76% of survey respondents say a DDoS attack involving an unsecured IoT device is likely to occur within the next two years.
The Ponemon Institute, an independent research firm focused on privacy, data protection and information security policy, and the Shared Assessments Program, the industry-standard body on third party risk assurance, released findings from its annual survey, The Internet of Things (IoT): A New Era of Third Party Risk.
The report surveyed 553 professionals who have a role in risk management in industries including healthcare and financial services. They were asked for their perception of IoT risk, current governance, and the state of third-party risk management programs.
Key findings of the report include:
- 76% say a DDoS attack involving an unsecured IoT device is likely to occur within the next two years.
- 94% of those surveyed noted that a security incident related to unsecured IoT devices or applications could be catastrophic.
- 69% of respondents don’t keep their CEO and board informed about the effectiveness of the third party risk management program.
- Only 44% say their organization has the ability to protect their network or enterprise systems from risky IoT devices.
- 77% of respondents aren’t considering IoT-related risks in their third-party due diligence.
- 67% of those surveyed are not evaluating IoT security and privacy practices before engaging in a business relationship.
IoT security
“More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyber attacks,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “What’s shocking about these findings is the complete disconnect between understanding the severity of what a third party security breach could mean for businesses, and the lack of preparedness and communication between departments.”
The respondents said they’re aware that IoT introduces new security risks into their organizations, but only 25% said their boards require assurances that IoT risks are being managed and monitored. The majority are still relying on legacy solutions, with 94% saying they are still using traditional network firewalls.
“Ready or not, IoT third-party risk is here. Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever,” said Charlie Miller, senior vice president with the Shared Assessments Program. “In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats. New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party. Avoiding these problems can no longer be the solution.”