By Stuart Corner of IoT Australia
The Ponemon Institute has called on organisations to conduct, as a matter of urgency, employee training programs on the risks created by IoT devices.
Its view comes from the results of a survey sponsored by third party risk management company Shared Assessments in which Ponemon found few companies conducting training and awareness programs to minimise the risks created by their own employees and associated third parties.
“Most companies do not conduct employee training programs on the risks created by IoT devices,” it said. “Companies are very slow to adopt training programs specifically on IoT risks.”
Very few respondents (11 percent) said their organisation informed and educated employees and third parties about the risks created by IoT devices in the workplace and what steps were needed to minimise the risk.
However, 27 percent of respondents said their organisation planned to do so in the next six months, and 39 percent said they would do so in the next 12 months.
Cyber attack via IoT inevitable
According to Ponemon, it’s not if, but when organisations will have a security exploit caused by unsecured IoT devices or applications.
Eighty-seven percent of respondents believed a cyber attack, such as a distributed denial of service (DDoS), was very likely to occur in the next two years, an increase from 82 percent of respondents in last year’s study. Similarly, 84 percent of respondents said it was very likely their company would have a data breach caused by an IoT device or application.
Ponemon also found a significant gap between the monitoring of IoT devices in the workplace and the IoT of third parties. Half of respondents said their organisations were monitoring the devices used in their organisations, while less than a third were monitoring their third parties’ use of IoT.
IoT risk management immature
Ponemon says a gap also exists between awareness of IoT risks and the maturity of risk management programs.
“While 68 percent of respondents say third party risks are increasing because of the rise in IoT, many companies’ risk management practices are not mature,” it says.
Specifically, only 45 percent of respondents said their risk management process was aligned with their organisation’s business goals, and only 34 percent of respondents said there was an approved risk appetite framework incorporating clearly expressed risk tolerance levels. Moreover, Ponemon says, sufficient budget and staffing are not being allocated to manage third party IoT risks.
IoT device risks not being classified
Ponemon also found few organisations completing risk classifications based on the IoT device’s functionality or the type of data it handles. Only 43 percent of respondents said they managed IoT risk by classifying the functionality the IoT device provides, and only 49 percent classified the risk based on the type of data processed or accessed by the IoT device.
However, the use of scanning to identify the type of IoT device is on the increase. The proportion of respondents reporting that their organisations used technologies to scan and identify IoT devices in the workplace had increased from 49 percent to 63 percent since 2018. Even so, about half of respondents said there was no set schedule for such scanning.
Stuart Corner is editor of IoT Australia