97% of risk pros say IoT cyberattack would be 'catastrophic' for their business

Internet of Things devices are expanding in the enterprise, but only 46% of businesses have a policy to disable risky devices, according to Ponemon Institute and Shared Assessments.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • 97% of risk professionals said it is likely that a data breach or cyber attack caused by unsecure IoT devices could be catastrophic for their organization. — Ponemon Institute and Shared Assessments, 2018
  • 15% of risk professionals have an inventory of most of their IoT applications. — Ponemon Institute and Shared Assessments, 2018

Internet of Things (IoT) devices continue to infiltrate the enterprise, as companies seek more efficient ways of doing business, according to a Monday report from the Ponemon Institute and Shared Assessments. The average number of IoT devices in the workplace is expected to increase to 24,762 devices—up from 15,874 last year, the report found.

However, with increasing numbers of connected devices comes growing risk: Of the 605 professionals surveyed who participate in corporate governance or risk oversight activities, 97% said a security incident related to unsecured IoT devices could be "catastrophic" for their organization. Another 60% expressed concerns that their businesses' IoT ecosystems are vulnerable to a ransomware attack, according to the report.

Risk professionals are aware of the cybersecurity dangers posed by these devices, as 81% said that a data breach caused by an unsecured IoT device is likely to occur in the next 24 months. However, many still fail to implement basic cyber hygiene practices related to these devices, the report found.

Only 45% of respondents said they believe it's possible to keep an inventory of IoT devices. Of that 45%, only 19% said they actually have an inventory of at least half of their devices. The vast majority (88%) said the lack of centralized security control was a primary reason for not creating a full inventory.

Only 15% of those surveyed said they have an inventory of most of their IoT applications. And 46% said they have a policy in place to disable an IoT device that could pose a risk to their organization.

Nearly two-thirds of respondents (60%) said their company has a third-party risk management program. While more than half said they rely on contractual agreements to mitigate any third-party IoT risk, only 26% said they actually evaluate the IoT risk of third parties in their due diligence process.

"The good news is that some companies are becoming more aware of third party cyber risks and are actually implementing third party risk management programs," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a press release. "The bad news is that many organizations continue to struggle with the security risks posed by IoT, and are therefore not prepared to deal with the catastrophic consequences of a breach."

To better address IoT risks and improve third-party risk management, companies should proactively identify and replace unsecure IoT devices, Ponemon said in the release. They should also designate accountability for monitoring the use and deployment of IoT devices, and collaborate with third parties to find techniques to manage and mitigate IoT device and application risks, he added.

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
