Report: Most companies unaware of third-party IoT security measures

Only 37% of “high performer” organizations monitor the risk of IoT devices used by third parties, and current IoT risk-management programs can’t keep pace, study said.

Internet of things, wireless communication network, abstract image visual.

Image: Getty Images/iStockphoto

More about IoT

Most organizations are unaware of what tracking and safeguarding their third-party Internet of Things (IoT) vendors have in place, according to the fourth annual IoT study by the Ponemon Institute and Shared Assessments. The report provided new insight into the growing deployment of IoT devices across supply chains and the ensuing risk. 

Professionals whose main responsibilities lie in their organization’s third-party risk-management (TPRM) were surveyed, giving insight into the state and “mind-set” of business in regards to TPRM.

SEE: Research: Why Industrial IoT deployments are on the rise (TechRepublic Premium)

Improvement needed

It’s also very evident that there is an “acute need for IoT risk management improvement,” because an organization’s current IoT risk-management programs are chasing the mounting risks. Only 37% track third-party IoT exposure, and 61% predicted IoT-related data loss. 

SEE: Inside UPS: The logistics company’s never-ending digital transformation (free PDF) (TechRepublic)

“Many of the better performers in this year’s study still have a considerable distance to travel to reach the level of IoT security hygiene we’d all like to see,” said Gary Roboff, senior advisor, Santa Fe Group, Shared Assessments.

The report stressed a critical need to elevate accountability, authority, and engagement within the company, and specifically, those who lead its TPRM department.


Image: Ponemon/SharedAssessments

Small but significant changes in four years

The report, A New Roadmap for Third Party IoT Risk Management, offered up a chart chronicling the differences between 2017, 2018, 2019, and 2020 in IoT and TPRM, and this year definitely shows an increase. The responses to “the rise in IoT significantly increases third-party risk for my organization” showed 71% in agreement for 2020, with 68% for 2019, and 66% for 2018 (figures weren’t available for 2017).

A large number of organizations agreed that “it’s not possible to determine whether third-party safeguards and IoT security policies are sufficient to prevent a data breach,” and the results were 59% in 2020, 55% in 2019, 58% in 2018 and 56% in 2017. 

  • Exacerbating the problem, the report found that the problem is fueled by:
  • Steep expansion in IoT devices
  • Lack of a centralized IoT risk management program
  • Lack of senior-most authority’s involvement

Image: Ponemon/SharedAssessments

Even the highest-performing organizations have to step up IoT risk management capabilities, and about 25% said that those higher-performing businesses are “significantly more likely to implement leading risk-management practices and apply them to IoT use.”

Research naturally lends itself to be able to focus on risk-management challenges within the increasingly complex IoT ecosystem. 

IoT increases will continue

Respondents expect the number of IoT devices they rely on to double in the next couple of years, even though most respondents said unsecured IoT devices have become increasingly likely “to have materially disruptive consequences.” Yet, nearly six of 10 acknowledge not knowing whether their third-party controls can actively suit their needs.

With the ever-growing number of IoT devices, an organization’s sensitive data is more likely to be accessed by bad actors, and the result is that IoT risk management becomes a “highly convoluted” endeavor. And so many IoT devices may facilitate distributed denial of service attacks (DDoS) which add an even greater urgency to the risk-mitigation timeline. 

Know the kind of security your company has

There is a general lack of awareness or adequate tools to indicate which IoT device has appropriate security, and just how many actual breaches and cyberattacks are linked to IoT devices is likely much higher than the number of events reported. 

SEE: IoT: Major threats and security tips for devices (free PDF) (TechRepublic)

Groups that identify themselves as a “higher performer” (164 dubbed themselves as such) represent about 33% of respondents and rate their own ability to manage IoT and other third-party risks as “highly effective.” But this indicates that I0T hygiene practices in the vast majority of companies need significant improvement 

“While the proliferation and consumerization of embedded technology, including IoT devices, continues to evolve at a rampant pace, new security vulnerabilities and exposures are introduced,” said Rocco Grillo, managing director, global cyber risk services at Alvarez & Marsal. “This is especially true when the use of IoT devices is extended to third parties, fourth parties, or even more concerning, when it’s unknown where the use of IoT devices are being extended, or those extensions are unmanaged.” 

Also see