In spite of growing awareness, the study demonstrates that IoT risk management capabilities still require significant upgrades within nearly all companies.
Risk management is a discipline that covers just about every area of the enterprise, from information technology systems to data security to workers’ compensation claims. However, enterprises are only starting to wake up to the potential risks they face from the Internet of Things (IoT). We’re talking about more than 40 million devices connected to businesses within the next five years.
Let’s face it, a good chunk of the IoT consists of edge devices and data maintained by others, outside the corporate walls. We hope these outside parties pay attention to the upkeep of their devices and the quality of the data they deliver. That reliance extends to security as well, and this is where the IoT gets tricky: the enterprise inherits the security posture of devices it neither configures nor patches, and it has little direct visibility into how they are maintained.
In spite of growing awareness, the study demonstrates that IoT risk management capabilities in the workplace and among third parties still require significant upgrades across all industries and within nearly all companies.
This is the takeaway from the Ponemon Institute’s Third Party Internet of Things (IoT) Risk Management study, which surveyed 630 executives, of whom three-quarters acknowledge that third-party IoT risks pose a serious threat to their high-value data assets.
Known data breaches caused by unsecured devices have doubled since 2017, the Ponemon report states. In addition, close to nine out of 10 survey respondents expect their company to experience a cyber attack or data breach caused by unsecured IoT devices or applications in the next two years.
The report also points to a strong need for identifying and implementing best practices in this space: 74% of respondents say their IoT risk management programs are failing to keep pace with the risks posed by the ubiquitous use of IoT devices both internally and externally.
The Ponemon report’s authors make the following recommendations for ensuring greater security across the IoT spectrum:
Bridge the gap between understanding and practice. “Current IoT risk governance is characterized by inadequate risk management structures, resources, attention, and mitigation techniques. All of these shortcomings reveal IoT vulnerabilities both within outsourcing organizations and among their third parties.”
Develop a stronger risk culture. “Individuals throughout the IoT ecosystem should better understand the threats posed by the technology. Organizations need to ensure that IoT security is taken seriously by management at all levels — up to and including governing boards.”
Adopt greater accountability for IoT risks. “A mature IoT risk management structure is essential to ensure that the security of the IoT technologies meets defined risk tolerances. The threat landscape presented by the IoT ecosystem is expanding rapidly, yet too few companies have assigned accountability and ownership of IoT-related oversight across their organizations — and few boards are challenging organizational leaders to do so.”
Put more effective IoT control evaluation in place. “A move is needed toward a control validation paradigm that is structured on a ‘trust-but-verify’ model. Today, companies rely on third-party contracts and policy reviews, placing attention on the Trust element of IoT device and application controls without adequate verification.”