Managing Third-Party Risks and Internet of Things
When it comes to dealing with third-party risks and the internet of things, many companies are relying on outmoded technologies and practices.
A lack of priority.
Insufficient resources.
Boards aren’t fulfilling their oversight responsibilities.
The need to make management accountable.
Only 30% of respondents said managing third-party IoT risks is a priority. Because it is not a priority—and leadership is not engaged—needed resources are not allocated.
The number of IoT devices is expected to double in the next two years, from an average of 9,259 to 18,631 per organization. This is driven by the potential to increase efficiencies and improve business outcomes by collecting better data.
72% of respondents said the pace of innovation in IoT and varying standards for security among third parties make it hard to safeguard the security of these devices and applications.
The drive for innovation requires new approaches to IT strategies and tactics, respondents said, and 61% said cloud adoption is driven in part by the need to innovate in the IoT ecosystem.
42% of respondents said the large number of vendors they use makes it difficult to manage the complexity of IoT platforms.
56% of respondents have a third-party risk management program. Of these, only 24% rate theirs as highly effective.
69% of respondents don’t inform their CEO and board about the effectiveness of their third-party risk management program.
Provide information only if a breach involves third-party management: 56%.
It’s not a priority for the CEO and board: 51%.
Decisions about third-party risk management aren’t relevant to the CEO and board: 47%.
56% of respondents said it is not possible to determine whether third-party safeguards and IoT security policies are sufficient to prevent data breaches.
Programs don’t include the secure use of IoT devices in training and awareness programs: 81%.
Programs don’t evaluate IoT security risks during onboarding: 80%.
Programs don’t consider IoT-related risks in the third-party due diligence process: 77%.
Programs don’t require third parties to have insurance for IoT security risks: 70%.
Programs don’t evaluate IoT security and privacy practices for engaging in a business relationship: 67%.
Programs don’t require third parties to identify IoT devices that connect to their network: 59%.
72% are aware of only some objects connected to the internet.
55% consider IoT devices to be endpoints.
Only 44% monitor the risk of IoT devices used in the workplace.