October is Cybersecurity Awareness Month – in step with this first week’s focus on internet-connected devices and “empowering users to own their role in security by taking steps to reduce risks,” this blogpost examines what enterprise organizations need to understand about third-party and supply chain risk in IoT environments. This post offers a list of specific questions Security Leaders and Risk Managers need to ask when purchasing or subscribing to IoT Products and Services. (Our other blogposts supporting Cybersecurity Awareness include “Securing Internet-Connected Devices in Healthcare” and “Future of Connected Devices”.)
Shared Assessments’ A New Roadmap for Third Party IoT Risk Management, a collaborative study with the Ponemon Institute, reports that current IoT risk management programs are not keeping pace with the dramatic increase in IoT-related risks, a shortcoming that represents a clear and expanding threat to most organizations.
With steep expansion in use of IoT devices across all industries, awareness of IoT risks within organizations is relatively high – but that awareness has not translated into sufficient improvements in IoT risk management, specifically in the areas of staff expertise, budget and training both internally and for third parties.
As outsourcers and their third parties have pivoted to Work From Home (WFH) during the COVID-19 pandemic, cyber risk vulnerabilities and cyberattacks targeting home-based networks and consumer-based IoT devices have increased. (Microsoft’s new annual Digital Defense Report highlights that IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.)
With the growing threat of IoT risk outlined above, what are the potential consequences of not addressing the threat in a strategic fashion? IoT threats including malware, passive wiretapping, war driving, zero-day exploits, unencrypted IoT data transmission and exposure to production networks increase the likelihood of:
To mitigate the potentially negative outcomes of unsecured IoT across the enterprise in normal times and pandemic times, best practices for managing third-party IoT risk are provided below:
Below are the specific questions security leaders and risk managers need to be asking when purchasing/subscribing to IoT products and services: