Report: Organizations say IoT devices pose ‘catastrophic risk’, then shrug

The majority of corporations fear that a “catastrophic” security incident stemming from the Internet of Things (IoT) is an imminent risk. However, those same organizations still lack even basic knowledge of how many IoT devices they have and how those devices are being used, let alone oversight of how to protect them, according to new findings.

The Ponemon Institute, an independent research firm, and the Shared Assessments Program, the industry-standard body on third-party risk assurance, released a report from their second annual IoT third-party risk survey, “The Internet of Things (IoT): A New Era of Third-Party Risk.”

As with most IoT-related security research lately, the report’s findings are alarming to anyone who cares about IT and cybersecurity within the enterprise. Ninety-seven percent of the 605 participants polled said that an attack related to unsecured IoT devices could be catastrophic for their organization, while 81 percent said that a data breach caused by an unsecured IoT device is likely to occur in the next 24 months. Yet despite the pervasive risk that insufficiently secured IoT devices have created, there is still a woeful lack of security in place to protect against such threats, the report found.

“Everybody’s worried about some type of security incident caused by an IoT device, but not many people are doing anything about it,” Charles Miller, Senior Vice President with the Shared Assessments Program, told Security Ledger in an interview.

Indeed, only 28 percent of respondents said they currently include IoT-related risk in their third-party due diligence, according to the findings. “They are aware that these risks exist but probably aren’t stepping up as fast as they need to,” Miller said.

One surprising finding of the report is that, for IoT risk mitigation, organizations overwhelmingly rely on contractual clauses with third parties or on policies and procedures, with very little oversight of either, he said. More than half (53 percent) of respondents said they rely on contractual agreements to mitigate third-party IoT risk, and only 46 percent said they have a policy in place to disable a risky IoT device.

In other words, they’re passing the buck to someone else when it comes to IoT security without making sure that third party is doing its due diligence to protect the organization, Miller said.

“If you’re relying on that type of technique, the ability to monitor those contract clauses needs to be in sync with that so you can actually ensure you’re compliant with those clauses,” he told us. “I think that’s a lot of work that has to be done to make sure we have those monitoring techniques in place to do that.”

Two of the weakest links in even beginning to set up and enforce the security that IoT devices in an enterprise require are inventory and accountability, the report found.

On the inventory side, the findings make it apparent that most organizations don’t even know what IoT devices they have, who is responsible for them or how they are being used.

Forty-nine percent of respondents said they don’t keep an inventory of IoT devices and 56 percent have no inventory of IoT applications. The reason that most (85 percent) cite is that there is a lack of centralized control over these applications.

“There doesn’t seem to be anyone who’s accountable for inventory or for IoT in organizations,” Miller said.

That’s especially troubling not just because of the risk of an IoT security breach, but because of the number of devices organizations said they expect to bring on over the next year. The 44 percent of respondents that do keep an inventory of IoT devices reported an average of 15,874 devices in their workplaces, and expect that number to increase to an average of 24,762.

The inventory issue goes hand in hand with accountability, Miller said. Not only do many organizations lack an accurate inventory of the IoT devices they have, they also have no one in the company responsible for monitoring them, he said.

Almost half of all organizations say they are actively monitoring for IoT device risks within their workplace, and 60 percent said their company has a third-party risk management program. But only 29 percent are actively monitoring for third-party IoT device risks, and only 9 percent of respondents said they are fully aware of all the physical objects in their organization connected to the Internet.

“The area that’s of concern that we saw in this study is that no single part of the organization was given accountability to make sure this is kept current, that there is an inventory, that there is an approval process for bringing on devices that are going to support the business units,” Miller told us. “It’s kind of a little bit all over the map.”

As more and more IoT devices like smart printers, video cameras and others come online in the coming months and years, this is going to be crucial to locking down these devices to avoid a major security problem, he said.

“I think that clear accountability or some central organization or knowing and communicating and knowing within your organization who is accountable is going to be really important,” Miller said.

[You might also be interested in reading “The US Military’s IoT Problem Is Much Bigger Than Fitness Trackers” ]

There already have been prominent examples of what happens when IoT devices are exploited. Perhaps the most infamous is the Mirai botnet, which was built from a worldwide network of compromised cameras and home routers and used them to launch massive distributed denial-of-service (DDoS) attacks.

More recently, a team in Israel took apart a number of IoT devices to find out how easy they were to hack, and found that it’s really not that difficult. Among other nefarious activities, the team from Ben-Gurion University managed to log on to entire Wi-Fi networks simply by retrieving the password stored in a device, and cracked the default passwords for 12 of 16 devices, using them to create their own isolated Mirai-style botnet.

With smart cameras being one of the early uses of IoT devices in organizations, and much evidence already showing that they often have multiple vulnerabilities and are easy to compromise, Miller said that DDoS attacks are a very real threat that could impact a large number of corporations. Data breaches are another, he said.

“Data exfiltration is something everyone is concerned about, how data breaches are reported and enacted and corrected as they happen,” Miller said.

Given the findings of the report, Ponemon and the Shared Assessments Program have five recommendations for organizations to kick-start their IoT risk mitigation. The first is to take an inventory of IoT devices and update asset-management solutions to include them, Miller said.

Accountability, of course, is second, he said. Organizations need to ensure that someone is accountable for handling IoT activities, devices and applications, he said.
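As an added illustration of those first two recommendations (not code from the report, Security Ledger or the Shared Assessments Program), the script below shows what the inventory gap looks like in practice: it parses a few constructed dhcpd-style lease records for devices seen on the network, looks each one up in a constructed asset register that records an accountable owner, and reports devices that are on the network but not in the register, and registered devices that nobody owns. The lease lines, the MAC prefix table and the register are all made up for the example; a real deployment would read the live leases file and the IEEE OUI registry instead.

```python
"""Reconcile devices observed on the network with an IoT asset register.

Added example illustrating the inventory and accountability recommendations;
not code from the report. All input data below is constructed.
"""
import re
from collections import namedtuple

# Records in the layout of an ISC dhcpd leases file (constructed sample).
SAMPLE_LEASES = """\
lease 10.20.4.17 {
  hardware ethernet 00:12:12:aa:bb:01;
  client-hostname "lobby-cam-3";
}
lease 10.20.4.18 {
  hardware ethernet 00:1e:8f:00:11:22;
  client-hostname "NPI3A2F1C";
}
lease 10.20.4.19 {
  hardware ethernet 7c:dd:90:12:34:56;
  client-hostname "smartplug-kitchen";
}
lease 10.20.4.20 {
  hardware ethernet b8:27:eb:de:ad:01;
}
"""

# Hypothetical MAC-prefix -> vendor labels for the example. These are
# placeholders, not the real IEEE OUI assignments.
OUI_VENDORS = {
    "00:12:12": "camera vendor (example)",
    "00:1e:8f": "printer vendor (example)",
    "7c:dd:90": "smart plug vendor (example)",
    "b8:27:eb": "single-board computer vendor (example)",
}

# The organisation's asset register: MAC -> (description, accountable owner).
# Constructed for the example; an empty owner models the accountability gap
# the report describes.
ASSET_REGISTER = {
    "00:12:12:aa:bb:01": ("Lobby camera 3", "Facilities"),
    "00:1e:8f:00:11:22": ("Floor 2 multifunction printer", ""),
}

Lease = namedtuple("Lease", "ip mac hostname")
LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Return Lease records for every lease block that carries a MAC address."""
    leases = []
    for block in LEASE_RE.finditer(text):
        body = block.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue  # nothing to key an inventory entry on
        host = HOST_RE.search(body)
        leases.append(Lease(block.group("ip"), mac.group(1).lower(),
                            host.group(1) if host else ""))
    return leases


def vendor_for(mac):
    """Best-effort vendor guess from the first three octets of the MAC."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown vendor")


def reconcile(leases, register):
    """Classify observed devices against the register.

    Returns a dict with three lists:
      unregistered - seen on the network but absent from the register
      unowned      - registered but with no accountable owner
      ok           - registered and owned
    """
    result = {"unregistered": [], "unowned": [], "ok": []}
    for lease in leases:
        entry = register.get(lease.mac)
        if entry is None:
            result["unregistered"].append(
                (lease.mac, lease.ip, lease.hostname, vendor_for(lease.mac)))
        elif not entry[1]:
            result["unowned"].append((lease.mac, entry[0]))
        else:
            result["ok"].append((lease.mac, entry[0], entry[1]))
    return result


if __name__ == "__main__":
    findings = reconcile(parse_leases(SAMPLE_LEASES), ASSET_REGISTER)
    for bucket, rows in findings.items():
        print(bucket)
        for row in rows:
            print("  ", *row)
```

Run against the sample, the two devices absent from the register (the smart plug and the hostname-less single-board computer) land in `unregistered`, and the printer, which is registered but has no owner, lands in `unowned`; those two buckets are the lists that an approval process and a named owner, as the report recommends, are meant to empty.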

[You might also be interested in: “IoT Security’s Known Unknowns | Network World”]

A third is to bridge the disconnect between risk-assessment personnel and organization leaders, the latter of whom still lack accurate awareness not only of the IoT devices in the organization but also of the risks they carry, Miller said.

Monitoring is a fourth aspect of IoT risk mitigation that is crucial to address now, based on the findings, he said, particularly for the third-party contracts, policies and procedures that companies said currently carry the weight of their IoT security.

Finally, the fifth step organizations need to take is a united approach to the IoT security problem, putting heads together to come up with the best solutions for risk mitigation, Miller said.

“We’re seeing a lot of creative solutions put forth,” he said. “But as those solutions go forward from a technology perspective and from an industry and regulatory perspective, [we recommend working] with peers to identify those solutions that will address some of the risks we’re seeing with the Internet of Things.”

(Paul Roberts contributed to this post.)