Ponemon’s Third Annual Study on Third Party IoT Risk: Companies Don’t Know What They Don’t Know

Third Party Risk Factors Require More Board Level Attention on IoT

SANTA FE, N.M.–(BUSINESS WIRE)–The Santa Fe Group, authorities in risk management and the managing
agent of the Shared Assessments Program, today released the results of the Third Annual
Ponemon Institute’s study on Third Party Risk for the Internet of Things
(IoT). Ponemon reports a dramatic increase in IoT-related data breaches
specifically due to an unsecured IoT device or application since 2017 –
from 15 percent to 26 percent – and the real figure may be
greater, because most organizations are not aware of every unsecured IoT
device or application in their environment or at third party vendors.

More alarmingly, organizations surveyed have no centralized
accountability to address or manage IoT risks. Less than half of company
board members approve programs intended to reduce third party risk and
only 21 percent of board members are highly engaged in security
practices and understand third party and cybersecurity risks in general.
More than 80 percent of respondents believe their data will be breached
in the next 24 months.

“This study proves it’s no longer a matter of if but when and board
members of organizations need to pay close attention to the issue of
risk when it comes to securing a new generation of IoT devices that have
found their way into your network, workplace and supply chain,” said
Cathy Allen, founder and CEO of The Santa Fe Group, Santa Fe, NM. “The
study shows that there’s a gap between proactive and reactive risk
management. The time to address this issue is now and not later.”

This year’s study shows where improvements are critically needed in the
following areas:

  • While respondents believe a positive tone at the top is important to
    minimizing business and third-party risks, few companies represented
    in this study are making board-level governance an essential part of
    their risk management program.
  • The IoT threat landscape is expanding rapidly; yet many companies are
    not assigning accountability or ownership for the management of IoT.
  • Staffing and budgets are not adequate to manage third party IoT risks.
  • Third party risk management (TPRM) programs should include IoT risks
    in order to evolve and mature their practices.
  • IoT risk assessment and due diligence must move from TRUST assurance
    to VERIFY control validation techniques.
  • Companies should be prepared for IoT regulatory oversight to rise.
  • Most companies do not conduct employee training programs on the risks
    created by IoT devices. Such training must begin now.

A complete copy of the study can be downloaded here.

About the Ponemon Institute

Founded in 2002 by Dr. Larry Ponemon and Susan Jayson, Ponemon Institute
conducts independent research on data protection and emerging
information technologies. Our goal is to enable organizations in both
the private and public sectors to have a clearer understanding of the
trends in regulations and the threat landscape that will affect the
collection, management and safeguarding of information assets. Ponemon
Institute research informs organizations on how to improve upon their
data protection initiatives and enhance their brand and reputation as a
trusted enterprise.

Ponemon Institute is the parent organization of the Responsible
Information Management (RIM) Council. The RIM Council draws its name from the
practice of Responsible Information Management, an ethics-based
framework and long-term strategy for managing personal and sensitive
employee, customer and business information. Members of the RIM Council
represent a cross-section of Fortune 500 companies and are champions of
privacy and data protection in their organizations.

About the Shared Assessments Program

As the only organization that has uniquely positioned and developed
standardized resources to bring efficiencies to the market for more than
a decade, the Shared Assessments Program has become the trusted source
in third party risk assurance. Shared Assessments offers opportunities
for members to address global risk management challenges through
committees, awareness groups, interest groups and special projects. Join
the dialog with peer companies and learn how you can optimize your
compliance programs while building a better understanding of what it
takes to create a more risk sensitive environment in your organization.

About The Santa Fe Group

The Santa Fe Group’s risk management experts work collaboratively with
organizations worldwide to identify valuable trends, risks, and
vulnerabilities, and to advise, educate, and empower organizations in
the areas of cybersecurity, third party risk, emerging technologies, and
program management. The Santa Fe Group is the managing agent of the
membership-based Shared Assessments Program, which helps many of the
world’s leading organizations manage and protect against third party IT
security risks.


Dan Chmielewski
Madison Alexander PR, Inc.
[email protected]
