Businesses' concern about risk from the Internet of Things (IoT) is evolving faster than their security practices, according to a new survey about the danger of third-party devices. Risk management is still relatively immature, and it's posing a threat to sensitive and confidential data, researchers report.
The new survey, conducted by the Ponemon Institute and commissioned by Shared Assessments, polled 605 people who work in risk and corporate governance and who are familiar with their organization's use of IoT devices. Of these, 21% say their business suffered a data breach directly resulting from an unsecured IoT device or application — up from 15% last year.
Connected devices are cluttering the enterprise. Forty-four percent of experts polled say their organization keeps an inventory of IoT devices, and the average number of devices in the workplace is 15,874. Sixty percent of respondents say their business considers IoT devices to be endpoints to their networks or enterprise systems.
"There's an almost universal recognition that the risk associated with IoT devices and apps could create a catastrophic security incident," says Charlie Miller, senior VP of Shared Assessments, echoing the thoughts of 97% of survey respondents.
"The experience they're having with regard to data breaches and attacks is really heightening their awareness," he continues. "The IoT device spectrum represents an increase of that threat vector. There's a fear … that it creates an almost perfect storm for them to be attacked through additional vectors." Yet the data shows businesses aren't taking steps to protect themselves.
More than half (56%) of businesses don't inventory their IoT devices. Of these, 88% say the reason is because there is no centralized control over these devices and applications. Less than 20% say they their organizations can identify a majority of IoT devices in the workplace.
The Danger of Third-Party Risk
As the IoT grows, so does the risk of third-party devices. While businesses are being more diligent about monitoring IoT devices used internally, they often fail to recognize the risk of external devices.
More than 70% of respondents say their business considers third-party risk a serious threat to their valuable assets; 66% claim the importance of the IoT ecosystem significantly increases third-party risk. The number of vendors makes it difficult to manage the complexities of IoT platforms, according to 44%.
Most businesses rely on contract clauses and policies to mitigate third-party IoT risk. More than half (53%) use contractual agreements, and 46% say they have a policy to disable IoT devices that might pose a risk. Even so, less than half can monitor third-party compliance, and nearly 60% say it's not possible to determine whether IoT and third-party safeguards are sufficient. Only 29% say their organizations actively monitor the risk of IoT devices used by third parties.
"There is a big disconnect," says Miller. "We still see immaturity in the third-party risk management IoT space."
Indeed, 77% of businesses believe that within the next two years they'll get hit with a cyberattack caused by a third party's unsecured IoT devices or applications. Three-quarters think they'll experience a data breach. However, 35% don't know if they can detect a third-party breach, and 26% are unsure if their business was affected by a cyberattack involving an IoT device.
Where Risk Management Falls Short
This isn't to say businesses don't have third-party risk management programs; on the contrary, 60% of them do. However, only 28% of these say their programs are highly effective, and most aren't ready to address the risk of IoT devices.
Part of the problem is a gap between those who approve the use of IoT devices and those who manage the risk. Forty-three percent of respondents say the general manager/line-of-business VP approves IoT devices, but 35% say they manage the risk of those devices.
"Typically, it's a federated model," says Miller. "There is a third-party risk management group that oversees, reaches out to control groups, and coordinates responses and gets subject matter experts." Only 49% of businesses have a third-party risk management committee.
Researchers found that the most important risk governance practice is getting leadership on board. Only 17% of businesses report their board of directors has a high engagement and understanding of security risks related to vendors and third parties. Less than 40% say C-level executives believe they are accountable for the effectiveness of the risk management process.
How should businesses shape their risk management programs? Miller advises upgrading inventory systems so you can recognize all devices being used internally and externally. He also suggests assigning someone to be responsible for IoT and communicating that responsibility across the organization.
"Reliance on contract security policies is good, but we need a mechanism to ensure monitoring those requirements is effective and taking place so outliers are identified and mitigated," he says.
Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio