Internet of Things (IoT) devices will bring a bevy of benefits to businesses, including productivity, energy savings, efficiency, safety and so much more. So it’s no wonder the smart office market is forecast to nearly double by 2023, according to a study by Mordor Intelligence.

But smart devices also present a new and growing security threat. Any smart device connected to the company Wi-Fi, officially sanctioned or otherwise, can present a risk to the network. Or, in other words, your company’s next major security risk may come from a device as seemingly innocent as the coffee machine.

In fact, the security risk from IoT devices has become one of the hottest and most vexing topics of discussion within the cybersecurity community.

Why We Need New Categories for IoT Devices in the Enterprise

Technology buyers are presented with smart devices in predictable categories, such as “device management,” “security,” “safety automation,” “heating, ventilation and air conditioning automation,” “smart ergonomics” — the list goes on and on.

From a security standpoint, however, we need new ways of thinking about workplace IoT devices — by which I mean new categories. Let’s take a closer look at four categories for smart office devices from a security point of view.

1. USB-Powered Gadgets

The bring-your-own-device (BYOD) challenge persists. In the past, we understood and could predict what endpoints employees would bring into the enterprise network. But when those devices are IoT smart office gadgets, it’s almost impossible to guess what will show up, how it will work and what the implications are for security.

The most innocuous-seeming general category of devices might be anything that gets power from a USB port. These devices include cup warmers, reading lights, fans, desktop humidifiers, Wi-Fi extenders — you name it. They don’t seem to make an office particularly “smart.”

What’s troubling about this category is that while these devices ostensibly use USB ports for power only, they are in fact plugging into a data port. Any of these devices could contain storage, processing and a malicious payload. Most are bought cheaply and manufactured overseas by no-name companies.

To an IT security professional, the practice of blindly purchasing connected devices is functionally equivalent to finding a USB thumb drive in the parking lot and plugging it in to a system inside the firewall.

2. Spy Tech

Anything with a camera or microphone could expose company secrets. We’re entering an age of smart speakers and displays, which were initially aimed at consumers but are now headed for the enterprise. These devices work normally by capturing audio with microphones and storing it in a remote server.

Of somewhat less concern are the cameras, which could be used to spy on a room in the same way that some attackers have been able to hijack the cameras in laptops. It’s very early days for these devices, and the security implications won’t be hammered out for years. In the meantime, the harvesting and off-site storage of audio, video and photographs continues.

3. DDoS Robots

Office IoT devices can be hijacked and dragooned into service as part of a distributed denial-of-service (DDoS) attack.

Last year, the IoT_Reaper botnet shut down major internet providers by taking over millions of IoT devices. It focused mostly on exploiting known security flaws and targeted mainly security cameras, DVRs, and other camera-based devices and major-brand routers.

4. Orphan Devices

The introduction of smart office devices may involve a handoff in responsibility from facilities to IT. Any office equipment that plugs into the building’s electrical outlets but not the network probably falls under the purview of facilities. Anything that plugs into the network — or plugs into a device that plugs into a network — is likely IT’s problem.

A whole range of orphan-making is taking place with a transition to a smart workplaces. Devices normally managed by facilities are increasingly connecting to the network as part of a larger push for the smart office. Yet, in many cases, these devices are still managed by facilities — or they’re left in a kind of orphan state where nobody’s really paying attention to what the devices are up to.

Let’s say conventional thermostats are replaced with “smart” thermostats, for example. Is IT involved in the purchase? Are these devices getting updates from the manufacturer? Are they getting “updates” from individuals or organizations that are not the manufacturer? Chances are, these devices are falling through the cracks with nobody managing the security end of things.

The purpose of these categories is to clarify responsibility and the actions that need to be taken to protect against the specific risks associated with each type of device.

How to Manage the Smart Office Smartly

Industry groups are working to figure out the larger issues around IoT security inside enterprises, but you can’t afford to wait. Here’s what you and your organization can do right now to protect yourselves from new threats posed by smart devices:

  • Develop an IoT strategy. This should include, among other things, a ban on devices that cannot or will not get security patches and updates from the manufacturer. It should also include a policy of disabling all unused features for smart office equipment.
  • Maintain an inventory of every smart device. Make sure the database includes details about the manufacturer, how updates are handled and security specifics. A centralized inventory helps facilitate communication between departments and among new hires.
  • Train employees about the special risks associated with IoT devices. Everyone needs to be as leery about USB-powered cup warmers as they are about thumb drives.
  • Actively share information across departments and vendors about security-related events that take place with smart office devices.
  • Invest in a unified endpoint management (UEM) system. Make sure you select a solution that covers IoT devices just like it does other computing categories.
  • Use strong password management tools. Institute the same stringent password requirements for IoT devices as you would networked computers. Above all, change and manage the default passwords for IoT devices that have them. Attackers know the default passwords and will search for them.

The smart office is ushering in a better work environment, but it’s important to address security gaps sooner rather than later. After all, expanding your workplace network without managing security just isn’t very smart.

Listen to the podcast series: Five Indisputable Facts about IoT Security

More from Endpoint

Combining EPP and EDR tools can boost your endpoint security

6 min read - Endpoint protection platform (EPP) and endpoint detection and response (EDR) tools are two security products commonly used to protect endpoint systems from threats. EPP is a comprehensive security solution that provides a range of features to detect and prevent threats to endpoint devices. At the same time, EDR is specifically designed to monitor, detect and respond to endpoint threats in real-time. EPP and EDR have some similarities, as they both aim to protect endpoints from threats, but they also have…

The needs of a modernized SOC for hybrid cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…