Data breaches relating to unsecured Internet of Things devices have jumped by more than 10 percent since 2017, suggesting security efforts aren’t keeping pace with the growth of the Internet of Things, a new study finds.
Efforts to secure the rapidly growing Internet of Things (IoT) aren’t keeping pace with IoT adoption, according to a yearly report by the Ponemon Institute.
The Santa Fe Group–managing agent of the Shared Assessments Program–released findings of the institute’s third annual IoT risk report Tuesday, which once again showed most enterprises are only beginning to get a clue when it comes to the risk third-party IoT devices pose, as well as are still dragging their feet on taking accountability for them.
The report–Third Party IoT Risk: Companies Don’t Know What They Don’t Know”–found that leaders of most organization are not even aware of their company’s current state of IoT risk, particularly as it pertains to third parties, which is where most attacks originate.
In addition to the surge in data breaches, cyber attacks from third-party IoT devicesalso rose from 16 percent to 24 percent since 2017, the report found. Still, according to those surveyed, most organizations have no centralized accountability to address or manage these IoT risks, and less than half of company board members approve programs intended to reduce third-party risk. And more 80 percent of respondents think their data will be breached or other cyber attacks due to IoT devices will occur in the next 24 months.
The Bright Side…?
The news isn’t all bad. Charlie Miller, senior advisor for The Santa Fe Group, said that while the report shows that IoT security is “slightly better,” it’s still “not improving at an acceptable pace. ” That could change, however, as resources being directed at IoT security begin to rise to the level of awareness of the problem, he told Security Ledger.
“We expect that the pace of improvement may quicken given that is increased recognition of the threat and private and public sector resources are being assigned to address the threat,” Miller said.
This congruence should happen sooner rather than later, according to researchers. The Internet of Things is being adopted rapidly with IoT devices creeping into the enterprise, many without proper security of their own, Miller said.
“Many organizations have other IoT devices (security cameras are an example) that contain either no security features or basic features that are not useful–hard wired and well-socialized passwords are an all too common example,” he said.
What’s worse, research shows that organizations don’t even have a clear idea of many IoT devices are touching the enterprise network, which makes them difficult to secure, Miller said.
“You can’t manage what you don’t know, and the lack of complete IoT inventories is a serious failure,” Miller said. “Inventory continues to be a huge struggle here as it has been in the third -party risk and supply chain areas.
Apathy is Bliss?
The 625 survey respondents all participate in corporate governance and/or risk oversight at their respective organization and are familiar with or participate in managing third-party risks associated with the use of IoT devices.
Despite this knowledge, respondents said they still mainly only monitor IoT devices within the organization rather than their third-party partners’ use of the IoT, with 51 percent of respondents saying they do the former, but less than a third (32 percent) doing the latter.
There also is a gap between awareness of IoT risks and the maturity of risk-management programs, according to the report. While 68 percent of respondents acknowledge that third-party risks are increasing because of the rise in IoT, many companies’ risk-management practices are not mature and lack staffing and budget. “Our sense is that IoT issues are not at the top of most board cybersecurity-risk agendas,” Miller said.
The Road Ahead
Fortunately, there are some very basic, “common-sense” security guidelines organizations can adopt immediately to begin to close the noticeable gap between IoT enterprise adoption and security, Miller said.
“We believe organizations are–in fact–recognizing the scope of IoT security issues,” he said. “Some organizations are coming to grips with at the size of their own workload to effectively deal with IoT issues and are beginning to take necessary steps.”
One obvious step is to create and maintain complete IoT inventories of devices– both in the enterprise as well as third-party devices–to understand where threats might exist, he said.
IoT devices also should be put on a standalone, separate network so any attack or data breach originating from a device does not affect other parts of the business, Miller said.
Finally, organizations should get in the practice of constantly monitoring networks to detect intrusions as quickly as possible to mitigate or even prevent any damage or data breach before it happens, he added.