Third-Party IoT Risk: Like Leaving the Front Door Unlocked

The Ponemon Institute has released its third annual study on third-party IoT risk in partnership with Shared Assessments. The study is full of insights on where organizations are in terms of their third-party risk management maturity, and specifically how their programs are accounting for the growth – and accordant risk – in IoT devices. I recommend you download and read the full report for details.

A few things really stood out to me in the report and I wanted to enumerate those here. Namely, that despite awareness of IoT risks, most organizations aren’t doing enough. I’ll review some steps that can be taken to overcome what you don’t know.

Summary of relevant findings*

I won’t detail all the findings from the report; it’s best if you review that on your own. Instead, I wanted to call out some of the data and conclusions regarding IoT risks here, and how you can begin addressing those today.

• There are demonstrated examples of data breaches caused by third-party unsecured IoT devices. In fact, 18 percent of organizations according to the study experienced such a breach.
• And, 82 percent of organizations responding to the study indicate there is a likelihood of a data breach caused by a third-party’s unsecured IoT devices happening in the next 24 months.
• But even though the report states that 68 percent of respondents say third party risks are increasing because of the rise in IoT, many companies’ risk management practices are not mature – or mature enough to handle this growth.
• In fact, less than a third of organizations are monitoring their third parties’ use of IoT.
• Why? Among other reasons, the inability to determine whether third party safeguards and IoT security policies are sufficient to prevent a data breach (55 percent of respondents) and the difficulty in managing the complexities of IoT platforms because of the number of third parties.

The study goes on to say that reviews of third-party risk programs and policies are primarily reactive or ad-hoc, with 39 percent of respondents saying reviews are conducted every two years or not on a regular basis or only if a third party has a security incident (18 percent of respondents).

The bottom line: It takes a breach before third-party risk policies and programs are reviewed.

Like leaving the front door unlocked for anyone to enter.

A reactive and inconsistent approach to monitoring and addressing third-party risks has shown time and again to be insufficiently agile for today’s organizations. In the case where IoT devices are involved, not monitoring how they are leveraged by your third-party vendors is like giving the keys to your network out to anyone who asks!

To close and protect access to the front door of your organization, consider taking the following four (4) steps:

1. Perform a deep, controls-based assessment on your third parties as it relates to their usage of IoT devices. Several control frameworks (e.g. ISO, NIST, etc.) maintain controls and sub-controls questions that can be leveraged alongside the SIG to help you assess what people, process, and technology is in place. Specific questions to ask include those around:

• IoT employee education and training
• Maintaining network segmentation
• Managing embedded device credentials
• Controlling administrative privileges
• Encryption
• Device discovery
• Vulnerability and patch management

2. As you wait for the results of the assessments to come in, perform monitoring of your third-party partners’ external networks. This scanning will help reveal potential configuration risks (e.g. SSL, DNS, app security), and threat-event-based risks (e.g. data breaches, IP threats, phishing events, etc.) in between your deep controls-based assessments. The results of this scan, plus what comes of the assessments performed in #1 above will inform your overall risk posture and help you be more proactive in reducing IoT risks.

3. Educate your board and senior leadership on the risks posed to your business by third parties through reporting and dashboarding. As we discussed in last week’s blog on TPRM maturity, it’s all about context.

4. Develop specific risk classifications and rules based on IoT. Establishing new TPRM programs or maturing existing programs based on industry best practices is hard work. By baselining the essential components of a comprehensive TPRM program you ensure clear definition of objectives and achievable milestones and documented processes, so you are responding less.

Next steps

By taking some quick steps, like those noted above, you can gain greater visibility and control over how your partners’ IoT devices and strategy impacts your own organization. For more on third-party risk management best practices, contact us today for a strategy session.

*All figures taken directly from the Ponemon/Santa Fe Group report, with no modification.