Managing Third-Party IoT Cybersecurity Risks
Lessons Learned from Shared Assessments/Ponemon Institute’s Survey Results
The Ponemon Institute recently published the results of its Third Annual Study on Third Party IoT Risks (sponsored by Shared Assessments), and the results will surprise few security leaders already grappling with the explosion of third-party Internet-connected devices on their networks. As the cost of deploying IoT (Internet-of-Things) drops and fresh ideas for monetizing these Internet-connected devices emerge in the marketplace, businesses of all sizes are reaching out to third-party specialists for solutions. Business executives are drawn to the promise of IoT as the answer to business problems ranging from manufacturing efficiencies and improved logistics to attracting new audiences and providing more personalization for consumers.

Naturally, there are downsides to this apparent panacea. Most profoundly, cybersecurity experts are having a difficult time keeping up with the chaotic pace of change and the new risks IoT introduces to organizations. Exacerbating the challenge is a persistent culture – among IoT vendors – that prioritizes speed-to-market over reliability and sustainability. This is merely the latest iteration of a technology development attitude that treats security as too costly and a hindrance to innovation and convenience.

Customers of IoT (both businesses and individuals) also contribute to the insecurity of these Internet-connected devices. Users expect these nascent technologies to have reliable cybersecurity built in but are unwilling to pay the premium necessary to encourage semiconductor (and related) manufacturers to provide it. Thus, with few market or regulatory incentives to adopt cybersecurity-by-design in IoT solutions, manufacturers appear to accept certain security risks associated with IoT. This in turn puts the onus on customers to mitigate the security risks of IoT devices in their networks.

The 2019 Ponemon study emphasizes the fact that organizations suffer from significant blind spots when addressing IoT-related risks. According to the survey data, firms struggle to understand:

  • the extent of IoT-related cyberattacks, data breaches and service disruptions;
  • whether their existing safeguards address IoT-specific threats and vulnerabilities;
  • who is accountable for IoT risks and security failures;
  • how to conduct an effective IoT-focused risk assessment;
  • how to improve third-party service provider risk management policies and processes;
  • how to train the workforce on IoT-related security risks; and
  • what sort of in-house expertise is required to mitigate IoT-related risks.

The results of this latest research validate what many security leaders already know: IoT is the latest challenge in the never-ending race to manage the pace of change in the business environment. There are no easy solutions to the cybersecurity risks that emerge from increased reliance on third-party vendors to develop and maintain IoT technologies on behalf of corporate clients. As with any major disruptive event, security leaders need to forcefully communicate the strategic importance of managing third-party risks to obtain executive support and budget for new security initiatives focused on controlling the runaway expansion of IoT in the business environment.


About the Author

Adam Stone is Vice President of Consulting Services and Chief Privacy Officer for Minneapolis-based Secure Digital Solutions, Inc. (SDS). Our firm helps organizations of all sizes efficiently navigate the complexities of today’s security and privacy challenges. Our seasoned professionals provide the leadership, support and guidance necessary to develop sustainable cybersecurity programs aligned to your business mission and objectives. For information about how your organization can develop a winning strategy for managing third-party security risks, contact us at (952) 544-0234 or info@trustsds.com.