Major Uptick in IoT-Related Breaches and Attacks
Researchers have identified a significant uptick in breaches and attacks related to the internet of things (IoT), according to a new Ponemon Institute report, The Third Annual Study on Third Party IoT Risk: Companies Don’t Know What They Don’t Know.
Released today by the Santa Fe Group, the study yielded 35 key findings on IoT risks stemming from a lack of security in IoT devices. Ponemon Institute identified a sizable increase in the number of organizations reporting an IoT-related data breach. In 2017, only 15% of survey participants had suffered an IoT-related data breach. That number jumped to 26% in this year’s report, which surveyed 625 risk management and governance experts.
“The actual number may be greater as most organizations are not aware of every unsecure IoT device or application in their environment or from third party vendors,” the report said. In fact, the study found that more IoT security issues are being reported at the third-party level.
Over the last year, 23% of respondents said they experienced a cyber-attack and 18% said they had a data breach caused by unsecured IoT devices among third-party vendors. Even those who have yet to identify a breach feel certain that the future of IoT will be weighed down by risk.
When asked whether it is likely that their organizations will experience a cyber-attack such as a denial-of-service (DoS) attack caused by unsecured IoT devices or applications in the next 24 months, 87% of respondents said yes, according to the report.
Respondents tended to have similar perceptions about risks from the wider IoT partner ecosystems, with 81% expecting a DoS attack and 82% anticipating a data breach caused by a lack of security in the devices or applications of their third parties.
Despite these perceptions, the study found that only 9% of respondents said their companies have education policies to inform employees about IoT third-party risks, and nearly a third (32%) do not have a designated person in their department or organization who is responsible for managing IoT risks.
Source: Information Security Magazine