IoT Attacks on the Rise
A new Ponemon Institute study on the internet of things (IoT) and risk found a “dramatic increase” in IoT-related data breaches — 26%, up from 15% in 2017.
Causes for the breaches were specifically tracked to an unsecured IoT device or application. While 26% of respondents reported a data breach and 24% reported a cyberattack in the last year, there was also a marked increase in IoT exploits at the third-party level.
A drill-down of the results showed that 18% experienced a data breach and 23% experienced a cyberattack caused by a third party’s unsecured IoT devices in the last year. That’s up from 14% and 18%, respectively, in the previous year.
“This study proves it’s no longer a matter of if, but when, and board members of organizations need to pay close attention to the issue of risk when it comes to securing a new generation of IoT devices that have found their way into your network, workplace and supply chain,” said Cathy Allen, founder and CEO of The Santa Fe Group, a risk management firm which sponsored the study.
The vast majority of respondents expect third-party IoT attacks to escalate: Eighty-one percent expect an attack such as a DoS, and 82% anticipate a data breach caused by a third party’s unsecured IoT devices or applications. That’s up from 77% and 75%, respectively, in the previous study.
However, just 9% said that their organizations currently inform and educate employees and third parties about the risks created by IoT devices. Further, nearly a third (32%) of respondents have yet to make one person or department in their organization responsible for managing IoT risks.
“The study shows that there’s a gap between proactive and reactive risk management. The time to address this issue is now and not later,” Allen said.
Problem areas with IoT devices and applications mirror those found with other types of hardware and applications, including mobile. But additional challenges exist as well, such as no built-in security measures and badly managed data monetization models, making the data easily accessible to many entities. While many of these IoT risks are known, little is being done at the manufacturer and developer level to mitigate them. Things are just as dire on the buyer/user end, as this study points out. Staffing and budgets are not adequate to manage third-party IoT risks. Further, third-party risk management (TPRM) programs often do not include IoT risks, making it harder to improve practices and processes over time.