Survey: Risk Management Pros Fear Internet of Things

In-brief: Risk professionals expect a “catastrophic” security incident within the next 24 months that stems from insecure Internet of Things devices, a survey by The Ponemon Institute found. 

Risk management professionals are growing worried about the risks posed by connected devices on the Internet of Things, a new survey by The Ponemon Institute found.

Among 553 risk management professionals surveyed by Ponemon there was a nearly universal (94%) belief that such devices will lead to a “catastrophic” security incident within the next 24 months, while more than three quarters of those surveyed said that a cyber attack stemming from insecure IoT devices or data theft linked to such devices was likely within the same period.

The survey’s findings underscore the growing anxiety about Internet-connected “things,” following the denial of service attacks by the Mirai botnet in September and October and the emergence in April of the Persirai botnet and of Brickerbot, a destructive malware that infects and disables vulnerable Linux devices.

The risk professionals surveyed by Ponemon reported that connected devices constitute a “third party” risk that their organizations are poorly situated to handle, should problems arise.

According to the survey, risk professionals reported that securing Internet of Things devices was not a priority at their organization and that there were insufficient resources and inadequate attention from senior executives to the problem of third-party Internet of Things risk. Just 30% of respondents said that managing third-party IoT risks is a priority in their organization. Just a quarter reported that their board of directors sought assurances that IoT risks among third parties are being assessed, managed and monitored appropriately, Ponemon reported.

Ponemon data suggests that organizations are still familiarizing themselves with connected “Internet of Things” devices and haven’t fully taken into account the new risks that such devices pose. For example:

76% of those surveyed said they did not include the secure use of IoT devices in training and awareness programs. Sixty-eight percent said that the evaluation of IoT security risks was not part of their onboarding process for third parties. Sixty-three percent admitted that third-party due diligence processes did not include IoT-related risks.

That kind of laxity could come back to bite firms. Recent studies and real-world incidents suggest that third-party risk around connected devices is a major security risk. A study by the firm Trend Micro (PDF), for example, found that common industrial robots are susceptible to hacks that could cause physical harm to workers or result in flawed and dangerous products. So-called “architectural commonalities” in modern industrial robots, as well as existing standards, mean that the company’s findings, which were compiled with collaborators from the Politecnico di Milano (POLIMI), are likely to apply to a wide range of industrial robots made by a range of vendors, Trend concluded.

Similarly, an audit found that Samsung’s Tizen IoT operating system is plagued by “old school” security vulnerabilities that call into question the trustworthiness of the entire platform, according to a researcher at the firm Equus, who presented the findings of his audit of Tizen at Kaspersky Lab’s recent Security Analyst Summit. Tizen runs on around 30 million smart TVs, as well as on Samsung Gear smart watches.

Organizations need more tools and processes to get their arms around IoT risk, Ponemon concludes. Among other things, tools are needed to identify and inventory deployed devices. Beyond that, organizations need an understanding of each device’s ecosystem, including its manufacturer, associated service providers, software and application developers and cellular operators. New sourcing and procurement practices will be needed to ensure that IoT devices are properly secured by design and in deployment, Ponemon concluded.