New Research Reveals Lack of Oversight Regarding Security of Third Party IoT Implementation

Report from the Ponemon Institute and Shared Assessments indicates 76 percent of those surveyed believe an IoT cyber attack will occur within the next two years, but only 25 percent of board members want assurance that IoT risks are assessed

SANTA FE, NM--(Marketwired - May 31, 2017) - The Ponemon Institute, an independent research firm focused on privacy, data protection and information security policy, and the Shared Assessments Program, the industry-standard body on third party risk assurance, today released findings from its annual survey, The Internet of Things (IoT): A New Era of Third Party Risk. The findings uncovered a high rate of concern among organizations about the security of IoT, yet a gap in understanding of how to mitigate and communicate the risks, especially as it relates to third parties. 

The report was distributed to understand organizations' level of awareness and preparedness for the upcoming enterprise IoT wave. Respondents were asked to evaluate their perception of IoT risks, the state of current third party risk management programs, as well as current governance practices to defend against cyber attacks.

The Ponemon Institute surveyed 553 individuals in industries such as financial services, healthcare and others, who have a role in the risk management processes within their organizations and determined the following key findings:

  • 76 percent say a DDoS attack involving an unsecured IoT device is likely to occur within the next two years.
  • 94 percent of those surveyed noted that a security incident related to unsecured IoT devices or applications could be catastrophic.
  • 69 percent of respondents do not keep their CEO and board informed about the effectiveness of the third party risk management program.
  • Only 44 percent say their organization has the ability to protect their network or enterprise systems from risky IoT devices.
  • 77 percent of respondents are not considering IoT-related risks in their third party due diligence.
  • 67 percent of those surveyed are not evaluating IoT security and privacy practices before engaging in a business relationship.

"More and more enterprises are turning to IoT to improve business outcomes and this growth is creating a breeding ground for cyber attacks," said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. "What's shocking about these findings is the complete disconnect between understanding the severity of what a third party security breach could mean for businesses, and the lack of preparedness and communication between departments."

Participants in the study indicated they are aware that IoT introduces new security risks and vulnerabilities into their organizations. "From our research findings, it appears only 25 percent of respondents say that their boards require assurances that IoT risks are being assessed, managed and monitored appropriately. This leaves opportunity and need for board education and oversight best important follow-up to this study for the Shared Assessments Program," said Catherine Allen, Chairman and CEO of The Santa Fe Group, and corporate board director.

Other efforts to mitigate third party risks in the IoT ecosystem are lagging. According to the research, companies are relying on legacy technologies and governance practices to address potential threat vectors, with 94 percent indicating they still use a traditional network firewall to mitigate threats. Such risks include criminals harnessing IoT devices as botnets to attack infrastructure, as launch points for malware propagation, spam and DDoS attacks, and as a means of anonymizing malicious activity.

"Ready or not, IoT third party risk is here. Given the proliferation of connected devices, today's cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever," said Charlie Miller, Senior Vice President with the Shared Assessments Program. "In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats. New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party. Avoiding these problems can no longer be the solution."

For more information on the report, visit:

About the Shared Assessments Program
The Shared Assessments Program has been setting the standard in third party risk management since 2005. Member-driven development of program resources helps organizations to effectively manage the critical components of the third party risk management lifecycle by creating efficiencies for conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency. Program Tools are kept current with regulations, industry standards and guidelines and the current threat environment; and are adopted globally across a broad range of industries both by service providers and their customers. The Shared Assessments Program is managed by The Santa Fe Group, a strategic advisory company based in Santa Fe, New Mexico. For more information, please visit

About Ponemon Institute
Ponemon Institute conducts independent research and education that advances information security, data protection, privacy and responsible information management practices within businesses and governments throughout the world. Our mission is to conduct high quality, empirical studies on critical issues that affect the protection of information assets and IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards.

Contact Information:

Nicole Davidow