IoT
4/6/2018
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Businesses Fear 'Catastrophic Consequences' of Unsecured IoT

Only 29% of respondents in a new IoT security survey say they actively monitor the risk of connected devices used by third parties.

Businesses' concern about risk from the Internet of Things (IoT) is evolving faster than their security practices, according to a new survey about the danger of third-party devices. Risk management is still relatively immature, and it's posing a threat to sensitive and confidential data, researchers report.

The new survey, conducted by the Ponemon Institute and commissioned by Shared Assessments, polled 605 people who work in risk and corporate governance and who are familiar with their organization's use of IoT devices. Of these, 21% say their business suffered a data breach directly resulting from an unsecured IoT device or application — up from 15% last year.

Connected devices are cluttering the enterprise. Forty-four percent of experts polled say their organization keeps an inventory of IoT devices, and the average number of devices in the workplace is 15,874. Sixty percent of respondents say their business considers IoT devices to be endpoints to their networks or enterprise systems.

"There's an almost universal recognition that the risk associated with IoT devices and apps could create a catastrophic security incident," says Charlie Miller, senior VP of Shared Assessments, echoing the thoughts of 97% of survey respondents.

"The experience they're having with regard to data breaches and attacks is really heightening their awareness," he continues. "The IoT device spectrum represents an increase of that threat vector. There's a fear … that it creates an almost perfect storm for them to be attacked through additional vectors." Yet the data shows businesses aren't taking steps to protect themselves.

More than half (56%) of businesses don't inventory their IoT devices. Of these, 88% say the reason is because there is no centralized control over these devices and applications. Less than 20% say they their organizations can identify a majority of IoT devices in the workplace.

The Danger of Third-Party Risk

As the IoT grows, so does the risk of third-party devices. While businesses are being more diligent about monitoring IoT devices used internally, they often fail to recognize the risk of external devices.

More than 70% of respondents say their business considers third-party risk a serious threat to their valuable assets; 66% claim the importance of the IoT ecosystem significantly increases third-party risk. The number of vendors makes it difficult to manage the complexities of IoT platforms, according to 44%.

Most businesses rely on contract clauses and policies to mitigate third-party IoT risk. More than half (53%) use contractual agreements, and 46% say they have a policy to disable IoT devices that might pose a risk. Even so, less than half can monitor third-party compliance, and nearly 60% say it's not possible to determine whether IoT and third-party safeguards are sufficient. Only 29% say their organizations actively monitor the risk of IoT devices used by third parties.

"There is a big disconnect," says Miller. "We still see immaturity in the third-party risk management IoT space."

Indeed, 77% of businesses believe that within the next two years they'll get hit with a cyberattack caused by a third party's unsecured IoT devices or applications. Three-quarters think they'll experience a data breach. However, 35% don't know if they can detect a third-party breach, and 26% are unsure if their business was affected by a cyberattack involving an IoT device.

Where Risk Management Falls Short

This isn't to say businesses don't have third-party risk management programs; on the contrary, 60% of them do. However, only 28% of these say their programs are highly effective, and most aren't ready to address the risk of IoT devices.

Part of the problem is a gap between those who approve the use of IoT devices and those who manage the risk. Forty-three percent of respondents say the general manager/line-of-business VP approves IoT devices, but 35% say they manage the risk of those devices.

"Typically, it's a federated model," says Miller. "There is a third-party risk management group that oversees, reaches out to control groups, and coordinates responses and gets subject matter experts." Only 49% of businesses have a third-party risk management committee.

Researchers found that the most important risk governance practice is getting leadership on board. Only 17% of businesses report their board of directors has a high engagement and understanding of security risks related to vendors and third parties. Less than 40% say C-level executives believe they are accountable for the effectiveness of the risk management process.

How should businesses shape their risk management programs? Miller advises upgrading inventory systems so you can recognize all devices being used internally and externally. He also suggests assigning someone to be responsible for IoT and communicating that responsibility across the organization.

"Reliance on contract security policies is good, but we need a mechanism to ensure monitoring those requirements is effective and taking place so outliers are identified and mitigated," he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.