With the proliferation of IoT devices and networks that extend connectivity beyond the plant walls, it’s not surprising that companies are experiencing data breaches. What is surprising is that reported data breaches have grown from 15% of companies using IoT in 2017 to 26% today. And that doesn’t count the companies that don’t know they’ve been breached.
A Ponemon Institute study on cybersecurity risk for third-party deployments reveals growing risks of data breaches. (Image source: Ponemon Institute.)
A Ponemon Institute report conducted by The Santa Fe Group – The Third Annual Study on Third Party IoT Risk: Companies Don’t Know What They Don’t Know – reveals a dramatic increase in IoT-related data breaches specifically due to unsecured IoT devices or applications. In the two years since 2017, the number of breaches nearly doubled. The real figure may be higher still, because most organizations are not aware of every unsecured IoT device or application supplied by third-party vendors.
More alarmingly, the organizations surveyed have no centralized accountability for addressing or managing IoT risks. Fewer than half of company board members approve programs intended to reduce third-party risk, and only 21% of board members are highly engaged in security practices and understand third-party and cybersecurity risks in general. More than 80% of respondents believe their data will be breached in the next 24 months.
A Wide Range of New Attacks
The attacks on IoT connectivity are varied in nature, from old-style hacking to sophisticated organizational breaches. “Certainly, we’re seeing more ransomware related attacks, but we’re also seeing an increase in nation-state – or quasi-nation state – attacks,” Charlie Miller, senior advisor at The Santa Fe Group, told Design News. “Other studies also show an increase in the number of data breaches. I’m not certain if the increase is due to greater regulatory scrutiny, heightened internal privacy awareness, or if it’s simply an increased number of attackers using IoT as the least secure way in.”
The study also tracked how companies are responding to security issues. Miller noted a difference in the response to attacks by companies that deployed their own IoT system versus companies that used a vendor to deploy IoT. “We are seeing contradictory evidence from two recent studies,” said Miller. “A recent study on IoT systems that were not deployed by third-party vendors suggests a more positive picture, while the Third Party Risk Benchmarking Survey showed some slippage in terms of the percentage of companies with incident response and recovery plans in place.”
Who’s in Charge of Cybersecurity?
The IoT study reveals that 67% of companies have incident response plans that cover security breaches, but only 33% include contingencies for security breaches that specifically result from an IoT security incident. “We know from other research that risk-related internal communications and education are not where we want them to be broadly,” said Miller. “Since IoT is an emerging area of risk, organizations have largely not integrated IoT risks into existing risk education programs.”
Not surprisingly, companies that emphasize risk mitigation were best prepared to deal with IoT breaches. “There is evidence to suggest that organizations with strong risk cultures are more likely to develop effective IoT risk education programs more quickly,” said Miller. “If you examine the energy and effort it has taken to inform individuals about the risk associated with email and phishing-related attacks, it suggests that IoT education efforts should be more challenging.”
The report indicates that 32% of respondents could not identify one person responsible for security. If no single person is identified as responsible for security, does that mean nobody is responsible? “Only 32% of companies have one individual in charge of security. That’s not a good number. It indicates a failure in risk governance,” said Miller. “Larger organizations often have single points of responsibility within multiple affiliates. That’s effective. When you don’t have one person responsible for collecting and maintaining data, that’s a surefire recipe for failure.”
Rob Spiegel has covered automation and control for 19 years, 17 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cybersecurity. For 10 years, he was owner and publisher of the food magazine Chile Pepper.