A recent survey by the Ponemon Insitute and the Shared Assessments Program of 553 people with a role in risk management in their organizations found that 94 percent of those surveyed said a security incident related to unsecured IoT devices or applications could be catastrophic.
Still, just 44 percent of respondents said their organization has the ability to protect their network or enterprise systems from risky IoT devices, and only 25 percent said their boards require assurances that IoT risks are being appropriately assessed, managed and monitored.
Additionally, 77 percent of respondents said they don’t consider IoT-related risks in their third party due diligence, and 67 percent don’t evaluate IoT security and privacy practices before engaging in a business relationship.
Just 30 percent of respondents said managing third-party IoT risks is a priority in their organization.
“Ready or not, IoT third party risk is here,” Shared Assessments senior vice president Charlie Miller said in a statement. “Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever.”
“In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats,” Miller added. “New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party. Avoiding these problems can no longer be the solution.”
In response, the report urges organizations to take the following key steps:
Ensure inclusion of third-party and IoT risks occurs at all governance levels including the board.
Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
Continue to leverage and enhance contracts and policies and expand scope to include IoT specific requirements.
Expand third-party assessment techniques and processes to ensure presence and effectiveness of controls specific to IoT devices.
Develop specific sourcing and procurement requirements to ensure only IoT devices that are designed with security functions included and enabled are considered for product selection or acquisition.
Devise new strategies, technologies and tactics directed specifically at reducing threats posed by IoT devices.
Collaborate with industry experts, peers, associations and regulators to ensure IoT risk management best practices are devised, communicated and implemented.
Include IoT in communication, awareness and training at all levels: board, executive, corporate, business unit and third-party.
Recognize the increasing dependence on technology to support the business and the risk posed by this dependence.
Embrace new technologies and innovations, but not at the expense of security, and ensure security controls are included as fundamental and core requirements.
Seventy-two percent of respondents said the pace of innovation in IoT and the varying standards for security make it hard to ensure the security of IoT devices and applications, and 65 percent said the drive for innovation in the IoT ecosystem requires new approaches to IT strategies and tactics.
Breaches and DDoS Attacks
Strikingly, 78 percent of respondents said a data breach involving an unsecured IoT device is likely to occur within the next two years, and 76 percent said the same of a DDoS attack involving an unsecured IoT device.
The concerns come as DDoS attacks become more and more frequent — according to Nexusguard’s Q1 2017 DDoS Threat Report, DDoS attack frequency surged by 380 percent in the first quarter of 2017, compared to the same time period the previous year.
The percentage of days with attacks larger than 10 Gbps rose significantly between January 2017 (48.39 percent) and March 2017 (64.29 percent).
Radware vice president of security Carl Herberger told eSecurity Planet by email that the rapid proliferation of unsecured IoT devices is driving the increase in DDoS attacks. “The Mirai attack made headlines last year, but it should not be considered a one-off,” he said. “Instead, this event was a predictor of what is to come.”
“Hackers are constantly developing new ways to leverage connected devices with little to no security protections to form larger and larger botnets that are able to execute dangerous and sizable DDoS attacks,” Herberger added. “We’ve seen various botnets appear over the last year, including Hajime, BricketBot and Persirai, demonstrating that IoT devices have become a new battleground for hackers.”
“Until manufacturers, the government, and consumers take a hard look at IoT security, the threat of bigger, more frequent IoT-fueled DDoS attacks will only loom larger,” Herberger said.