Data & Cybersecurity, Internet of Things (IoT)

Third Party Risks – A Cascading Convergence – 2021 Perspectives

In a recent report on the future of cybersecurity risks, The Wall Street Journal published a Top 10 list of systems and devices that hackers will attack in the coming decade. Santa Fe Group Senior Advisor Charlie Miller has been talking about most of these targets for years — especially those that connect to the Internet of Things (IoT) — and how these pertain to third party risks.

Miller, the driving force behind the ongoing Shared Assessments/Ponemon Institute IoT risk management research, advocates for closing the gap between those charged with managing third party IoT risk, their TPRM and IT security teams, and their Boards of Directors. This governance gap exists in many organizations, and the disconnect became far more problematic the moment COVID-19 struck.

“The massive shift to working at home during the pandemic has been transformational in terms of IoT risk management,” Miller emphasizes. “Smart refrigerators, thermostats, and baby monitors now pose risks to corporate information security. Those devices usually operate on the same Wi-Fi networks remote workers use to connect to corporate systems and data.”

New IoT risks, as well as the risks from existing IoT devices being used in new industries, are among four TPRM areas to which Miller expects practitioners to devote significant resources in 2021:

  1. Minding IoT risk management and regulatory gaps: As more state and federal regulators consider updating data security and privacy rules that affect the use of connected devices, Miller is concerned that these requirements will apply primarily to newly manufactured devices rather than to the millions of existing devices that have been retrofitted with connected sensors. Few of those legacy IoT devices — picture a video-recording system or an elevator — were designed with a long connected service life in mind, and they cannot be conveniently updated with the latest patches, data security, and privacy features. New IoT regulations that neglect these legacy devices would ignore a primary source of IoT risk within organizations and their third parties. There are also gaps in IoT risk management knowledge and capabilities in industries where IoT adoption continues to surge, such as health care, retail, and hospitality. “Think about all of the RFID tags used to monitor inventory, manage pricing, and replenish merchandise in a retail environment,” Miller says. “All of those new devices bring with them new risk exposures.” Industries that are relatively new to IoT adoption also tend to transmit unencrypted data — a practice that pervades just about every sector except financial services.
  2. Cascading risks: COVID-19’s economic disruptions have intensified TPRM professionals’ focus on the financial health of key suppliers. The pandemic has also raised the stakes for the business continuity management (BCM) and underlying resilience capabilities of third parties and Nth parties — at a time when geopolitical and climate-related risks are increasing. “The need to assess cascading risks will get more attention as questions about the financial viability of companies throughout the supply chain arise due to failures to control those risks,” Miller notes.
  3. Technology convergence warrants continuous monitoring: IoT is far from the only advanced technology whose use, and whose data volumes, are soaring. Artificial intelligence (AI) applications continue to proliferate; 5G cellular networks will greatly increase the volume and speed of data transmissions throughout the world; and quantum computing lurks on the horizon. “The convergence of emerging technologies makes it extremely difficult for companies to keep pace with the amount of data that needs to be assessed and managed from a controls perspective,” Miller explains. “The convergence is driving the need for continuous monitoring approaches and solutions — not only to identify where risks exist, but to mitigate risks as they are identified.” Miller notes that continuous monitoring solutions are beginning to leverage advanced analytics and AI to anticipate potential risks before those threats materialize. He encourages TPRM professionals to keep an eye on the event horizon. “We all need to be more attuned to where potential risks, control weaknesses, and vulnerabilities may come from before they strike the organization, including those that originate through third party vendors,” Miller adds. “The largest of those risks need to be escalated through the organization’s governance structure to the chief risk officer and the board.”
  4. Financial services and insurance industry third party risks hit home: The swift and widespread shift to remote work occurred across all industries during the early weeks of the global pandemic, when social distancing and shutdown measures limited in-person contact. Within the TPRM profession, these restrictions prompted a widespread move from onsite verifications to virtual reviews of third parties’ risk management capabilities. Regulators have yet to catch up with work-from-home models, especially in the insurance industry, where individual states issue compliance requirements. “Relatively few insurance regulators have modified their expectations concerning what controls need to be in place for remote working conditions, or how those controls should be verified virtually,” Miller reports. “In the financial services industry, procurement functions were under intense pressure to get technology in place to support remote operations. Their compliance functions had requirements that were specific to physical corporate environments, which will need to be reconsidered and updated for remote environments.”


As we enter 2021, Miller suggests that TPRM professionals consider several means of reducing IoT-related risks, including:

  • Use software solutions to assist with inventorying, classifying and securing connected IoT devices;
  • Implement network segmentation (microsegmentation) to isolate smart IoT devices that run operating systems no longer supported by their vendor (e.g., Windows 7, or Windows 10 releases past end of servicing) and that cannot be upgraded for security;
  • Ensure you know who owns the procurement and use of IoT in your organization and at the third parties you use;
  • Before purchasing consumer “smart” IoT devices, verify that they have adequate security features, and configure them (e.g., change the default password) before connecting them to your home network.
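The inventory, segmentation and ownership bullets above can be wired together in a small script. The following is an added example written for this page, not code from the article or from Shared Assessments. The inventory rows, the corporate subnet 10.10.0.0/16, the vendor and model names, and the support-end dates are all constructed for illustration (check real end-of-support dates against the vendor's lifecycle pages). The script reads a device list, flags devices whose operating system is past vendor support and devices with no named owner, and renders an nftables ruleset that blocks the flagged devices from initiating connections into the corporate network.

```python
"""Inventory-driven IoT quarantine policy (added example, not from the article).

Reads a device inventory, flags devices whose OS is past vendor support or that
have no named owner, and renders an nftables snippet that stops the flagged
devices from initiating connections into the corporate network.
"""
import csv
import io
from datetime import date

# Constructed inventory (assumption: a discovery/asset tool exports this).
# The os_support_end values are illustrative; confirm against vendor lifecycle pages.
INVENTORY_CSV = """ip,mac,vendor,model,os,os_support_end,owner
10.20.0.11,00:11:22:33:44:01,Acme,DVR-200,Windows 7 Embedded,2020-01-14,Facilities
10.20.0.12,00:11:22:33:44:02,Acme,Elevator-CTL,VxWorks 6.9,2022-12-31,
10.20.0.13,00:11:22:33:44:03,Contoso,Thermostat-X,Linux 4.19,2024-12-31,Facilities
10.20.0.14,00:11:22:33:44:04,Fabrikam,HMI-Panel,Windows 10 1809,2020-11-10,Operations
"""

CORP_NET = "10.10.0.0/16"  # assumed corporate subnet to be protected


def load_inventory(text):
    """Parse the CSV into dicts; empty owner becomes None, dates become date objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["os_support_end"] = date.fromisoformat(row["os_support_end"])
        row["owner"] = row["owner"].strip() or None
    return rows


def classify(device, today):
    """Return the set of findings for one device.

    'unsupported-os' -> candidate for quarantine (segmentation bullet).
    'no-owner'       -> nobody accountable for patching/procurement (ownership bullet).
    """
    findings = set()
    if device["os_support_end"] < today:
        findings.add("unsupported-os")
    if device["owner"] is None:
        findings.add("no-owner")
    return findings


def assess(rows, today):
    """Map each device IP to its findings."""
    return {row["ip"]: classify(row, today) for row in rows}


def assess_csv(text, today_iso):
    """Convenience entry point: CSV text plus ISO date -> findings dict."""
    return assess(load_inventory(text), date.fromisoformat(today_iso))


def render_nftables(findings):
    """Render an nftables table that keeps quarantined devices out of CORP_NET.

    'ct state established,related accept' comes first so that sessions the
    corporate side initiates (e.g. a management console polling the device)
    still get their replies; only device-initiated traffic into CORP_NET is dropped.
    """
    quarantined = sorted(ip for ip, f in findings.items() if "unsupported-os" in f)
    out = ["table inet iot {", "  set quarantined {", "    type ipv4_addr"]
    if quarantined:  # nft rejects an empty 'elements = { }' clause, so omit it
        out.append("    elements = { " + ", ".join(quarantined) + " }")
    out += [
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        f'    ip saddr @quarantined ip daddr {CORP_NET} log prefix "iot-quarantine " drop',
        "  }",
        "}",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = assess_csv(INVENTORY_CSV, "2021-01-15")
    for ip, f in findings.items():
        print(ip, sorted(f) or "ok")
    print(render_nftables(findings))
```

The rendered table can be loaded with `nft -f`. In practice the `quarantined` set would be refreshed from the discovery tool on a schedule rather than written by hand, and the "no-owner" finding should go to whoever owns the procurement process, since an ownerless device has no one to approve its patching or its retirement.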