Unsecured third-party IoT devices could pose major risks for organizations
According to new research, 97 percent of respondents believe unsecured IoT devices could be catastrophic for their organization, yet just 29 percent actively monitor for related third-party risks.
The study, conducted by the Ponemon Institute and risk assurance body Shared Assessments, shows that 81 percent of respondents say a data breach caused by an unsecured IoT device is likely to occur in the next two years.
The average number of IoT devices in the workplace is expected to increase to 24,762, up from 15,874 last year. Yet 49 percent of respondents don't keep an inventory of IoT devices and 56 percent don't keep an inventory of IoT applications. 85 percent say this is because of a lack of centralized control over these applications.
60 percent are concerned the IoT ecosystem is vulnerable to a ransomware attack, yet more than half (53 percent) of respondents rely on contractual agreements to mitigate third-party IoT risk, and only 46 percent say they have a policy in place to disable a risky IoT device.
There are also some worrying findings surrounding third-party IoT devices. 26 percent of respondents admit they are unsure if their organization has been affected by a cyber attack involving an IoT device, while 35 percent say they don't know if it would be possible to detect a third-party data breach. Almost half of all organizations say they are actively monitoring for IoT device risks within their workplace, but only 29 percent are actively monitoring for third-party IoT device risks. Only nine percent of respondents say they are fully aware of all the physical objects connected to the internet.
"The rapid adoption of IoT devices and applications is not slowing down and organizations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks," says Charlie Miller, senior vice president with the Shared Assessments Program. "We partnered with the Ponemon Institute to once again uncover the gaps and complexities associated with IoT third-party risk management practices and to see what's changed over the past year. We found that while there's an increasing awareness about third-party IoT risks, much more work needs to be done to ensure controls minimize the risks these devices pose. With the increasing number of major data breaches, ransomware, and distributed denial of service attacks in the news daily, and senior executives losing their jobs as a result, it's critical that organizations assign accountability and ownership of IoT-related oversight across their organization, ensure that IoT security is taken seriously and educate management at all levels."
Participants in the study indicated that C-level management does not fully understand the risk related to IoT devices used by third-party vendors, and only 17 percent of respondents say their organization's board of directors has a high engagement and understanding of cyber risks relating to vendors or third parties.
You can read more about the findings in the full report available from the Shared Assessments site.