The Ponemon Institute has released its third annual study on third-party IoT risk in partnership with Shared Assessments. The study is full of insights on where organizations stand in terms of their third-party risk management maturity, and specifically on how their programs are accounting for the growth of IoT devices and the risk that comes with it. I recommend you download and read the full report for details.
A few things really stood out to me in the report and I wanted to enumerate those here. Namely, that despite awareness of IoT risks, most organizations aren’t doing enough. I’ll review some steps that can be taken to overcome what you don’t know.
Summary of relevant findings*
I won’t detail all the findings from the report; it’s best if you review that on your own. Instead, I wanted to call out some of the data and conclusions regarding IoT risks here, and how you can begin addressing those today.
The study goes on to say that reviews of third-party risk programs and policies are primarily reactive or ad hoc: 39 percent of respondents say reviews are conducted every two years or not on a regular basis, and 18 percent say reviews are conducted only if a third party has a security incident.
The bottom line: It takes a breach before third-party risk policies and programs are reviewed.
Like leaving the front door unlocked for anyone to enter.
A reactive and inconsistent approach to monitoring and addressing third-party risks has been shown time and again to be insufficiently agile for today’s organizations. Where IoT devices are involved, not monitoring how your third-party vendors use them is like handing out the keys to your network to anyone who asks!
To close and protect access to the front door of your organization, consider taking the following four (4) steps:
1. Perform a deep, controls-based assessment of your third parties as it relates to their usage of IoT devices. Several control frameworks (e.g. ISO, NIST, etc.) maintain control and sub-control questions that can be used alongside the SIG to help you assess what people, processes, and technology are in place. Specific questions to ask include those around:
2. While you wait for the results of the assessments to come in, monitor your third-party partners’ external networks. This scanning helps reveal potential configuration risks (e.g. SSL, DNS, app security) and threat-event-based risks (e.g. data breaches, IP threats, phishing events, etc.) in between your deep controls-based assessments. The results of this scan, combined with the findings of the assessments performed in #1 above, will inform your overall risk posture and help you be more proactive in reducing IoT risks.
3. Educate your board and senior leadership on the risks posed to your business by third parties through reporting and dashboarding. As we discussed in last week’s blog on TPRM maturity, it’s all about context.
4. Develop specific risk classifications and rules for IoT. Establishing new TPRM programs or maturing existing ones based on industry best practices is hard work. By baselining the essential components of a comprehensive TPRM program, you ensure clearly defined objectives, achievable milestones, and documented processes, so you spend less time reacting.
By taking some quick steps, like those noted above, you can gain greater visibility into and control over how your partners’ IoT devices and strategy impact your own organization. For more on third-party risk management best practices, contact us today for a strategy session.
*All figures taken directly from the Ponemon/Santa Fe Group report, with no modification.