As companies inch closer to engaging in the Internet of Things (IoT), a level of fear is creeping in, accompanied by a lack of understanding of just what to do when it comes to third parties, a new report found.
Respondents were asked to evaluate their perception of IoT risks, the state of current third party risk management programs, as well as current governance practices to defend against cyberattacks, according to the parameters of the Ponemon Institute survey.
The goal of the report was to understand organizations’ level of awareness and preparedness for the upcoming IoT wave.
The Ponemon Institute surveyed 553 people in various industries who have a role in the risk management processes within their organizations, and found:
• 76 percent say a distributed denial of services (DDoS) attack involving an unsecured IoT device is likely to occur within the next two years.
• 94 percent of those surveyed noted a security incident related to unsecured IoT devices or applications could be catastrophic.
• 69 percent of respondents do not keep their chief executive and board informed about the effectiveness of the third-party risk management program.
• 44 percent said their organization has the ability to protect their network or enterprise systems from risky IoT devices.
• 77 percent of respondents are not considering IoT-related risks in their third party due diligence.
• 67 percent of those surveyed are not evaluating IoT security and privacy practices before engaging in a business relationship.
“More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyberattacks,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “What’s shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments.”
Participants in the study said they are aware IoT introduces new security risks and vulnerabilities into their organizations.
“From our research findings, it appears only 25 percent of respondents say that their boards require assurances that IoT risks are being assessed, managed and monitored appropriately. This leaves opportunity and need for board education and oversight best practices,” said Catherine Allen, chairman and chief executive of The Santa Fe Group, and corporate board director.
Other efforts to mitigate third party risks in the IoT ecosystem are lagging. Companies are relying on legacy technologies and governance practices to address potential threat vectors, with 94 percent indicating they still use a traditional network firewall to mitigate threats, according to the research. Such risks include the ability of criminals to harness IoT devices as botnets that attack infrastructure, and as launch points for malware propagation, spam, DDoS attacks and anonymizing malicious activities.
“Ready or not, IoT third party risk is here. Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever,” said Charlie Miller, senior vice president with the Shared Assessments Program, which sponsored the survey. “In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats. New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party. Avoiding these problems can no longer be the solution.”