Internet of Things (IoT) devices will bring a bevy of benefits to businesses, including productivity, energy savings, efficiency, safety and so much more. So it’s no wonder the smart office market is forecast to nearly double by 2023, according to a study by Mordor Intelligence.
But smart devices also present a new and growing security threat. Any smart device connected to the company Wi-Fi, officially sanctioned or otherwise, can present a risk to the network. Or, in other words, your company’s next major security risk may come from a device as seemingly innocent as the coffee machine.
In fact, the security risk from IoT devices has become one of the hottest and most vexing topics of discussion within the cybersecurity community.
Why We Need New Categories for IoT Devices in the Enterprise
Technology buyers are presented with smart devices in predictable categories, such as “device management,” “security,” “safety automation,” “heating, ventilation and air conditioning automation,” “smart ergonomics” — the list goes on and on.
From a security standpoint, however, we need new ways of thinking about workplace IoT devices — by which I mean new categories. Let’s take a closer look at four categories for smart office devices from a security point of view.
1. USB-Powered Gadgets
The bring-your-own-device (BYOD) challenge persists. In the past, we understood and could predict what endpoints employees would bring into the enterprise network. But when those devices are IoT smart office gadgets, it’s almost impossible to guess what will show up, how it will work and what the implications are for security.
The most innocuous-seeming general category of devices might be anything that gets power from a USB port. These devices include cup warmers, reading lights, fans, desktop humidifiers, Wi-Fi extenders — you name it. They don’t seem to make an office particularly “smart.”
What’s troubling about this category is that while these devices ostensibly use USB ports for power only, they are in fact plugging into a data port. Any of these devices could contain storage, processing and a malicious payload. Most are bought cheaply and manufactured overseas by no-name companies.
To an IT security professional, the practice of blindly purchasing connected devices is functionally equivalent to finding a USB thumb drive in the parking lot and plugging it in to a system inside the firewall.
2. Spy Tech
Anything with a camera or microphone could expose company secrets. We’re entering an age of smart speakers and displays, which were initially aimed at consumers but are now headed for the enterprise. In normal operation, these devices capture audio with their microphones and store it on a remote server.
Of somewhat less concern are the cameras, which could be used to spy on a room in the same way that some attackers have been able to hijack the cameras in laptops. It’s very early days for these devices, and the security implications won’t be hammered out for years. In the meantime, the harvesting and off-site storage of audio, video and photographs continues.
3. DDoS Robots
Office IoT devices can be hijacked and dragooned into service as part of a distributed denial-of-service (DDoS) attack.
Last year, the IoT_Reaper botnet shut down major internet providers by taking over millions of IoT devices. It focused mostly on exploiting known security flaws and targeted mainly security cameras, DVRs, and other camera-based devices and major-brand routers.
4. Orphan Devices
The introduction of smart office devices may involve a handoff in responsibility from facilities to IT. Any office equipment that plugs into the building’s electrical outlets but not the network probably falls under the purview of facilities. Anything that plugs into the network — or plugs into a device that plugs into a network — is likely IT’s problem.
A whole range of orphan-making is taking place with the transition to smart workplaces. Devices normally managed by facilities are increasingly connecting to the network as part of a larger push for the smart office. Yet, in many cases, these devices are still managed by facilities — or they’re left in a kind of orphan state where nobody’s really paying attention to what the devices are up to.
Let’s say conventional thermostats are replaced with “smart” thermostats, for example. Is IT involved in the purchase? Are these devices getting updates from the manufacturer? Are they getting “updates” from individuals or organizations that are not the manufacturer? Chances are, these devices are falling through the cracks with nobody managing the security end of things.
The purpose of these categories is to clarify responsibility and the actions that need to be taken to protect against the specific risks associated with each type of device.
How to Manage the Smart Office Smartly
Industry groups are working to figure out the larger issues around IoT security inside enterprises, but you can’t afford to wait. Here’s what you and your organization can do right now to protect yourselves from new threats posed by smart devices:
- Develop an IoT strategy. This should include, among other things, a ban on devices that cannot or will not get security patches and updates from the manufacturer. It should also include a policy of disabling all unused features for smart office equipment.
- Maintain an inventory of every smart device. Make sure the database includes details about the manufacturer, how updates are handled and security specifics. A centralized inventory helps facilitate communication between departments and among new hires.
- Train employees about the special risks associated with IoT devices. Everyone needs to be as leery about USB-powered cup warmers as they are about thumb drives.
- Actively share information across departments and vendors about security-related events that take place with smart office devices.
- Invest in a unified endpoint management (UEM) system. Make sure you select a solution that covers IoT devices just like it does other computing categories.
- Use strong password management tools. Institute the same stringent password requirements for IoT devices as you would networked computers. Above all, change and manage the default passwords for IoT devices that have them. Attackers know the default passwords and will search for them.
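One way to turn the inventory and policy points above into a repeatable check, as an added example that is not from the original article: the record fields, the sample devices and the department names are constructed for illustration, and the four categories follow the article's own taxonomy.

```python
"""Audit a smart-office device inventory against the policy points above.
Added example; the Device fields and SAMPLE records are constructed."""
from dataclasses import dataclass

# The article's four security-oriented categories for smart office devices.
CATEGORIES = {"usb_gadget", "spy_tech", "ddos_robot", "orphan"}

@dataclass
class Device:
    name: str
    manufacturer: str
    category: str                   # one of CATEGORIES
    owner: str                      # responsible department, e.g. "IT" or "facilities"
    network_connected: bool         # plugs into the network, or into a networked device
    vendor_updates: bool            # manufacturer ships security patches
    default_password_changed: bool  # True also for devices that have no password
    unused_features_disabled: bool

def audit(devices):
    """Return {device name: [policy findings]} for devices that fail a check."""
    findings = {}
    for d in devices:
        issues = []
        if not d.vendor_updates:
            issues.append("ban: no security updates from manufacturer")
        if not d.default_password_changed:
            issues.append("change default password")
        if not d.unused_features_disabled:
            issues.append("disable unused features")
        # Networked equipment still owned by facilities is an orphan candidate.
        if d.network_connected and d.owner.lower() != "it":
            issues.append(f"orphan: networked but owned by {d.owner}")
        if d.category not in CATEGORIES:
            issues.append(f"unknown category {d.category!r}")
        if issues:
            findings[d.name] = issues
    return findings

# Constructed sample inventory (hypothetical names and manufacturers).
SAMPLE = [
    Device("lobby-thermostat", "AcmeHVAC", "orphan", "facilities", True, True, False, True),
    Device("desk-fan-12", "NoName", "usb_gadget", "IT", False, False, True, True),
    Device("boardroom-speaker", "BigBrand", "spy_tech", "IT", True, True, True, True),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```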
The smart office is ushering in a better work environment, but it’s important to address security gaps sooner rather than later. After all, expanding your workplace network without managing security just isn’t very smart.