The Internet of Things (IoT) is changing everything, in both good and bad ways, and we just aren’t prepared for the problems that will arise from this idea that everything has to be connected.
That’s not just my cynical opinion. Ponemon Institute and Shared Assessments Program put out a report, The Internet of Things (IoT): A New Era of Third Party Risk, and found that almost everyone (97 percent) believes they’ll have to deal with a catastrophic IoT-related event within the next two years. There are plenty of reasons why: the increase of IoT devices in the average workplace (nearly 25,000, up about 10,000 devices from last year); insecure applications on IoT devices; and concerns over third-party contracts and control over the devices.
While the overall topic of IoT risk is fascinating, especially with regard to third parties, for this blog post I’m sticking to the risk management angle and how IoT adds a complicated layer.
Why is risk management an issue for IoT? One reason is that it is difficult to create an accurate risk assessment. According to the report, just 45 percent of respondents say they believe it's possible to keep an inventory of IoT devices. Only 19 percent of that group admitted they have an inventory of at least 50 percent of the devices within their organization. That leaves 12,500 devices unaccounted for in an organization that is trying to account for IoT. The report stated the reason for this low number:
The primary reason, according to 88 percent of respondents, is no centralized control over IoT devices and applications in the workplace. Sixty-four percent of respondents do not keep an inventory of IoT applications, mainly because of a lack of centralized control over these applications.
If a threat is found on a device? Fewer than half are prepared with a policy to disable a risky IoT device within their own company. There’s also concern surrounding third-party contracts, as the majority aren’t monitoring third-party contract compliance.
As Charlie Miller, senior vice president with the Shared Assessments Program, said in a formal statement:
The rapid adoption of IoT devices and applications is not slowing down and organizations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks. With the increasing number of major data breaches, ransomware, and distributed denial of service attacks in the news daily, and senior executives losing their jobs as a result, it's critical that organizations assign accountability and ownership of IoT-related oversight across their organization, ensure that IoT security is taken seriously, and educate management at all levels.
Without the ability to have an accurate look at all the devices on the network, organizations are setting themselves up for serious problems. Do we need to start rethinking risk assessments and risk management tools to better incorporate the growth of IoT?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba