
Boards Pay Little Attention To IoT Security Risks, Shows Study

The IoT threat landscape is expanding rapidly; yet many companies are not assigning accountability or ownership to the management of IoT risks.

Researchers have identified a significant increase in the number of breaches and attacks related to the Internet of Things (IoT). The new Ponemon Institute report states that most companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies.

The report, released by the Santa Fe Group, an authority in risk management and the managing agent of the Shared Assessments Program, observes that IoT risks stem from a lack of security in IoT devices. Ponemon Institute identified a sizable increase in the number of organizations reporting an IoT-related data breach. In 2017, only 15% of survey participants had suffered an IoT-related data breach. That number jumped to 26% in this year’s report, which surveyed over 600 CIOs, CISOs and chief risk officers in the US and other regions, including India.

Over the last year, 23% of respondents said they experienced a cyber-attack and 18% said they had a data breach caused by unsecured IoT devices among third-party vendors. Even those who have yet to identify a breach feel certain that the future of IoT will be weighed down by risk.

The CIOs, CISOs and risk officers surveyed said that they have no centralized accountability to address or manage IoT risks. Less than half of company board members approve programs intended to reduce third-party risk. Only 21 percent of board members are highly engaged in security practices and understand third-party and cybersecurity risks in general. More than 80 percent of respondents believe their data will be breached in the next 24 months.

“This study proves it’s no longer a matter of if but when and board members of organizations need to pay close attention to the issue of risk when it comes to securing a new generation of IoT devices that have found their way into your network, workplace and supply chain,” said Cathy Allen, founder and CEO of The Santa Fe Group, Santa Fe, NM. “The study shows that there’s a gap between proactive and reactive risk management. The time to address this issue is now and not later.”

This year’s study shows where improvements are critically needed in the following areas:

  • While respondents believe a positive tone at the top is important to minimizing business and third-party risks, few companies represented in this study are making board-level governance an essential part of their risk management program.
  • The IoT threat landscape is expanding rapidly; yet many companies are not assigning accountability or ownership to the management of IoT risks.
  • Staffing and budgets are not adequate to manage third-party IoT risks.
  • Third-party risk management (TPRM) programs should include IoT risks in order to evolve and mature their practices.
  • IoT risk assessment and due diligence must move from TRUST assurance to VERIFY control-validation techniques.
  • Companies should be prepared for IoT regulatory oversight to rise.
  • Most companies do not conduct employee training programs on the risks created by IoT devices. Such training must begin now.