Most boards don't understand the importance of IoT risk exposure, and CIOs have a role to play here
Unsecured Internet of Things (IoT) devices, both in the workplace and in the hands of third parties, are enabling large-scale cyber attacks that compromise the privacy and security of organizations. Yet most boards do not understand the importance of IoT risk exposure. While that makes life harder for CIOs and CISOs, it also gives them an opportunity to take a leadership position on IoT.
Researchers have identified a significant uptick in IoT-related breaches and attacks in a new Ponemon Institute report. The report further states that most companies do not know the depth and breadth of the risk exposures they face when using IoT devices and other emerging technologies.
Released by the Santa Fe Group, the study yielded 35 key findings on IoT risks stemming from a lack of security in IoT devices. Ponemon Institute identified a sizable increase in the number of organizations reporting an IoT-related data breach: in 2017, only 15% of survey participants had suffered one, and that number jumped to 26% in this year’s report, which surveyed over 600 CIOs, CISOs and chief risk officers in the US and other regions, including India.
“The actual number may be greater as most organizations are not aware of every unsecure IoT device or application in their environment or from third party vendors,” the report said. In fact, the study found that more IoT security issues are being reported at the third-party level.
Over the last year, 23% of respondents said they had experienced a cyber attack, and 18% said they had suffered a data breach, caused by unsecured IoT devices at third-party vendors. Even those who have yet to identify a breach expect the future of IoT to be weighed down by risk.
More alarmingly, the organizations surveyed have no centralized accountability for addressing or managing IoT risks. Fewer than half of company board members approve programs intended to reduce third-party risk, and only 21% of board members are highly engaged in security practices and understand third-party and cyber security risks in general. More than 80% of respondents believe their data will be breached in the next 24 months.
The remaining findings are equally gloomy: only 9% of respondents said their companies have education policies to inform employees about IoT third-party risks, and nearly a third (32%) do not have a designated person in their department or organization who is responsible for managing IoT risks.
“Board members of organizations need to pay close attention to the issue of risk when it comes to securing a new generation of IoT devices that have found their way into your network, workplace and supply chain,” said Cathy Allen, founder and CEO of The Santa Fe Group, Santa Fe, NM. “The study shows that there’s a gap between proactive and reactive risk management. The time to address this issue is now and not later.”
What can CIOs and CISOs do?
One thing is clear from the Ponemon report: IoT is affecting the enterprise in a big way, and there is a role for CIOs and CISOs. That role may not fit the way organizations have traditionally governed risk; CIOs and CISOs may find themselves working more closely with business functions than with the compliance or risk management function. The report's recommendations include:
- Ensure inclusion of third-party and IoT risks occurs at all governance levels, including the board.
- Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all the inventoried devices; if devices have inadequate security controls, replace them.
- Review contracts and policies for IoT-specific requirements and update them to include such requirements if necessary.
- Expand third-party assessment techniques and processes to include controls specific to IoT devices.
- Develop specific sourcing and procurement requirements around security of IoT devices.
- Devise new strategies and technologies for reducing threats posed by IoT devices.
- Collaborate with experts, peers, associations and regulators to develop, communicate and implement best practices for IoT risk management.
- Include IoT in communication, awareness and training at all levels, including the board, executive, corporate, business unit and third parties.
- Recognize that your organization is increasingly dependent on technology to support the business, and recognize the risk that this dependence creates.
- Embrace new technologies and innovations, but ensure security controls are included as fundamental and core requirements.
In conclusion, CIOs and CISOs can drive their organizations to better understand the inherent risks posed by IoT devices in the supply chain, ensure that IoT security is taken seriously, and push for education at every level of management, including the governing board. They should also ensure that IoT security concerns are integrated into the design and build phases of product development.