By 2020, there will be an estimated 30.1 billion Internet of Things (IoT) devices in-use worldwide.
IoT devices range from smart thermostats and lights, to locks and digital video recorders (DVRs). They may not look like computers, but once connected to your network, they transmit and receive data like one, presenting several business cyber security risks.
As well as transforming a myriad homes and various industries, the internet of things (IoT) has been reshaping enterprises. And one of the most apparent manifestations of how the IoT has prompted changes in businesses and organizations is the presence and use of employee owned IoT devices in the workplace.
Gone are the days when, in accordance with the practice known as BYOD (bring your own device), employees would bring only their laptops, tablets, or smartphones to work and connect them to the office network primarily to aid them in their tasks. Now, employees are apt to also bring their personal IoT devices to be able to continue using them even while at work. These include wearables like smartwatches and fitness trackers, entertainment devices such as e-readers and game consoles, and even portable appliances such as smart coffee makers and printers.
But the influx of such IoT devices in the workplace poses a new set of challenges for enterprises, particularly their security teams. Already, security teams are tasked with ensuring the protection of employee-owned laptops, tablets, and smartphones — the main, if not the only, devices in the BYOD norm of old — along with actual company assets. Under the new normal, they also must contend with risks and threats that arise from the increasing prevalence of miscellaneous consumer-grade IoT devices within enterprise premises. This is especially true considering that instances of compromise involving IoT devices have emphasized how these technological conveniences have attendant security concerns that not all companies may be immediately prepared for.
Organizations’ established BYOD policies and procedures play a big role in preventing unauthorized access and otherwise defending business assets. But as more and more employees opt to bring their IoT devices to work, these will have to adapt to the changes in the IoT security landscape. Short of revoking BYOD privileges, enterprises should therefore update their BYOD programs.
Taking advantage of device vulnerabilities has long been a popular tactic among threat actors, and it is no different with IoT devices. In fact, some of the most damaging IoT device-related incidents that made headlines over the years resulted from the exploitation of vulnerabilities. And in many instances, there had been available fixes for the flaws in question. Indeed, negligence in applying patches to affected devices is an issue that enterprises need to deal with, especially since vulnerabilities can allow attackers to make further movement beyond the devices and into company networks and assets.
An onboarding procedure should be in place to enable employees to register their devices with the IT and security teams before the devices can connect to the enterprise network. In the enrollment process, all relevant device and system information should be logged, and proper device security settings should be configured, among other key steps. A continuous awareness program is also recommended to remind employees to regularly install patches and updates from legitimate vendors and developers for their respective devices.
IoT devices in BYOD environments — be they smartwatches, smart health trackers, smart speakers, or smart yoga mats — are brought in by employees to make uninterrupted use of their special features. But hackers can take advantage of these functionalities to get through the enterprise network, especially given the often-minimal security measures in place for the devices. Access to the company network can allow attackers to carry out their malicious activities: scanning for other vulnerable devices, sniffing for data, stealing stored information, accessing servers and systems, and turning devices into parts of botnets, among others.
Employees should be encouraged to familiarize themselves with the specific features of their IoT devices, especially for possible hidden features or components. Further, aside from requiring employees to have their personal devices duly enrolled, the company should set up a network, separate from the one used for actual operations, to which these devices should be connected. It should also adopt a multilayered security solution that can detect and block malicious activities and attacks from networks to endpoints.
A simple online search can show a multitude of exposed devices connected to the internet, such as smartwatches and smart speakers, along with associated systems that may likewise be exposed. This is troubling in that attackers have been known to choose an exposed device, note the device’s unique system information, and assess the vulnerabilities of the device and the system it is connected to facilitate targeted attacks. With just a cursory online search to go on, malicious actors can use a variety of techniques to access and cause damage to the target company’s network and assets.
Enterprises should consider using website tools to aid in scanning their networks for exposed devices, open ports, and other threat vectors — and should execute the necessary actions against any discovered lapses in security. They should also implement awareness programs and learning courses to promote a security-first mindset among employees, including preventive measures against device exposure.
As likely as it is for an ordinary watch to be lost or stolen, it is just as probable for a smartwatch to meet the same fate. But in the case of the latter, there is the risk of information leakage or data exfiltration, which may involve sensitive company information and data stored in email and memo apps, for example — especially if the smartwatch was being used in a BYOD environment. Lost or stolen devices are another important BYOD security consideration since the information or data they contain can be used by threat actors to carry out sabotage or espionage, among other malicious motivations. Device loss and theft contribute to the occurrence of large data breaches (including unintentional disclosures), making them a major concern for enterprises with BYOD programs.
IT and security teams should recommend device security settings to enable and review their network access and storage settings at regular intervals. This allows them to go over and customize their security for stricter implementation of information access according to business requirements — especially in consideration of the need for compliance with legal mandates and international regulations pertaining to data privacy and protection. For their part, employees should be urged to inform the IT and security teams of the devices they bring to the workplace, and to use available multifactor authentication and data encryption features on their devices. They should also notify the IT and security teams when any of their devices is lost or stolen. Aside from reinforcing the security team’s ability to monitor, detect, and block threats and attacks before they hit the enterprise, this helps in quickly determining the type of threat attempting intrusion, controlling leakage and loss, and pinpointing the device being used for attacks.
Practicing Security Awareness
A culture of security awareness is of importance in environments that include employee-owned devices as well as company assets. It acquires even greater importance considering the growing trend toward the use of consumer-grade IoT devices in the workplace. BYOD programs, therefore, should be re-evaluated and re-established in these environments. And this is a shared responsibility that is incumbent on enterprises and employees alike to undertake and fulfill: security integration from the conceptualization to the implementation of BYOD policies and procedures in line with the continuing expansion of the IoT.
Litcom can assist your organization to develop BYOD strategies to help maximize the productivity and financial gains while maintaining security. By providing a comprehensive and thorough review of your company’s technology systems and environment, we will evaluate your organization’s existing BYOD security architecture as well as the desired short-term and long-term mobile goals and make recommendations based on industry and vendor best practices. For more information, please contact us at: firstname.lastname@example.org.