responsible for IoT and communicating that responsibility across the organization.

"Reliance on contract security policies is good, but we need a mechanism to ensure monitoring those requirements is effective and taking place so outliers are identified and mitigated," he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17283
PUBLISHED: 2018-09-21
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Inject...
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.