Businesses Fear Catastrophic Consequences of Unsecured IoT

  /     /     /  
Publicated : 22/11/2024   Category : security


Businesses Fear Catastrophic Consequences of Unsecured IoT


Only 29% of respondents in a new IoT security survey say they actively monitor the risk of connected devices used by third parties.



Businesses concern about risk from the Internet of Things (IoT) is evolving faster than their security practices, according to a new survey about the danger of third-party devices. Risk management is still relatively immature, and its posing a threat to sensitive and confidential data, researchers report.
The new survey
, conducted by the Ponemon Institute and commissioned by Shared Assessments, polled 605 people who work in risk and corporate governance and who are familiar with their organizations use of IoT devices. Of these, 21% say their business suffered a data breach directly resulting from an unsecured IoT device or application — up from 15% last year.
Connected devices are cluttering the enterprise. Forty-four percent of experts polled say their organization keeps an inventory of IoT devices, and the average number of devices in the workplace is 15,874. Sixty percent of respondents say their business considers IoT devices to be endpoints to their networks or enterprise systems.
Theres an almost universal recognition that the risk associated with IoT devices and apps could create a catastrophic security incident, says Charlie Miller, senior VP of Shared Assessments, echoing the thoughts of 97% of survey respondents.
The experience theyre having with regard to data breaches and attacks is really heightening their awareness, he continues. The IoT device spectrum represents an increase of that threat vector. Theres a fear … that it creates an almost perfect storm for them to be attacked through additional vectors. Yet the data shows businesses arent taking steps to protect themselves.
More than half (56%) of businesses dont inventory their IoT devices. Of these, 88% say the reason is because there is no centralized control over these devices and applications. Less than 20% say they their organizations can identify a majority of IoT devices in the workplace.
The Danger of Third-Party Risk
As the IoT grows, so does the risk of third-party devices. While businesses are being more diligent about monitoring IoT devices used internally, they often fail to recognize the risk of external devices.
More than 70% of respondents say their business considers third-party risk a serious threat to their valuable assets; 66% claim the importance of the IoT ecosystem significantly increases third-party risk. The number of vendors makes it difficult to manage the complexities of IoT platforms, according to 44%.
Most businesses rely on contract clauses and policies to mitigate third-party IoT risk. More than half (53%) use contractual agreements, and 46% say they have a policy to disable IoT devices that might pose a risk. Even so, less than half can monitor third-party compliance, and nearly 60% say its not possible to determine whether IoT and third-party safeguards are sufficient. Only 29% say their organizations actively monitor the risk of IoT devices used by third parties.
There is a big disconnect, says Miller. We still see immaturity in the third-party risk management IoT space.
Indeed, 77% of businesses believe that within the next two years theyll get hit with a cyberattack caused by a third partys unsecured IoT devices or applications. Three-quarters think theyll experience a data breach. However, 35% dont know if they can detect a third-party breach, and 26% are unsure if their business was affected by a cyberattack involving an IoT device.
Where Risk Management Falls Short
This isnt to say businesses dont have third-party risk management programs; on the contrary, 60% of them do. However, only 28% of these say their programs are highly effective, and most arent ready to address the risk of IoT devices.
Part of the problem is a gap between those who approve the use of IoT devices and those who manage the risk. Forty-three percent of respondents say the general manager/line-of-business VP approves IoT devices, but 35% say they manage the risk of those devices.
Typically, its a federated model, says Miller. There is a third-party risk management group that oversees, reaches out to control groups, and coordinates responses and gets subject matter experts. Only 49% of businesses have a third-party risk management committee.
Researchers found that the most important risk governance practice is getting leadership on board. Only 17% of businesses report their board of directors has a high engagement and understanding of security risks related to vendors and third parties. Less than 40% say C-level executives believe they are accountable for the effectiveness of the risk management process.
How should businesses shape their risk management programs? Miller advises upgrading inventory systems so you can recognize all devices being used internally and externally. He also suggests assigning someone to be responsible for IoT and communicating that responsibility across the organization.
Reliance on contract security policies is good, but we need a mechanism to ensure monitoring those requirements is effective and taking place so outliers are identified and mitigated, he says.
Related Content:
Sears & Delta Airlines Are Latest Victims of Third-Party Security Breach
Supply Chain Attacks Could Pose Biggest Threat to Healthcare
How to Build a Cybersecurity Incident Response Plan
Four Gas Pipeline Firms Hit in Attack on Their EDI Service Provider
Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda 
here
. Register with Promo Code DR200 and save $200.

Last News

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Businesses Fear Catastrophic Consequences of Unsecured IoT