UPDATED 07:05 EDT / MAY 31 2017

Report: Risk management pros say their companies aren’t ready for the Internet of Things

Organizations are increasingly worried about the security risks of the Internet of Things, but have few action plans for dealing with them, according to a new report by the Ponemon Institute and the Shared Assessments Program, an industry standards body focused on third-party risk assurance.

Ponemon surveyed 533 people who have a role in risk management across a broad range of industries that are likely to adopt IoT. Researchers found that 76 percent say a distributed denial-of-service attack involving an unsecured IoT device is likely to hit them within the next two years and 94 percent say that it is likely that a security incident related to unsecured IoT devices or applications could be catastrophic for their organization.

Despite this perceived risk, corporate boards seem to be sweeping the problem under the rug. Only 30 percent of respondents say their organizations are making it a priority to manage third-party IoT risks, and only 25 percent say their board wants assurance that IoT risks among third parties are being attended to.

“What’s shocking about these findings is the complete disconnect between understanding the severity of what a third-party security breach could mean for businesses, and the lack of preparedness and communication between departments,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a prepared statement.

Surge in use

The research validates the anticipated growth in use of intelligent devices such as thermostats, sensors and smart cameras, with respondents predicting that the number of connected devices in their organizations will double over the next two years to an average of 18,631. Respondents say the rapid deployment is being driven in large part by the urgency to find new ways to innovate in their business, and 61 percent say adoption of cloud computing is being driven, in part, by the need to innovate with IoT.

But at what cost? IoT introduces a host of new devices built by third parties, many of which are unknown to the information technology organization. Only 44 percent of respondents to the survey say their organization can protect their network or enterprise systems from risky IoT devices. Of the 56 percent of companies that have a third-party risk management program in place, only 24 percent rate that as highly effective. As a result, fewer than half say their organization has the ability to protect their network or enterprise from risks introduced by IoT.

Specifically, fewer than 20 percent have modified existing training and awareness programs to cover the secure use of IoT devices. About the same number say their existing on-boarding processes don’t cover these new members of the network. A third say their organizations don’t evaluate IoT security and privacy practices before engaging in a business relationship with a third party.

Part of the problem is lack of visibility into what is already connected. More than 70 percent of respondents say they only know some of the physical objects connected to their network and 35 percent say they don’t know any of them. Fewer than one in six organizations maintains an inventory of connected devices and 85 percent have no centralized control over them. When it comes to controlling devices that pose a risk, half rely upon contractual agreements and only one in eight use specialized technologies.

“The study definitively demonstrates that IoT security is not being effectively addressed by risk management programs, is not regularly reported and is not currently considered a high priority with most governing boards charged with overseeing enterprise risk,” Ponemon concludes. Among the researchers’ recommendations: Include third-party and IoT risks at all governance levels, and update asset management and inventory systems to include this new class of devices. Researchers also urge companies to develop sourcing and procurement requirements that ensure that only secure devices are attached to the network.

Image: Ponemon Institute
