While organizations onboard IoT devices to improve business operations and processes, it seems that few organizational boards require IoT risk assurances from third parties. The Internet of Things (IoT): A New Era of Third Party Risk study by the Ponemon Institute reveals that only 25% of organizations require assurances that IoT risks are being assessed, managed and monitored appropriately. This is not to be taken lightly when 94% of CIOs believe a security incident related to unsecured IoT devices or applications could be catastrophic to the business.
When only a quarter of boards require updates on oversight of IoT risks, but almost 100% of security executives foresee a breach occurring due to unsecured IoT devices, there’s a huge disconnect within the enterprise that needs to be addressed.
The gap in defending appropriately against IoT device security risks is also shown by the fact that 76% of CIOs believe a DDoS (distributed denial of service) attack involving an unsecured IoT device is likely to occur within the next two years, yet only 69% of CIOs keep their CEO and board informed about the effectiveness of the third party risk management program.
What’s even worse is the fact that only 44% of CIOs say their organization can protect its network or enterprise systems from risky IoT devices, and 77% of CIOs are not considering IoT-related risks in their third party due diligence. Furthermore, 67% of CIOs aren’t evaluating IoT security and privacy practices before engaging in a business relationship.
The challenges businesses face in reaching effective security for the overall organization continue to involve a lack of communication between the CIO, CEO and board members, as well as the lack of a good argument for the resources needed to effectively defend against IoT security risks. Since IoT is very broad, involving multiple areas and devices that the CIO may not always have eyes on, this makes things even harder.
However, there has been enough media coverage of major breaches caused by unaddressed third party risks for every executive to know a little about the risks involved in these situations, and to know that good security isn’t accomplished by merely patching your systems or updating your antivirus software.
For the CIO, this means translating third party risks, and the damage they can cause when not addressed in a timely manner, into terms the CEO and board can understand. The key is in the language, which essentially involves numbers. The costs of a breach are high, the damage to a company’s reputation is also undeniable, and there are a number of real-life examples in the headlines to make a case in favor of upping cybersecurity to include IoT devices along with their third party risks.
For the CEO and board, this means going to their security executive and asking how IoT third party risks are being taken care of and what plans are in place as more devices are onboarded. Business executives should also look to assess their vulnerabilities and turn to companies like NCX Group who are in the business of creating a holistic security environment. Sometimes risks are overlooked or missed by internal security teams, and a pair of experienced eyes can help spot these hidden risks sooner rather than later.
Feel free to get in touch if you’re looking to get a clearer view of where you stand with your IoT and third party security risks. We’re only a call away.
Photo Courtesy of Benoit Daoust