Managing Third-Party Risks and Internet of Things
Managing Third-Party Risks and Internet of Things
When it comes to dealing with third-party risks and the internet of things, many companies are relying on outmoded technologies and practices.
Major Barriers to Addressing IoT Risks
A lack of priority.
Insufficient resources.
Boards aren’t filling oversight responsibilities.
The need to make management accountable
Managing Third-Party IoT Risks
Only 30% of respondents said managing third-party IoT risks is a priority. Because it is not a priority—and leadership is not engaged—needed resources are not allocated.
IoT Devices Expected to Double
The number of IoT devices is expected to double in the next two years, from an average of 9,259 to 18,631 per organization. This is driven by the potential to increase efficiencies and improve business outcomes by collecting better data.
Pace of Innovation and Standards
72% of respondents said the pace of innovation in IoT and varying standards for security among third parties make it hard to safeguard the security of these devices and applications.
The Need for New Approaches
The drive for innovation requires new approaches to IT strategies and tactics, respondents said, and 61% said cloud adoption is driven in part by the need to innovate in the IoT ecosystem.
Too Many Cooks
42% of respondents said the large number of vendors they use makes it difficult to manage the complexity of IoT platforms.
Third-Party Risk Programs Need Work
56% of respondents have a third-party risk management program. Of these, only 24% rate theirs as highly effective.
Neglecting the CEO and Board
69% of respondents don’t inform their CEO and board about the effectiveness of their third-party risk management program.
Causes for Lack of Communication
Provide information only if a breach involves third-party management: 56%.
It’s not a priority for the CEO and board: 51%.
Decisions about third-party risk management aren’t relevant to the CEO and board: 47%
Problems With Third-Party IoT Governance
56% of respondents said it is not possible to determine whether third-party safeguards and IoT security policies are sufficient to prevent data breaches.
Why Governance Programs Are Inadequate, Part I
Programs don’t include the secure use of IoT devices in training and awareness programs: 81%.
Programs don’t evaluate IoT security risks during onboarding: 80%.
Programs don’t consider IoT-related risks in the third-party due diligence process: 77%
Why Governance Programs Are Inadequate, Part II
Programs don’t require third parties to have insurance for IoT security risks: 70%.
Programs don’t evaluate IoT security and privacy practices for engaging in a business relationship: 67%.
Programs don’t require third parties to identify IoT devices that connect to their network: 59%
Problems Tracking IoT-Connected Objects
72% are aware of only some objects connected to the internet.
55% consider IoT devices to be endpoints.
Only 44% monitor the risk of IoT devices used in the workplace.
