A new survey shows a high rate of concern among organizations about the security of the Internet of Things (IoT), yet a gap in understanding how to mitigate and communicate the risks, especially as it relates to third parties.

That’s according to “The Internet of Things (IoT): A New Era of Third Party Risk” by the Ponemon Institute and the Shared Assessments Program. The annual survey included more than 550 people in industries such as financial services, health care and others, who have a role in the risk management processes within their organizations.

Shared Assessment/Santa Fe Group’s Charlie Miller

Charlie Miller, senior vice president at Shared Assessments/The Santa Fe Group, tells Channel Partners that IT professionals have an important opportunity to educate their boards about the importance of IoT risk management, both within the four walls of their organization and with third parties who provide support for critical activities.

“Making IoT security an important part of organizational risk culture from the top down will make it far easier to obtain the right resources (both people and dollars) to build an effective IoT risk management program,” he said. “Headline-making, IoT-enabled distributed denial of service (DDoS) attacks should reinforce the risk magnitude. IT professionals are uniquely equipped, and have enormous experience in integrating technologies into business processes and operations to ensure the appropriate controls are in place. Educating critical stakeholders and to reinforce the urgency of stepping up IoT risk management efforts is clearly a role that IT channel can participate and as appropriate lead industry IoT standards and collaboration efforts.”{ad}

Among the key findings:

Participants in the study indicated they are aware that IoT introduces new security risks and vulnerabilities into their organizations.

“Without a doubt, IT professionals understand the potential risks IoT presents,” Miller said. “That said: Only 30 percent say that managing third party IoT risks is an organizational priority; 27 percent say that their organization allocates sufficient resources to managing third party IoT risks; and only 25 percent say that their governing boards require assurances that third party IoT risks are assessed and managed properly. It is imperative that as new technologies are included in channels that security is designed and built into those devices, features are understood and only enabled to support business requirements.”

According to the survey, companies are relying on legacy technologies and governance practices to address potential threat vectors, with 94 percent indicating they still use a traditional network firewall to mitigate threats. Such risks include the ability of criminals to harness IoT devices, botnets to attack infrastructure and launch points for malware propagation, spam, DDoS attacks and anonymizing malicious activities.

“The percentage of organizations that have a complete inventory of all IoT devices is exceedingly small, only 5 percent,” Miller said. “Asked why, 85 percent of survey respondents say there is no centralized control over IoT devices in their organizations, and 56 percent say they don’t have the resources to complete an inventory. Having clearly defined ownership, accountability and a complete understanding of the IoT environment within an organization, its supply chain and delivery channels are the most basic building block(s) required to develop an effective IoT security program. The survey shows how far we have to go, and it looks to be a long journey.”