October is Cybersecurity Awareness Month – in step with this first week’s focus on internet-connected devices and “empowering users to own their role in security by taking steps to reduce risks,” this blogpost examines what enterprise organizations need to understand about third-party and supply chain risk in IoT environments. This post offers a list of specific questions Security Leaders and Risk Managers need to ask when purchasing or subscribing to IoT Products and Services. (Our other blogposts supporting Cybersecurity Awareness include “Securing Internet-Connected Devices in Healthcare” and “Future of Connected Devices“.)
Shared Assessments’ A New Roadmap for Third Party IoT Risk Management, a collaborative study with the Ponemon Institute, reports that current IoT risk management programs are not keeping pace with the dramatic increase in IoT-related risks; a shortcoming that represents a clear and expanding threat to most organizations.
With steep expansion in use of IoT devices across all industries, awareness of IoT risks within organizations is relatively high – but that awareness has not translated into sufficient improvements in IoT risk management, specifically in the areas of staff expertise, budget and training both internally and for third parties.
As outsourcers and their third parties have pivoted to Work From Home (WFH) during COVID 19 pandemic, cyber risk vulnerabilities and cyberattacks targeting home-based networks and consumer based IoT devices have increased. (Microsoft’s new annual Digital Defense Report highlights that IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.)
With the growing threat of IoT risk outlined above, what are the potential consequences of not addressing the threat in a strategic fashion? IoT threats including malware, passive wiretapping, war driving, zero-day exploits, undecrypted IoT data transmission and exposure to production networks increase the likelihood of:
- Disruption to operations and ability to meet and deliver client services
- Instability of the supply chain
- Reputational and brand damage
- Regulatory fines (NIST, several states including California (California SB-327) and EU laws and regulators call for manufacturers to improve the security of IoT devices prior to their release.)
To mitigate the potentially negative outcomes of unsecured IoT across the enterprise in normal times and pandemic times, best practices for managing third-party IoT risk are provided below:
- Vetting Vendors through IoT Risk Due Diligence Questions
- Clearly defining IoT accountabilities and policies
- Vetting all IoT devices and applications against security standards
- Weeding out insecure devices
- Maintaining a complete IoT inventory, and require third parties to do the same
- Placing IoT devices on dedicated networks and monitoring 24/7
- Including IoT in incident response plans
- Executing a complete IoT due diligence regime for third parties
Below are the specific questions security leaders and risk managers need to be asking when purchasing/subscribing to IoT products and services:
- Has the IoT device been certified?
- Have we performed due diligence on the vendor and examined their IoT hygiene?
- Review Third Party’s written IoT-related policies and procedures.
- Conduct an audit of the vendor’s IoT security and privacy practices.
- Obtain a Third Party Risk Control Self-Assessment (RCSA) control questionnaire (i.e., Due Diligence Questionnaire) that includes IoT-related items.
- Obtain evidence of security certification such as ISO 27001, PCI, NIST, SOC 2 and others.
- Conduct a proprietary onsite or virtual visit to validate control procedures.
- Do we know our IoT inventory?
- Are we sure of the functions the device(s) will perform and the sensitivity of the data to be collected and transferred?