The Internet of Things (IoT) and Industrial IoT (IIoT) are beginning to see some real momentum, particularly in industries such as manufacturing, healthcare, and retail. More and more devices, equipment, vehicles, buildings, and other objects are being equipped with sensors and connected, enabling the sharing of data that provides useful insights for businesses.
Security has always been a concern with IoT, and that has not gone away as more organizations launch projects. In fact, security issues are likely to become even more complex as businesses work with partners throughout their supply chains in efforts to create “smarter” environments and more efficient processes.
A new report from research firm Ponemon Institute and the Shared Assessments Program, a group of risk management authorities, emphasizes the “acute need for IoT risk management improvement, as most organizations do not know what tracking and safeguards their third parties have in place.”
The study, “Third Party Internet of Things Risk Management,” said current IoT risk management programs are not keeping pace with the dramatic increase in IoT-related risks. This is a shortcoming that represents a clear and expanding threat to most organizations, it said.
The IoT risk problem is fueled by the steep expansion in connected devices, the lack of a centralized IoT risk management program, and the lack of involvement by the most senior leadership, the report said.
“The soaring number of IoT devices that can provide access to sensitive organizational data conspires to make IoT risk management a highly convoluted undertaking,” the study noted. “In addition, the availability of an increasing number of IoT devices to exacerbate distributed denial of service attacks adds even greater urgency to the risk mitigation timeline.”
As part of its research, Ponemon Institute surveyed 630 individuals at companies of all sizes and across most industries who are familiar with the use of IoT devices in their organization and participate in corporate governance or risk oversight activities. Of the total sample, 164 respondents self-identified as “higher performers” with regard to IoT risk (they are significantly more likely to implement leading risk management practices and apply them to IoT use), while 466 did not.
Ponemon Institute notes that the survey was conducted in November 2019, prior to the Covid-19 pandemic, and as such does not include any risks related to IoT devices that might be used to support individuals working from home. Therefore, no consumer IoT devices or applications were included in responses provided.
Based on the results, even the high-performing organizations need to enhance many aspects of their IoT risk management capabilities, according to the report.
Clearly, the gap between understanding and practice needs to be closed, said Charlie Miller, senior advisor at the Santa Fe Group, a strategic advisory firm and part of the Shared Assessments Program.
“The study underscores a major disconnect between the authority and involvement that survey respondents say is needed from their boards of directors, and the actual governance exhibited today,” Miller said. “It’s increasingly imperative that organizations get ahead of the problem and address IoT risks before a major disruptive event, not after one.”
As this study makes clear, swift improvements are needed throughout most IoT risk management programs and third-party risk management (TPRM) in general. The areas where improvements are needed include governance, risk and asset management practices, and resource allocation.
Survey respondents expect the number of IoT devices they rely on to effectively double within the next two years. Most of the respondents indicated that unsecured IoT devices are increasingly likely to have materially disruptive consequences; yet nearly 60% also acknowledge they do not know whether third-party controls are adequate.
Because most organizations report lacking both the awareness and the tools needed to identify which IoT devices are adequately secured, the actual number of breaches and cyber attacks linked to IoT devices is likely significantly higher than the number of events reported.
Only the self-identified higher performers, roughly a quarter of respondents, rate their ability to manage IoT and other third-party risks as “highly effective.” This indicates that IoT hygiene practices in the vast majority of organizations need significant improvement, the study said.
The report recommended several steps for improving IoT risk mitigation:
Organizations need to bridge the gap between understanding and practice. Current IoT risk governance is characterized by inadequate risk management structures, resources, attention, and mitigation techniques.
They need to develop a stronger risk culture. Individuals throughout the IoT ecosystem should better understand the threats posed by the technology, and organizations must ensure that IoT security is taken seriously by management at all levels.
They also need more IoT risk management accountability. A mature IoT risk management structure is essential to ensuring that the security of the IoT technologies meets defined risk tolerances.
Finally, organizations need a more effective IoT control validation paradigm, structured on a “trust, but verify” model. Today, companies rely on third-party contracts and policy reviews, placing attention on the trust element of IoT controls without adequate verification.