Monthly Archives: May 2019

Third-party IoT risk: companies don’t know what they don’t know

Larry Ponemon

Cyberattacks, data breaches and overall business disruption caused by unsecured IoT devices, whether in the workplace or in the hands of third parties, are increasing because companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies.

This is the third annual study on third party IoT risks, sponsored by Shared Assessments and conducted by Ponemon Institute, to better understand how organizations are managing the risks created by known and unknown IoT devices.

This study includes responses from 605 individuals who participate in corporate governance and/or risk oversight activities and who are familiar with, or have responsibilities in, managing third party risks associated with the use of IoT devices in their organization. Seventy percent of respondents say their position requires them to manage risk oversight activities. All organizations represented in this research have both a third party risk management program and an enterprise risk management program.

In this study, we define a data breach as a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve protected health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. A cyberattack is an attempt by hackers using malware, ransomware and other techniques to access, damage or destroy a network or system. A successful cyberattack may result in brand damage, business disruption, critical system outages, a data breach, significant financial losses and potential regulatory sanctions.

The following research findings reveal what organizations do not know about the risks caused by IoT devices and applications used in the workplace and by third parties:

  • The number of cyberattacks, data breaches and service disruptions that have actually occurred
  • If their security safeguards and practices are adequate to mitigate IoT risk
  • Who is assigned accountability for IoT and how many IoT devices are in the workplace
  • IoT risk assessment and control validation techniques are evolving, but very slowly
  • How third party IoT risk management practices and policies can be used to mitigate the risk
  • Few companies conduct training and awareness programs to minimize risks created by users in the workplace and in their third parties
  • Few companies have sufficient in-house expertise to fully understand IoT risks in the workplace and in their third parties

IoT-related security incidents

In the context of this research, IoT is defined as the physical objects or “things” embedded with electronics, software, sensors and network connectivity, which enables these objects to collect, monitor and exchange data. Examples of IoT devices in the workplace include network-connected printers and building automation solutions.

IoT-related security incidents increase

As shown in Figure 1, there has been a dramatic increase in IoT-related data breaches and cyberattacks since 2017. Respondents who report that their organization experienced a data breach specifically because of unsecured IoT devices or applications increased from 15 percent to 26 percent in just three years. Reports of cyberattacks increased from 16 percent to 24 percent of respondents. These percentages may be low because, as shown in the research, organizations are not confident that they are aware of all the unsecured IoT devices and applications in their workplaces and in third parties.


Most salient trends

It’s “not if, but when” organizations will have a security exploit caused by unsecured IoT devices or applications. Eighty-seven percent of respondents believe a cyberattack, such as a distributed denial of service (DDoS), is very likely to occur in the next two years, an increase from 82 percent of respondents in last year’s study. Similarly, 84 percent of respondents say it is very likely their company will have a data breach caused by an IoT device or application.

Third party IoT risk is increasing because of ransomware, the number of third parties and the inability to know if safeguards are sufficient. Fifty-nine percent of respondents say the IoT ecosystem is vulnerable to a ransomware attack. Other reasons for the increase in IoT risks are the inability to determine whether third party safeguards and IoT security policies are sufficient to prevent a data breach (55 percent of respondents) and the difficulty of managing the complexities of IoT platforms given the number of third parties involved.

There is a significant gap between the monitoring of IoT devices in the workplace and the monitoring of third parties’ IoT devices. While just about half of respondents (51 percent) say their organizations are monitoring the IoT devices used in their own workplaces, less than a third are monitoring their third parties’ use of IoT.

A gap also exists between awareness of IoT risks and the maturity of risk management programs. While 68 percent of respondents say third party risks are increasing because of the rise in IoT, many companies’ risk management practices are not mature. Specifically, only 45 percent of respondents say their risk management process is aligned with their business goals, and only 34 percent of respondents say there is an approved risk appetite framework incorporating clearly expressed risk tolerance levels. Moreover, sufficient budget and staffing are not being allocated to manage third party IoT risks.

To read the full study, visit the Shared Assessments website.

The Santa Fe Group, authorities in risk management, is the managing agent of the Shared Assessments Program.

