Authorities on Risk Assurance
The Shared Assessments Blog
In our digital age, everything is connected. Cars can drive themselves, Planes can fly themselves, and your Refrigerator can use the internet to tell you if you are out of milk and eggs when you are at the grocery store. The era of connectivity and immediacy of data has created a new worldwide web out of normal everyday devices. The concept of “Internet of Things” or IoT, has created functionality and convenience, but can also introduce new risks to our ecosystem.
Common definitions of IoT include (from Wikipedia) “the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data” and (from OWASP), “the proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data”. IoT is a game changer to consumerism, but also a game changer to the hacktivist. It changes our thinking about risk in typically non-risky areas of our lives, or of our workplace.
Identifying risks in the IoT ecosystem and managing or mitigating them can be daunting for the risk professional. The norms of criticality, materiality, and critical infrastructure don’t equate when the risk is in a benign system or device. Dealing with these risks impacts not only the organizations’ who leverage technology but requires organizations to adopt their viewpoints on third party risk.
This past month a joint research project by the Ponemon Institute and Shared Assessments Program was released to focus on the Internet of Things: A New Era of Third-Party Risk. The report highlights are shown in this infographic. The sheer volume or proliferation of connective devices is expected to double in two years; creating more challenges on how to monitor and contain risk. Key themes that emerged from the survey show the concerns risk professionals face:
- 78% believe loss or theft of data could be caused by IoT
- 76% think a cyber-attack could be executed through IoT
- 69% of risk managers don’t regularly report to the C-Suite and Board the effectiveness or maturity of third-party risk oversight programs.
Some of the challenges in enabling security for IoT requires a multi-layered approach. Not all organizations consider IoT devices to be endpoints and may not be monitored, inventoried, or tracked like asset management. Technology will evolve, as do controls. Key areas of focus to assist with maturity risk management for IoT include:
- Integrate IoT into third party risk management reporting
- Enhance asset management processes and inventory systems
- Assess contracts and policies
- Expand third party controls to identify risks/controls unique to IoT devices
- Broaden security and awareness training to include IoT themes
Web site standards have long been developed by industry groups, and collaboration to enhance the world-wide web. The OWASP top 10 threats have been table stakes in securing traditional web applications and eCommerce sites. When I first started in web development and eCommerce, the threats we phased were mild in comparison and complexity to our vastly connected world today. The OWASP group has expanded their tool sets and risk focus as IoT has evolved and they have created the OWASP Internet of Things Project to provide free tools to industry members on how to assess and address the risks of IoT.
We need to continue to embrace technology – the advances make up for the risks, it simply requires industry collaboration and the evolution of our risk viewpoints and perspectives, to ensure we look at risk and third party risk from a multi-dimensional point of view.
The full survey report can be downloaded from www.sharedassessments.org.
OWASP tools can be seen at https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project.
Linnea Solem Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs