
Managing Internet of Things (IoT) Devices With Third-Party Risk Management


Many industries use Internet of Things (IoT) devices to collect and manage data, including industrial organizations that collect and manage data from factory sensors, city planners that use IoT data to improve traffic flow, and transportation companies that use IoT data to manage fleets. It’s one of the best ways for organizations to modernize and take advantage of big data. However, few organizations have the resources or capability to design and run IoT systems, so they often use third parties to provide or manage the devices. Since IoT devices are so popular, third-party vendors are jumping into the market, but sometimes with questionable products.

It’s crucial that IoT devices are secure before they’re used by your organization. So, what exactly is IoT and why does it need third-party risk management (TPRM)?

An Overview of Internet of Things Third-Party Vendors

The IoT consists of physical objects fitted with sensors (and often actuators) that connect to other systems over wired or wireless networks or the internet. The term is reserved for purpose-built connected devices whose main job is collecting or acting on data, so general-purpose computers and smartphones aren't counted as IoT devices; wearables like smartwatches and fitness bands, smart speakers, self-driving vehicles, and card readers that plug into a smartphone are.

The IoT is making the world more connected and responsive as digital and physical worlds merge. Inexpensive wireless networking and microcontrollers have made it possible to turn anything, from a pill to a cargo ship, into a part of the IoT. Typically, devices with sensors connect to an IoT platform such as a hub or gateway. The data the devices collect is either analyzed on the device or gateway (edge computing) or sent to the cloud and analyzed there. End users can also use IoT platforms to access real-time data insights and make critical business decisions.

Third-Party Risk Management Teams Must Manage Internet of Things Risks

Few industry regulations push IoT vendors toward high security standards. California's IoT security law (SB-327) requires manufacturers to equip connected devices with reasonable security features, such as a password unique to each device or a forced credential change before first use, and the Biden administration's National Cybersecurity Strategy names IoT device security as a priority. But no federal regulation governs IoT use by private organizations; the IoT Cybersecurity Improvement Act of 2020 applies only to devices procured by federal agencies. Vendors are largely left to decide for themselves how secure their products are, which is why your own due diligence matters.

With the rush to get into the market, some IoT devices aren't developed well, lack vulnerability testing, and have quality control issues. This leads to risks that third-party risk management teams must be aware of and mitigate.

Three risks of IoT devices:

  1. Cybersecurity – IoT devices often ship with weak defaults (shared or default credentials, unpatched firmware, unencrypted management protocols) and receive security updates slowly or not at all, so they are easy to attack. A compromised device is both a source of data loss and a foothold on your network, and a breach at one of your IoT vendors could put your organization's and customers' data at risk.
  2. Poor visibility – There could be hundreds or thousands of IoT devices spread across your organization. If the third-party risk management team isn't aware of these devices, it leaves risk unmitigated.
  3. Operations risk – If a critical IoT vendor or device goes down at your organization, you may be unable to offer a product or service to your customers. This downtime can cause severe damage to your reputation.

Organizations that rely on IoT devices must pay close attention to who they choose to work with. That’s why using third-party risk management for the IoT is crucial.


How to Mitigate Internet of Things Risks With Third-Party Risk Management

Your IoT vendors should be treated like any other third-party vendor. They must demonstrate the proper measures, assessments, and checks to protect data and privacy, regardless of whether they provide hardware, connectivity, or additional services. Because of the risks of using IoT devices, it's crucial to use third-party risk management to identify and mitigate the risks of IoT vendors.

Here are 7 best practices to mitigate the risk of IoT vendors and devices:

  1. Know your IoT vendors – To start, inventory all your organization's IoT vendors, including hardware, software, data warehousing, and analysis. The vendors should be ranked as critical or non-critical. Vendors that are critical to the operations of your company will receive the highest level of scrutiny.

    Pro Tip: Your accounts payable department should be able to tell you who your organization has a contract with, so they’re a good starting point to get an inventory of IoT vendors. Your cybersecurity or information technology department can also be a helpful resource.
  2. Perform due diligence – Your organization should conduct a comprehensive due diligence review of your potential IoT vendors. You'll need to carefully examine and, where possible, test their cybersecurity practices and controls: how the vendor authenticates devices and users, how data is encrypted in transit and at rest, how firmware and security patches are delivered and for how long the device is supported, how vulnerability reports are handled, and what independent evidence (penetration test results, SOC 2 or similar reports) the vendor can show. Review their governance structure, IoT-device performance, industry history, breach policies, financial health, and insurance. Don't forget to check for fourth and nth parties so you can identify how they are utilized down the supply chain.
  3. Determine an IoT subject matter expert – Depending on the scope of your organization's IoT usage, at least one member of your third-party risk management team should become an expert in the IoT. The IoT TPRM expert should work closely with the legal department and have access to IT subject matter experts (SMEs) as needed.
  4. Address risk in your contract – Ensure that your contract contains performance expectations, security and patching commitments (including advance notice before a device model reaches end of support), the right to audit, corrective actions for non-performance, and clearly defined data breach notification timelines and responsibilities.
  5. Review your IoT vendors’ business continuity planning – Your IoT vendors should have a plan of action in place if a device goes down or experiences a cyberattack. You should review these plans and work with the vendor if there are any concerns. 

    Pro Tip: Your vendor's business continuity plan should include breach/disruption notification procedures, testing procedures and results, remote access availability during a disruption, and personnel loss and succession planning.
  6. Continuously monitor risks – Set up news alerts for your IoT vendors to inform your organization of any data breaches or other business-related issues, and track published vulnerabilities (CVEs) and vendor security advisories for the device models you deploy so that patches are applied promptly. Tell your frontline users they should notify the third-party risk management team if they see any problems with IoT vendors.
  7. Perform audit, corrective action, and termination processes – Ensure that your most critical IoT vendors are audited regularly. Establish a policy for corrective action in the event of non-performance or other issues. Make sure there’s a termination procedure as it may become necessary.
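One way to build the inventory that practice 1 asks for, and to close the visibility gap described earlier (devices on the network whose vendor has no contract on file), is to reconcile the accounts-payable vendor list against devices actually observed on the network. The script below is an added example, not Venminder's code or tooling: it parses ISC dhcpd-style lease records, derives each device's manufacturer from the OUI (the first three octets of its MAC address), and reports which manufacturers are contracted (with their criticality tier), which are present but unmanaged, and which cannot be attributed to a vendor at all. The lease lines, the contracted-vendor list and the OUI table are all constructed for the example; in practice the OUI mapping comes from the IEEE registry and the lease data from your DHCP servers or NAC.

```python
"""Reconcile contracted IoT vendors against devices seen on the network.

Added example for this article, not Venminder's code. Every input below is
constructed: swap in your accounts-payable export, your DHCP/NAC data and the
IEEE OUI registry for real use.
"""
import re
from collections import defaultdict

# Constructed: vendors accounts payable has a contract with, and the criticality
# tier the TPRM team assigned to each (practice 1).
CONTRACTED_VENDORS = {
    "Philips Lighting": "non-critical",
    "Nest Labs": "critical",
}

# Illustrative OUI (first three octets of the MAC) -> manufacturer table. These
# entries are an assumption for the example; load the IEEE OUI registry instead.
OUI_TO_MANUFACTURER = {
    "00:17:88": "Philips Lighting",
    "18:B4:30": "Nest Labs",
    "B8:27:EB": "Raspberry Pi Foundation",
    "EC:FA:BC": "Espressif Inc.",
}

# Constructed ISC dhcpd-style lease records, one per line for readability.
SAMPLE_LEASES = """\
lease 10.20.5.11 { hardware ethernet 00:17:88:4a:12:ef; client-hostname "hue-bridge"; }
lease 10.20.5.12 { hardware ethernet 18:b4:30:0c:77:01; client-hostname "thermostat-lobby"; }
lease 10.20.5.40 { hardware ethernet b8:27:eb:99:aa:bb; }
lease 10.20.5.41 { hardware ethernet ec:fa:bc:10:20:30; client-hostname "ESP_102030"; }
lease 10.20.5.42 { hardware ethernet ec:fa:bc:10:20:31; }
lease 10.20.5.50 { hardware ethernet 02:42:ac:11:00:02; }
"""

LEASE_RE = re.compile(
    r"lease\s+(?P<ip>\d+(?:\.\d+){3})\s*\{[^}]*?"
    r"hardware\s+ethernet\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r'(?:[^}]*?client-hostname\s+"(?P<host>[^"]*)")?[^}]*\}'
)


def parse_leases(text):
    """Return one {ip, mac, hostname} dict per lease record found in text."""
    return [
        {"ip": m["ip"], "mac": m["mac"].upper(), "hostname": m["host"] or ""}
        for m in LEASE_RE.finditer(text)
    ]


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: the address was assigned
    locally (VMs, containers, randomized MACs) and its OUI names no vendor."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def reconcile(devices, contracted, oui_table):
    """Split observed devices into managed (contracted vendor), unmanaged
    (known manufacturer, no contract) and unidentified (no vendor attribution)."""
    managed = {}
    unmanaged = defaultdict(list)
    unidentified = []
    for dev in devices:
        if is_locally_administered(dev["mac"]):
            unidentified.append({**dev, "reason": "locally administered MAC"})
            continue
        maker = oui_table.get(dev["mac"][:8])
        if maker is None:
            unidentified.append({**dev, "reason": "OUI not in table"})
        elif maker in contracted:
            entry = managed.setdefault(maker, {"tier": contracted[maker], "devices": []})
            entry["devices"].append(dev)
        else:
            unmanaged[maker].append(dev)
    return {"managed": managed, "unmanaged": dict(unmanaged), "unidentified": unidentified}


if __name__ == "__main__":
    report = reconcile(parse_leases(SAMPLE_LEASES), CONTRACTED_VENDORS, OUI_TO_MANUFACTURER)
    for maker, entry in report["managed"].items():
        print(f"managed   {maker} ({entry['tier']}): {len(entry['devices'])} device(s)")
    for maker, devs in report["unmanaged"].items():
        names = ", ".join(f"{d['ip']} {d['hostname'] or d['mac']}" for d in devs)
        print(f"UNMANAGED {maker}: {names}")
    for dev in report["unidentified"]:
        print(f"unknown   {dev['ip']} {dev['mac']}: {dev['reason']}")
```

Locally administered MAC addresses (bit 1 of the first octet set, as Docker and many VM platforms use and as phones randomize) carry no vendor information, so the script reports them as unidentified rather than guessing; those are the devices to chase down by hostname, VLAN or switch port. The unmanaged list is the input to practices 2 through 7: each manufacturer on it is either onboarded as a vendor and assessed, or its devices are removed.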

The IoT is driving growth because it's improving efficiency and business outcomes. Organizations must implement third-party risk management strategies that address their entire IoT ecosystem to ensure that IoT security risks don't outweigh IoT benefits.