Is the Internet good or bad? So, Bob… podcast, episode 1

Bob Sullivan

I started covering technology in the late 90s, sitting in a cubicle on the Microsoft campus, but working for a separate company named MSNBC.com. At the time, most publications didn’t have technology sections, or even full-time reporters. Those who did write about tech were business reporters, worried mainly about revenue and stock price, or gadget reporters, worried mainly about what new, cool thing was coming on the market (wearable computers!). I was immediately attracted to something different — broken technology. I started writing about computer viruses when nobody really cared about them; then the Melissa Virus and the LoveBug took the entire world offline for a day, and everyone cared. I went to hacker conferences before it was cool. I covered online dating scams, eBay fraud, credit card database thefts, child online safety, and the birth of surveillance capitalism.

At the same time, I would go to press conferences hosted by companies like Apple where (alleged) journalists would applaud each new product release.

It all made me wonder continuously: Is all this tech such a good idea? Is anyone stopping to think about any of this?

Eventually, plenty of other people became worried, too. This story in the Canadian magazine Maclean’s from 2006 (titled “The Internet sucks”) captures the growing unease people had with the power of giant tech firms. Read it; it’s cute what a side note Facebook was back then.

Since then, the pace of change has only accelerated, while our introspection about it has not kept up. Social mores haven’t kept up. Law hasn’t kept up. The closest thing the U.S. has to a federal privacy law does not even mention cell phones or the Internet — because it is the Privacy Act of 1974.

Fortunately, plenty of people care about this now. Do a Google News search for privacy and you’ll find thousands of stories. Facebook, for better and worse, has placed these issues top-of-mind for most people. As we discussed at the end of the Breach series on Equifax, privacy may be on life support, but it’s not dead.

And I am thrilled and so grateful that a person named Alia Tavakolian is at the top of the list of people who care. An Iranian-American from Dallas, Alia brings an entirely different perspective on these issues to the podcast. She has an amazing ability to ask the right question to get to the heart of the matter. And she emits empathy and understanding in such a way that people can’t wait to talk to her. I’m incredibly lucky that she is my partner on this project — and with her, come the incredibly talented and passionate people at Spoke Media. Soon enough, you’ll become familiar with the Spoke Media Method and why the podcasts they make really are a cut above what you are used to hearing.

Please don’t interpret my skepticism of all technology as a distaste for it. Quite the contrary: Computers have been in my house since I was a small child (once upon a time, a remarkable thing to say!). My father taught computers to high school kids in Newark, N.J. for decades. I played my first “video game” on a teletype. Wrote my first program on a TRS-80. Used a radio signal hack to add sound effects to a baseball game on a Commodore Pet. I love this stuff. I love that tech saved my father’s life after he had a heart attack. I love that I can communicate with old friends in real time at any time.

But there’s lots to worry about. And we don’t talk enough about it. Mainly, I hate the kind of tricks that tech allows large companies to play on workers and consumers. Your cable company makes billions of dollars each year, one hidden $9 fee at a time. Uber will make a few people billionaires while turning drivers into minimum-wage employees via sleight of hand, and along the way take down some mass transit systems, too. Facebook threatens democracy and the very notion of truth, all because it didn’t want to pay people to play hall monitor. Smartphones are great for finding your lost 12-year-old on a class trip! But they are also altering his mind so he’ll never be able to pay attention to other people the way you did. Tech is often portrayed as magic, able to make “scalable” businesses that provide investors with unicorn-like 1,000x returns. Often, the only magic is the way it fools people. Tech sometimes provides amazing, ground-breaking solutions to life’s problems. Just as often, it’s merely a trick to make early investors rich, consequences be damned.

This is what we’ll talk about on So, Bob. But we won’t just whine about the downfall of small retailers or the curse of short attention spans. We’re going to arm you with real ideas and real solutions so your gadgets don’t rule you — you rule your gadgets. Alia asks amazing questions, and I have a few answers. But mainly, I’ve been at this long enough that I know hundreds of really smart people who are generous with their time, and they’ll have much better answers. As our first guest, Canadian privacy lawyer Sinziana Gutui, suggested to me, I am an expert of experts. At least, that’s what I hope to be for you.

So, readers — what questions do you have? Send them along to SoBob@SpokeMedia.io. Follow us on Twitter or Instagram at @SoBobPod. Give us 25 minutes — hopefully, every week.

Click play below, if a play button appears, or click on this Stitcher link or this iTunes link.