[BreachExchange] Why Enterprises Can't Ignore Third-Party IoT-Related Risks

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 15 21:50:22 EDT 2018


There's a major disconnect between Internet of Things governance and risk
management, according to a new report. Follow these five steps to address
the risks.

The Internet of Things (IoT) is one of the greatest technological
advancements in the last decade, so it's no wonder that the IoT market is
expected to grow to 20.4 billion devices by 2020 and more than 8.4 billion
IoT devices are already in use today.

According to a new report by the Ponemon Institute and Shared Assessments,
"The Internet of Things (IoT): A New Era of Third Party Risk," it is
estimated that every workplace has approximately 16,000 IoT devices
connected to its network. Given the prevalence of IoT adoption, it makes
sense that IoT presents a major threat vector for hackers who have
discovered new entry points for cyberattacks. Basically, any device with an
Internet connection can be compromised and become a back door for attackers
to reach enterprise systems or steal sensitive data.

Unfortunately, many IoT devices run on firmware that is often difficult to
patch and update, and some come with default passwords that are easy to
crack. We've already seen plenty of attacks through IoT devices, including
the Mirai distributed denial-of-service (DDoS) botnet, Brickerbot, IoT
ransomware, malware, and more. Over the past two years, baby monitors,
robots, smart TVs and refrigerators, Nest thermostats, and even connected
cars have made headlines for being hacked.

Many enterprises are finally realizing the growing attack surface that IoT
devices bring to the workplace, and some are beginning to monitor for these
endpoints. But what happens when an IoT device that's connected to a
corporate network by a third party suddenly becomes compromised? Is that
enterprise monitoring its third parties for IoT risks? Is there a policy in
place to handle risky third-party IoT devices? According to this new
research, many enterprises are ill prepared for this uphill IoT risk
management battle.

Shared Assessments commissioned Ponemon to survey 605 individuals who
participate in corporate governance and/or risk oversight activities and
are familiar with the use of IoT devices in their organization. The study
found that while there have been some advances in third-party risk focused
on IoT devices and applications since 2017, risk management in this area is
still at a relatively low level of maturity. It revealed that almost all
respondents (97%) believe their organization will suffer from a
catastrophic IoT-related security event in the next two years, yet many
aren't properly assessing for third-party IoT risks and many don't have an
accurate inventory of IoT devices or applications.

The report underscores three major disconnects when it comes to third-party
risk management practices, including:

The awareness of IoT risks is increasing as IoT adoption grows: With an
increasing reliance on IoT devices in the workplace, organizations are
realizing the magnitude of what an attack related to an unsecured IoT
device could do to their business. Eighty-one percent of survey respondents
say that a data breach caused by an unsecured IoT device is likely to occur
in the next 24 months, and 60% are concerned the IoT ecosystem is
vulnerable to a ransomware attack. However, only 28% say they currently
include IoT-related risk as part of the third-party due diligence.

IoT risk management practices are uneven: The average number of IoT devices
in the workplace is expected to grow from 15,875 to 24,762 over the next
two years, so it's not surprising that only 45% of respondents believe it's
possible to keep an inventory of such devices, while only 19% inventory at
least 50% of their IoT devices. A large majority, 88%, cite lack of
centralized control as a primary reason for the difficulty of completing
and maintaining a full inventory. Even though 60% of respondents say their
organization has a third-party risk management program in place, less than
half of organizations (46%) say they have a policy in place to disable a
risky IoT device within their own organization.

The gap between internal and third-party IoT monitoring is substantial:
Almost half of all organizations say they are actively monitoring for IoT
device risks within their workplace, but more concerning is that only 29%
are actively monitoring for third-party IoT device risks. A quarter of
respondents admit they are unsure if their organization was affected by a
cyberattack involving an IoT device, while 35% said they don't know if it
would be possible to detect a third-party data breach. Shockingly, only 9%
of respondents say they are fully aware of all of their physical objects
connected to the Internet.

The bottom line is that more focus is being given to internal workplace IoT
device risks than to risks posed by third parties. Many companies have
fallen behind on the basics such as assigning accountability and inventory
management, and there are uncertainties around who is responsible for
managing and mitigating third-party risks. There's also an over-reliance on
third-party contracts and policies for IoT risk management.

To more effectively address IoT risks and improve third-party risk
management programs, companies should take the following proactive steps:

1. Update asset management processes and inventory systems to include IoT
devices and applications, and understand the security characteristics of
all inventoried devices. When devices are found to have inadequate IoT
security controls, replace them.
2. Identify and assign accountability for approval, monitoring, use, and
deployment of IoT devices and applications within your organization.
3. Ensure that IoT devices, applications and metrics are included,
monitored, and reported as part of your third-party risk management program.
4. Verify that specific third-party IoT-related controls included in
contract clauses, policies, and procedures can be operationalized and
monitored for adherence and compliance.
5. Collaborate with industry peers, colleagues, and experts to identify
successful approaches, techniques, solutions, and standards to monitor and
mitigate third-party IoT device and application risks.