Organizations Don’t Know What They Don’t Know About Internet of Things Risk
In a chilling interrogation video, a suspect describes hacking into Silicon Valley startup Aupticon via a third party weak point and an inviting Internet of Things (IoT) security hole. “They scanned most of the network,” he says matter-of-factly. “They didn’t scan the thermostat.” The hacker also notes that he scored 75 bitcoins (north of $800,000 at today’s exchange rate) for swiping and selling proprietary blueprints stored on the self-driving car company’s server.
Happily, the episode is fictional. Cisco produced this video dramatization, “Anatomy of an IoT attack,” to draw attention to the magnitude of IoT risks. Far more attentiveness and stronger IoT risk management practices are needed, judging from the Ponemon Institute’s annual study of third party IoT risk. The survey’s findings show that executives with corporate governance and risk oversight responsibilities are largely unaware of the extent of the risks that IoT poses to their companies and to their third party partners.
If this comes as a surprise, you’re hardly alone.
What Companies Don’t Know about IoT Risks
Ponemon Institute’s research defines IoT as the physical objects – such as network-connected printers, building automation solutions or thousands of other “things” – embedded with electronics, software, sensors and network connectivity, which enable these objects to collect, monitor and exchange data. The 2019 survey findings are based on responses from 625 individuals who participate in corporate governance and/or risk oversight activities and who are familiar with or have responsibilities in managing third party risks associated with the use of IoT devices in their organization. All organizations that participated in this research have a third party risk management program and an enterprise risk management program.
Despite having these capabilities in place, the survey findings show that IoT risk management tends to get short shrift within companies and among organizations’ third-party vendors. Some of the most notable trends the study examines include:
3 Ways to Mitigate IoT Risks
Those and other IoT risk management shortcomings should be addressed quickly. Fortunately, survey respondents appear aware of this need: 84 percent of respondents indicate that it is “very likely” that their company will experience a data breach caused by an IoT device or application. Plus, organizations have notched commendable progress in managing third party IoT risk during the past three years. Only one-third of respondents to our 2017 survey indicated that they evaluated IoT security and privacy practices within third parties before engaging them; this year, 40 percent of respondents say their companies do so.
Still, more progress is needed. Fortunately, the steps required to improve IoT risk management inside companies and among third parties are relatively straightforward. One of the most important steps is to treat IoT assets, and the risks they pose, in the same manner in which organizations manage other IT assets and their attendant risks:
By drawing attention to IoT risks in the organization and among third party partners, decision-makers can help keep their companies far away from one more, rapidly expanding category of content – actual news reports of damaging hacks enabled by IoT security gaps.