Companies Are Largely Unprepared for Internet of Things Cyber Risks, Report Finds

It sounds like the plot of a B-rate horror movie: the creepy, animate doll. But the platinum-haired, denim-clad Cayla doesn’t look so threatening.

Cayla the doll was in the news for having the unusual talent of spying on your children. The dollmaker’s website extols Cayla for her interactivity, which includes reading stories, sharing photos and talking — in fact, answering virtually any question you pose her.

German authorities, however, were less enthused.

The federal agency overseeing electronic privacy issued a ban on the doll last month, citing Cayla’s ability to collect and transmit everything it hears to Nuance, a U.S.-based voice recognition company that, as NPR reported, also counts intelligence agencies among its clients.

IoT is a Big Deal for Companies

The fact that the internet of things (IoT) has great implications — positive ones — for procurement and supply chain is indisputable. In 2015, Spend Matters and Vroozi co-published a research paper titled Declaration of the New Purchasing: A Buying Manifesto, in which one of the “articles” focused on IoT.

“Article 12: The internet of things (IoT) will surround us, creating unprecedented levels of visibility into the consumption patterns of what we buy and how we use it, creating feedback loops and changing how we manage demand.

All purchases (including money spent on people and labor) will be tracked and monitored continuously. From apps on devices that track movement and access to tagging equipment and supplies, we will create unprecedented sets of data from which to analyze and make better decisions. The feedback loops between different tagged assets, items, people and customer activities will further create new levels of visibility through metadata analysis, changing the very basis of how we assign our time and effort to different activities in procurement.”

Procurement is hardly the only sector excited about IoT. According to a survey of nearly 1,000 enterprise IT buyers worldwide conducted late last year by research firm 451 Research, 71% of organizations are already gathering IoT data. Over the course of this year, 90% will be increasing IoT spending. There are still plenty of concerns, such as uncertain ROI, but the top factor impeding IoT deployments is security.

But Are Companies Prepared for New Cyber Risks?

A big problem with IoT devices so far is how easily they can be compromised. Samsung Smart TVs, thermostats, baby monitors, even toasters — all of these are smart devices that have been successfully hacked. As high-tech as they are, many lack basic cybersecurity protections like encryption or a strong password.

Now unless you’re having important meetings in the company kitchen, the average procurement organization is unlikely to be affected by malfunctioning toasters. But perhaps it is telling that Consumer Reports announced this month that it will begin considering cybersecurity and privacy safeguards in product reviews, as it works to develop methodologies for determining how easily a product could be hacked. With more IoT devices providing more real-time information on all aspects of a supply chain, from inventory to transportation, there is also more exposure to risk.

Source: Ponemon Institute’s 2017 Study on Mobile and IoT Application Security

Ponemon Institute recently released its 2017 Study on Mobile and Internet of Things Application Security, which looks at how prepared companies are against risks posed by mobile and IoT vulnerabilities. The study surveyed 593 IT security practitioners from organizations that are users of mobile apps and IoT devices, developers of them, or both. Here are some of the major findings:

  • Organizations are concerned about IoT security, with 55% of respondents saying that there is a “lack of quality assurance and testing procedures” for IoT apps.
  • Securing IoT apps is done primarily via penetration testing.
  • The race to release new products is the biggest cause of vulnerable code. Other causes include lack of internal policies on security requirements and coding errors.
  • Half of the respondents believe their organizations have had a material data breach or a cyberattack due to an IoT app, but only 4% can say so with certainty (see Figure 11 above).
  • Only 30% of respondents think their organizations allocate enough budget for cybersecurity.
  • Organizations would consider increasing the budget if a severe hacking incident occurred (54%) or new regulations were put into place (46%).
  • Less than a third of respondents say that their companies educate developers on safe coding practices for IoT apps.
  • Roughly half of respondents say that IoT app testing does not occur, though only a quarter said so for mobile apps.

It is estimated that by 2020, 24 billion IoT devices will be installed, more than double the number in circulation now, and the majority of those devices will be used by businesses and governments. According to Tata Consultancy Services, industrial manufacturing and banking and financial services are seeing the largest returns from IoT investments.

But increased cyber risk in those sectors could also do some incredible damage.


First Voice

  1. John:

    I’d rather fund a good amount of money for enhancing security systems than make a lot of apps that might cause encryption to my users.
