IoT-related data breaches on the rise, research shows

Unsecured IoT hardware affects consumers and enterprises both, but according to the latest Ponemon Institute study, the risks are considerably greater when people are not aware how many smart devices they are actually stocking.

Companies are increasingly at risk of incurring an IoT-related data breach due to an unsecured smart device. In a study conducted for The Santa Fe Group, Ponemon researchers noticed a dramatic increase in IoT-related breaches since 2017 – from 15 percent to 26 percent. Researchers caution that the number should be even greater because most organizations don’t have an exact assessment of their IoT fleet.

“Cyberattacks, data breaches and overall business disruption that can be caused by unsecured IoT devices in the workplace and used by third parties are increasing because companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies,” the report’s authors say.

Of the organizations surveyed, none had a centralized accountability process to address or manage IoT risks. Company board members aren’t exactly scrambling to approve programs intended to reduce third party risk. Furthermore, only two in ten board members are “highly engaged” in cyber-security matters. And 80 percent of those board members indeed expect to incur a breach in the next two years.

“This study proves it’s no longer a matter of if but when and board members of organizations need to pay close attention to the issue of risk when it comes to securing a new generation of IoT devices that have found their way into your network, workplace and supply chain,” said Cathy Allen, founder and CEO of The Santa Fe Group. “The study shows that there’s a gap between proactive and reactive risk management. The time to address this issue is now and not later.”

While few companies are making board-level governance a priority, the IoT threat landscape is continuously expanding. Experts recommend that companies begin assigning ownership to the management of IoT risks, allocate adequate staffing and budgets, add IoT risks to risk management programs, and conduct employee training programs on the risks created by IoT devices. Lastly, but equally important, they warn: “Companies should be prepared for IoT regulatory oversight to rise.”

One such regulation is California’s ban on weak default passwords in IoT hardware. The new legislation goes into effect next year and asks of device manufacturers to ensure that each device comes with a unique password and / or require users to generate their own.