Survey: Organizations Struggle to Deal With IoT Security Risks

By Edward Gately


A new survey shows a high rate of concern among organizations about the security of the Internet of Things (IoT), yet a gap in understanding how to mitigate and communicate the risks, especially as it relates to third parties.

That’s according to “The Internet of Things (IoT): A New Era of Third Party Risk” by the Ponemon Institute and the Shared Assessments Program. The annual survey included more than 550 people in industries such as financial services, health care and others, who have a role in the risk management processes within their organizations.

Charlie Miller, senior vice president at Shared Assessments/The Santa Fe Group, tells Channel Partners that IT professionals have an important opportunity to educate their boards about the importance of IoT risk management, both within the four walls of their organization and with third parties who provide support for critical activities.

“Making IoT security an important part of organizational risk culture from the top down will make it far easier to obtain the right resources (both people and dollars) to build an effective IoT risk management program,” he said. “Headline-making, IoT-enabled distributed denial of service (DDoS) attacks should reinforce the risk magnitude. IT professionals are uniquely equipped, and have enormous experience in integrating technologies into business processes and operations to ensure the appropriate controls are in place. Educating critical stakeholders and to reinforce the urgency of stepping up IoT risk management efforts is clearly a role that IT channel can participate and as appropriate lead industry IoT standards and collaboration efforts.”

Among the key findings:

Seventy-six percent said a DDoS attack involving an unsecured IoT device is likely to occur within the next two years.

Ninety-four percent said a security incident related to unsecured IoT devices or applications could be catastrophic.

Sixty-nine percent do not keep their CEO and board informed about the effectiveness of the third-party risk management program.

Only 44 percent said their organization has the ability to protect their network or enterprise systems from risky IoT devices.

Seventy-seven percent are not considering IoT-related risks in their third party due diligence.

Sixty-seven percent are not evaluating IoT security and privacy practices before engaging in a business relationship.

Participants in the study indicated they are ...