If you think your organization is taking oversight of third-party IoT implementations seriously, think again. According to a recent study by security research firm the Ponemon Institute, in conjunction with the Shared Assessments Program, few organizational boards require IoT risk assurances from third parties, providing CIOs a great opportunity to take a leadership position on IoT.
"From our research findings, it appears only 25 percent of respondents say that their boards require assurances that IoT risks are being assessed, managed and monitored appropriately," says Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program, an industry-standard body focused on third-party risk assurance. "This leaves opportunity and need for board education and oversight best practices."
The study, The Internet of Things (IoT): A New Era of Third Party Risk found that 94 percent of respondents believed a security incident related to unsecured IoT devices or applications could be catastrophic to the business â a significant disconnect given that only a quarter of boards require updates on oversight of IoT risks.
Charlie Miller, senior vice president with the Shared Assessments Program, believes those two findings represent a gap in understanding between professionals on the ground and the executive management and board level of organizations.
"We recognize there's risk at the mid- to lower-levels of management," Miller says. "But the messaging is really not getting moved up the chain, so to speak. There's potential for a catastrophic event, but the risks are not dealt with at the board and executive levels of management. That's a big challenge for CIOs to get that messaging presented and articulated at the right levels of management so it can be resourced effectively."
The study, based on a survey of 553 CIOs, CISOs, chief risk officers and others that have a role in risk management processes (in a range of industries) found that:
- 76 percent of respondents believe a distributed denial of service attack involving an unsecured IoT device is likely to occur within the next two years.
- 69 percent of respondents do not keep their CEO and board informed about the effectiveness of the third-party risk management program.
- Only 44 percent say their organization has the ability to protect their network or enterprise systems from risky IoT devices.
- 77 percent are not considering IoT-related risks in their third-party due diligence.
- 67 percent are not evaluating IoT security and privacy practices before engaging in a business relationship.
"More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyberattacks," says Larry Ponemon, chairman and founder of the Ponemon Institute. "What's shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments."
Part of the issue, Ponemon says, is that IoT is increasingly affecting the enterprise in a very broad way, leaving responsibility for oversight to fall through the cracks.
"The issue of IoT is very broad," he says. "Obviously, there's a role for CIOs, and CISOs as well, but it may not be based on the way an organization wants to govern the risk. It may fall more with the line of business. It might be more of a business function than a compliance or risk management function."
And the business may conclude that it's the third-party partner's job to secure IoT devices, while third parties believe the responsibility lies with the company making use of those devices.
"It's important to ensure the governance structure articulates who owns this IoT device," Miller says. "Is it sole ownership by the IT organization, a shared partnership with procurement or other parties, etc.? Often there's a lack of visibility into the types and number of devices that are already attached to the network. That's where you need clear CIO understanding. 'What is there and what do we need to do to manage that better? We don't think the policies and contractual arrangements cover all this.' Clearly they need to be updated to cover these kinds of solutions."
The report concludes that organizations need to better understand the inherent risks posed by IoT devices in their supply chain, ensure IoT security is taken seriously, and educate management at all levels â including governing boards â that IoT security concerns need to be integrated into the device design/build phases of product development.
Specific recommendations include:
- Ensure inclusion of third-party and IoT risks occurs at all governance levels, including the board.
- Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all the inventoried devices; if devices have inadequate security controls, replace them.
- Review contracts and policies for IoT-specific requirements and update them to include such requirements if necessary.
- Expand third-party assessment techniques and processes to include controls specific to IoT devices.
- Develop specific sourcing and procurement requirements around security of IoT devices.
- Devise new strategies and technologies for reducing threats posed by IoT devices.
- Collaborate with experts, peers, associations and regulators to develop, communicate and implement best practices for IoT risk management.
- Include IoT in communication, awareness and training at all levels, including the board, executive, corporate, business unit and third parties.
- Recognize that your organization is increasingly dependent on technology to support the business and the risk posed by this dependence.
- Embrace new technologies and innovations, but ensure security controls are included as fundamental and core requirements.