Managing Third-Party Risks and Internet of Things
When it comes to dealing with third-party risks and the internet of things, many companies are relying on outmoded technologies and practices.
Major Barriers to Addressing IoT Risks
A lack of priority. Insufficient resources. Boards aren't filling oversight responsibilities. The need to make management accountable.
Managing Third-Party IoT Risks
Only 30% of respondents said managing third-party IoT risks is a priority. Because it is not a priority—and leadership is not engaged—needed resources are not allocated.
IoT Devices Expected to Double
The number of IoT devices is expected to double in the next two years, from an average of 9,259 to 18,631 per organization. This is driven by the potential to increase efficiencies and improve business outcomes by collecting better data.
Pace of Innovation and Standards
72% of respondents said the pace of innovation in IoT and varying standards for security among third parties make it hard to safeguard the security of these devices and applications.
The Need for New Approaches
The drive for innovation requires new approaches to IT strategies and tactics, respondents said, and 61% said cloud adoption is driven in part by the need to innovate in the IoT ecosystem.
Too Many Cooks
42% of respondents said the large number of vendors they use makes it difficult to manage the complexity of IoT platforms.
Third-Party Risk Programs Need Work
56% of respondents have a third-party risk management program. Of these, only 24% rate theirs as highly effective.
Neglecting the CEO and Board
69% of respondents don't inform their CEO and board about the effectiveness of their third-party risk management program.
Causes for Lack of Communication
Provide information only if a breach involves third-party management: 56%. It's not a priority for the CEO and board: 51%. Decisions about third-party risk management aren't relevant to the CEO and board: 47%.
Problems With Third-Party IoT Governance
56% of respondents said it is not possible to determine whether third-party safeguards and IoT security policies are sufficient to prevent data breaches.
Why Governance Programs Are Inadequate, Part I
Programs don't include the secure use of IoT devices in training and awareness programs: 81%. Programs don't evaluate IoT security risks during onboarding: 80%. Programs don't consider IoT-related risks in the third-party due diligence process: 77%.
Why Governance Programs Are Inadequate, Part II
Programs don't require third parties to have insurance for IoT security risks: 70%. Programs don't evaluate IoT security and privacy practices for engaging in a business relationship: 67%. Programs don't require third parties to identify IoT devices that connect to their network: 59%.
Problems Tracking IoT-Connected Objects
72% are aware of only some objects connected to the internet. 55% consider IoT devices to be endpoints. Only 44% monitor the risk of IoT devices used in the workplace.
Efforts to mitigate third-party risks in the internet of things ecosystem are lagging, despite recognition that the IoT introduces new security risks and vulnerabilities, according to a new study. Companies rely on technologies and practices that have not evolved to address emergent IoT threat factors, according to "The Internet of Things: a New Era of Third-Party Risk," conducted by the Ponemon Institute and sponsored by Shared Assessments. "Risks include the ability of criminals to harness IoT devices such as botnets to attack infrastructure and launch points for malware propagation, spam, DDoS attacks and on anonymizing malicious activities," the report stated.
Ninety-four percent of the individuals surveyed said it is very likely, somewhat likely or likely that a security incident related to unsecured IoT devices or applications could be catastrophic. Seventy-eight percent have the same certainty of loss or theft of data caused by insecure IoT devices or applications, and 76 percent have the same certainty of a cyber-attack caused by these devices.
Respondents included 553 individuals who have a role in the risk management process and are familiar with the IoT devices in their organization. Following are more highlights.