Only 37% of high-performing organizations monitor the risk of IoT devices used by third parties, and current IoT risk management programs are failing to keep up, according to the study.
According to the fourth annual IoT study from the Ponemon Institute and Shared Assessments, most companies don't know what options are available to track and protect their third-party Internet of Things (IoT) providers. The report provided new insights into the increasing use of IoT devices in supply chains and the resulting risk.
The experts interviewed have primary responsibility for their organization's third-party risk management (TPRM), and the interviews offered insights into the state and "thinking" of the business in relation to TPRM.
It is also very evident that there is an "acute need to improve IoT risk management" as companies' current IoT risk management programs chase increasing risks. Only 37% track third-party IoT exposure and 61% forecast IoT-related data loss.
"Many of the better performers in this year's study still have some way to go to achieve the level of IoT security hygiene that we all want," said Gary Roboff, Santa Fe Group's senior advisor, Shared Assessments.
The report highlighted the critical need to increase accountability, authority and engagement within the company, particularly among those who lead the TPRM department.
Small but significant changes in four years
The report, A New Roadmap for Third Party IoT Risk Management, included a graph that shows the differences between 2017, 2018, 2019 and 2020 in terms of IoT and TPRM. This year definitely shows an increase. Agreement with the statement "The rise of the Internet of Things significantly increases the risk of third parties for my company" was 71% for 2020, 68% for 2019 and 66% for 2018 (2017 figures were not available).
A large number of organizations agreed that "it is not possible to determine whether third-party safeguards and IoT security policies are sufficient to prevent data breaches." The results were 59% in 2020, 55% in 2019, 58% in 2018 and 56% in 2017.
The report examined the problem and found that it was caused by the following factors: major expansion of IoT devices; lack of a centralized IoT risk management program; and lack of involvement of the highest authority.
Even the most powerful companies need to improve their IoT risk management skills, and about 25% said that these more powerful companies "implement and apply leading risk management practices to the use of IoT much more frequently".
Research is, of course, a good way to focus on the challenges of risk management within the increasingly complex IoT ecosystem.
IoT increases will continue
Respondents expect the number of IoT devices they rely on to double in the next few years, although most respondents said that unsecured IoT devices are increasingly "materially disruptive." However, almost six out of ten say they do not know whether their third-party controls can actively meet their needs.
With the growing number of IoT devices, bad actors are more likely to access a company's sensitive data, and the result is that IoT risk management becomes a "very complicated" undertaking. So many IoT devices can also enable distributed denial-of-service (DDoS) attacks, which makes the risk mitigation schedule even more pressing.
Know the type of security that your company has
There is a general lack of knowledge or tools to indicate which IoT devices are adequately secure, and the actual number of violations and cyber attacks associated with IoT devices is likely to be much higher than the number of events reported.
Groups that identify themselves as "more powerful" (164 are referred to as such) make up around 33% of those surveyed and rate their own ability to manage IoT and other third-party risks as "highly effective". However, this shows that IoT hygiene practices in the vast majority of companies need to be significantly improved.
"As the proliferation and consumerization of embedded technologies, including IoT devices, continues to evolve, new security gaps and risks are being introduced," said Rocco Grillo, general manager of global cyber risk services at Alvarez & Marsal. "This is especially true when the use of IoT devices is extended to third parties, fourths or even more, when it is not known where the use of IoT devices is expanded or these extensions are not managed."