Most IT pros fear IoT cyber attacks. Few are doing anything about it.

A report from Ponemon Research and Shared Assessments suggests a major disconnect when it comes to IoT security
Written by Greg Nichols, Contributing Writer

In a recent survey about IoT security, researchers found that 97 percent of respondents believe unsecured IoT devices could be catastrophic for their organization, yet just 29 percent actively monitor for related third-party risks.

Those are top-line results of a textured report out today that reveals growing awareness about IoT security threats but far-reaching inaction when it comes to defending against third-party related threats.

The authors of the new report, The Internet of Things (IoT): A New Era of Third-Party Risk, are the Ponemon Institute, an independent research firm focused on privacy, data protection, and information security policy, and the Shared Assessments Program, the industry-standard body on third-party risk assurance.

Also: What is your company doing with IoT devices? | Why your business needs to build a digital double | An IoT 'crime harvest' is coming unless security problems are fixed | TechRepublic: 97% of risk pros say IoT cyberattack would be 'catastrophic' for their business

Researchers asked more than 600 respondents about their perception of IoT risks and third-party risk management programs, as well as the strategies being employed by their organizations to defend against IoT-related cyber attacks.

"The rapid adoption of IoT devices and applications is not slowing down and organizations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks," said Charlie Miller, Senior Vice President with the Shared Assessments Program, whose organization chose to partner with Ponemon on the new research, following up a similar survey conducted a year ago.

Of striking concern is a lack of clear accountability when it comes to third-party IoT risk management.

A full 38 percent of respondents indicated that nobody in their organization is responsible for reviewing the risk-management policies of third-party vendors, suggesting a troubling leap of faith.

The problem is compounded by the fact that, as many respondents indicated, C-level managers often don't understand cyber-risks related to third-party vendors.

The full report is worth leafing through, but here are some takeaways supplied by Ponemon. These may be useful for building a case for tighter security protocols to manage third-party IoT risk in your organization.

The Awareness of IoT Risks is Increasing as IoT Adoption Continues to Grow

● The average number of IoT devices in the workplace is expected to increase by nearly 9,000 to an average of 24,762 devices.

● 97 percent of respondents say an attack related to unsecured IoT devices could be catastrophic for their organization and 60 percent are concerned the IoT ecosystem is vulnerable to a ransomware attack.

● 81 percent say that a data breach caused by an unsecured IoT device is likely to occur in the next 24 months.

● Only 28 percent say they currently include IoT-related risk as part of the third-party due diligence.

IoT Risk Management Practices Are Uneven

● 49 percent of respondents do not keep an inventory of IoT devices and 56 percent do not keep an inventory of IoT applications, with 85 percent citing this is because of a lack of centralized control over these applications.

● More than half (53 percent) of respondents rely on contractual agreements to mitigate third-party IoT risk, and only 46 percent say they have a policy in place to disable a risky IoT device.

● 60 percent of respondents say their company has a third-party risk management program, but only 29 percent actively monitor for the risk of IoT devices used by third-parties.

The Gap between Internal and Third-Party IoT Monitoring Is Substantial

● 71 percent say their organizations consider third-party risk a serious threat to high value assets, and 60 percent say they have a third-party risk management program.

● 26 percent of respondents admit they are unsure if their organization was affected by a cyber attack involving an IoT device, while 35 percent said they don't know if it would be possible to detect a third-party data breach.

● Almost half of all organizations say they are actively monitoring for IoT device risks within their workplace, but only 29 percent are actively monitoring for third-party IoT device risks.

● However, only 9 percent of respondents say they are fully aware of all the physical objects connected to the internet.

Editorial standards