Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
4/6/2018
04:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Businesses Fear 'Catastrophic Consequences' of Unsecured IoT

Only 29% of respondents in a new IoT security survey say they actively monitor the risk of connected devices used by third parties.

Businesses' concern about risk from the Internet of Things (IoT) is evolving faster than their security practices, according to a new survey about the danger of third-party devices. Risk management is still relatively immature, and it's posing a threat to sensitive and confidential data, researchers report.

The new survey, conducted by the Ponemon Institute and commissioned by Shared Assessments, polled 605 people who work in risk and corporate governance and who are familiar with their organization's use of IoT devices. Of these, 21% say their business suffered a data breach directly resulting from an unsecured IoT device or application — up from 15% last year.

Connected devices are cluttering the enterprise. Forty-four percent of experts polled say their organization keeps an inventory of IoT devices, and the average number of devices in the workplace is 15,874. Sixty percent of respondents say their business considers IoT devices to be endpoints to their networks or enterprise systems.

"There's an almost universal recognition that the risk associated with IoT devices and apps could create a catastrophic security incident," says Charlie Miller, senior VP of Shared Assessments, echoing the thoughts of 97% of survey respondents.

"The experience they're having with regard to data breaches and attacks is really heightening their awareness," he continues. "The IoT device spectrum represents an increase of that threat vector. There's a fear … that it creates an almost perfect storm for them to be attacked through additional vectors." Yet the data shows businesses aren't taking steps to protect themselves.

More than half (56%) of businesses don't inventory their IoT devices. Of these, 88% say the reason is because there is no centralized control over these devices and applications. Less than 20% say they their organizations can identify a majority of IoT devices in the workplace.

The Danger of Third-Party Risk

As the IoT grows, so does the risk of third-party devices. While businesses are being more diligent about monitoring IoT devices used internally, they often fail to recognize the risk of external devices.

More than 70% of respondents say their business considers third-party risk a serious threat to their valuable assets; 66% claim the importance of the IoT ecosystem significantly increases third-party risk. The number of vendors makes it difficult to manage the complexities of IoT platforms, according to 44%.

Most businesses rely on contract clauses and policies to mitigate third-party IoT risk. More than half (53%) use contractual agreements, and 46% say they have a policy to disable IoT devices that might pose a risk. Even so, less than half can monitor third-party compliance, and nearly 60% say it's not possible to determine whether IoT and third-party safeguards are sufficient. Only 29% say their organizations actively monitor the risk of IoT devices used by third parties.

"There is a big disconnect," says Miller. "We still see immaturity in the third-party risk management IoT space."

Indeed, 77% of businesses believe that within the next two years they'll get hit with a cyberattack caused by a third party's unsecured IoT devices or applications. Three-quarters think they'll experience a data breach. However, 35% don't know if they can detect a third-party breach, and 26% are unsure if their business was affected by a cyberattack involving an IoT device.

Where Risk Management Falls Short

This isn't to say businesses don't have third-party risk management programs; on the contrary, 60% of them do. However, only 28% of these say their programs are highly effective, and most aren't ready to address the risk of IoT devices.

Part of the problem is a gap between those who approve the use of IoT devices and those who manage the risk. Forty-three percent of respondents say the general manager/line-of-business VP approves IoT devices, but 35% say they manage the risk of those devices.

"Typically, it's a federated model," says Miller. "There is a third-party risk management group that oversees, reaches out to control groups, and coordinates responses and gets subject matter experts." Only 49% of businesses have a third-party risk management committee.

Researchers found that the most important risk governance practice is getting leadership on board. Only 17% of businesses report their board of directors has a high engagement and understanding of security risks related to vendors and third parties. Less than 40% say C-level executives believe they are accountable for the effectiveness of the risk management process.

How should businesses shape their risk management programs? Miller advises upgrading inventory systems so you can recognize all devices being used internally and externally. He also suggests assigning someone to be responsible for IoT and communicating that responsibility across the organization.

"Reliance on contract security policies is good, but we need a mechanism to ensure monitoring those requirements is effective and taking place so outliers are identified and mitigated," he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27941
PUBLISHED: 2021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the...
CVE-2021-29203
PUBLISHED: 2021-05-06
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gai...
CVE-2021-31737
PUBLISHED: 2021-05-06
emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php.
CVE-2020-28198
PUBLISHED: 2021-05-06
** UNSUPPORTED WHEN ASSIGNED ** The 'id' parameter of IBM Tivoli Storage Manager Version 5 Release 2 (Command Line Administrative Interface, dsmadmc.exe) is vulnerable to an exploitable stack buffer overflow. Note: the vulnerability can be exploited when it is used in "interactive" mode wh...
CVE-2021-28665
PUBLISHED: 2021-05-06
Stormshield SNS with versions before 3.7.18, 3.11.6 and 4.1.6 has a memory-management defect in the SNMP plugin that can lead to excessive consumption of memory and CPU resources, and possibly a denial of service.