The internet of things offers businesses an unprecedented level of visibility and control over their supply chains. But it also opens the door to potentially crippling cyberattacks.
A new study from the Ponemon Institute reveals a sharp increase in data breaches caused by unsecured, third-party IoT devices. And it suggests that top security experts aren’t doing enough to stop them.
The institute’s third annual study on third-party IoT Risk is subtitled “Companies Don’t Know What They Don’t Know.” Indeed, ignorance about the dangers of cyberattacks appears to have heightened the vulnerability of many businesses. IoT-related breaches are up by at least 26 percent since 2017, the study finds. (The number might be even higher, the authors note, because most companies aren’t aware of every unsecure device or application on their premises that originated from third-party vendors.)
At a time when data breaches are becoming endemic, cybersecurity doesn’t appear to be an especially high priority for a lot of companies — at least when it comes to investing resources in that area. Oversight by top management is especially lacking. According to the study, fewer than half of companies’ board members have approved programs intended to reduce third-party risk of cyberattacks. Just 21 percent fully understand the nature of that risk, and are “highly engaged” in security measures needed to address it.
When it comes to anticipating cyber risk, the prevalent attitude seems to be one of fatalism. The study found that 87 percent of respondents believe their own organizations will experience a cyberattack caused by unsecured IoT devices or applications within the next 24 months. And 84 percent expect to experience a data breach within that same time frame.
The latest version of the study draws on 600 qualified respondents and approximately 450 unique companies, according to Larry Ponemon, co-founder of the Ponemon Institute. In what he calls an “eclectic but interesting sampling,” participants included experts in I.T., data protection, third-party technology and regulation.
“Third party” means the full range of vendors, contractors, channel partners and internal affiliates from outside a company’s own I.T. environment, notes Charlie Miller, senior adviser of the Shared Assessments Program, a unit of The Santa Fe Group that specializes in assessing third-party risk.
Outside IoT devices typically take the form of sensors, smart devices, printers, cameras, Nest thermostats, voice-activated personal digital assistants — in short, anything containing electronics that’s able to connect to a company’s network.
Despite this panoply of unsecure technology, much of which is introduced into the network by way of employees’ personal devices, management doesn’t view it as a huge risk, says Ponemon. Miller adds that the problem is made worse by a huge increase in the number of IoT devices to have hit the market in recent years.
Each of those devices has a unique IP address and represents a potential point of vulnerability through which hackers or cyber thieves can access proprietary data. Before allowing any of them to be introduced into the network, companies need to understand precisely what the devices are intended to do, what kinds of data they are meant to collect, and how that information will be transmitted.
“All of those things are fundamental concepts that have not yet crystallized in this huge IoT space,” Miller says.
In the face of this onslaught of attacks, why aren’t companies being more proactive about preventing them? Ponemon suggests the problem lies in a lack of accountability within organizations. Moreover, IoT devices are seductively convenient to use, with owners giving little thought to how they might be jeopardizing corporate security.
Miller sees some signs of enlightenment among security teams and organizations. Certain industries such as medical device manufacturers are more focused on the issue than others, largely because they are subject to heavy regulation. (The Food and Drug Administration, for example, has “stringent rules about devices to be implanted in people,” Miller says.) New legislation such as the California Consumer Privacy Act is clamping down on merchandisers’ use of consumer data for marketing purposes. In addition, lawmakers are targeting manufacturers with measures that would require higher levels of built-in security for IoT-based devices, forbidding, for example, the use of easy-to-crack default passwords, which many users neglect to change.
Other efforts to tighten up on cybersecurity are being spearheaded by organizations such as the National Institute of Standards and Technology, whose standards are accepted globally, and the Monetary Authority of Singapore, that country’s central bank. Four of the latter’s five recommendations for boosting security are included in the Ponemon study.
“You need to understand what are the devices that you have within your own organization, and are allowing to be used by your third parties,” Miller says. “And you need to make sure that the way in which the devices are attached is segmented from your production department. So if there is a breach, there’s isolation to a non-production segment of your network.”
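The two controls Miller describes, knowing which third-party devices are on the network and what they are meant to do, and keeping them on a segment isolated from production, can be checked mechanically once an inventory exists. The following is an added example, not code from the article or from the Ponemon study: it holds a constructed device inventory (vendor, purpose, declared destinations) and a handful of constructed flow records, and reports any flow from an IoT-segment device that reaches the production segment, goes to an undeclared destination, or comes from a device that is not in the inventory at all. The network ranges, vendor names and addresses are all made up for illustration.

```python
"""Added example: audit constructed IoT flow records against a constructed
device inventory for segmentation and known-device violations."""
import ipaddress
from dataclasses import dataclass

# Constructed segment layout: third-party IoT devices must live in the IoT
# segment and must never initiate traffic into the production segment.
IOT_SEGMENT = ipaddress.ip_network("10.40.0.0/24")
PROD_SEGMENT = ipaddress.ip_network("10.10.0.0/16")


@dataclass
class Device:
    """One inventory entry: what the device is, what it does, where it may send data."""
    ip: str
    vendor: str
    purpose: str
    allowed_destinations: set   # destination addresses declared at onboarding
    allowed_ports: set          # destination ports declared at onboarding


# Constructed inventory of approved third-party devices (hypothetical vendors).
INVENTORY = {
    "10.40.0.11": Device("10.40.0.11", "ThermoCo", "HVAC thermostat", {"203.0.113.10"}, {443}),
    "10.40.0.12": Device("10.40.0.12", "CamVendor", "lobby camera", {"10.40.0.200"}, {554}),
    "10.40.0.13": Device("10.40.0.13", "PrintCorp", "printer", {"10.40.0.201"}, {514}),
    "10.10.7.5": Device("10.10.7.5", "BadgeCo", "badge reader", {"10.10.7.50"}, {8443}),
}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.40.0.11", "203.0.113.10", 443),  # thermostat -> its declared cloud endpoint
    ("10.40.0.12", "10.40.0.200", 554),   # camera -> local recorder, as declared
    ("10.40.0.12", "10.10.5.20", 445),    # camera -> production file server
    ("10.40.0.13", "10.40.0.201", 514),   # printer -> syslog collector, as declared
    ("10.40.0.11", "198.51.100.7", 443),  # thermostat -> destination never declared
    ("10.40.0.99", "10.40.0.200", 80),    # source address absent from the inventory
]


def classify_flow(src, dst, port, inventory=INVENTORY):
    """Return a finding label for one flow, or None if it matches the inventory."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip not in IOT_SEGMENT:
        return None  # not an IoT-segment source; out of scope for this check
    device = inventory.get(src)
    if device is None:
        return "unknown-device"
    if dst_ip in PROD_SEGMENT:
        return "segmentation-violation"
    if dst not in device.allowed_destinations or port not in device.allowed_ports:
        return "undeclared-destination"
    return None


def audit(flows=FLOWS, inventory=INVENTORY):
    """Group every flagged flow by finding label."""
    findings = {}
    for src, dst, port in flows:
        label = classify_flow(src, dst, port, inventory)
        if label is not None:
            findings.setdefault(label, []).append((src, dst, port))
    return findings


def misplaced_devices(inventory=INVENTORY):
    """Inventoried devices that were attached outside the IoT segment."""
    return sorted(ip for ip in inventory if ipaddress.ip_address(ip) not in IOT_SEGMENT)


if __name__ == "__main__":
    for label, flows in audit().items():
        for flow in flows:
            print(f"{label}: {flow}")
    print("misplaced:", misplaced_devices())
```

The check is deliberately inventory-driven: a device that was never onboarded produces a finding on its first flow, and an onboarded device produces one as soon as it talks to something other than what was declared for it, which is the "know what you have and what it is supposed to do" discipline the quotes describe.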
Education is paramount, says Ponemon, stressing that awareness of cyber risk must run from each individual employee up to the executive suite, as well as to external supply-chain partners and customers.
Miller says companies should undertake use cases before committing to the use of any IoT devices, to determine the potential for misuse. For example, monitoring systems found in modern automobiles could allow hackers to take control of the vehicle remotely. “The transportation industry is looking at this very seriously,” he says.
In the end, it comes down to vigilance on the part of the user. “Cyber hygiene is the responsibility of the individual,” says Ponemon. “That is critical. It isn’t just about IoT — it’s about everything.”