September 6, 2018 By Mike Elgan 4 min read

Internet of Things (IoT) devices will bring a bevy of benefits to businesses, including productivity, energy savings, efficiency, safety and so much more. So it’s no wonder the smart office market is forecast to nearly double by 2023, according to a study by Mordor Intelligence.

But smart devices also present a new and growing security threat. Any smart device connected to the company Wi-Fi, officially sanctioned or otherwise, can present a risk to the network. Or, in other words, your company’s next major security risk may come from a device as seemingly innocent as the coffee machine.

In fact, the security risk from IoT devices has become one of the hottest and most vexing topics of discussion within the cybersecurity community.

Why We Need New Categories for IoT Devices in the Enterprise

Technology buyers are presented with smart devices in predictable categories, such as “device management,” “security,” “safety automation,” “heating, ventilation and air conditioning automation,” “smart ergonomics” — the list goes on and on.

From a security standpoint, however, we need new ways of thinking about workplace IoT devices — by which I mean new categories. Let’s take a closer look at four categories for smart office devices from a security point of view.

1. USB-Powered Gadgets

The bring-your-own-device (BYOD) challenge persists. In the past, we understood and could predict what endpoints employees would bring into the enterprise network. But when those devices are IoT smart office gadgets, it’s almost impossible to guess what will show up, how it will work and what the implications are for security.

The most innocuous-seeming general category of devices might be anything that gets power from a USB port. These devices include cup warmers, reading lights, fans, desktop humidifiers, Wi-Fi extenders — you name it. They don’t seem to make an office particularly “smart.”

What’s troubling about this category is that while these devices ostensibly use USB ports for power only, they are in fact plugging into a data port. Any of these devices could contain storage, processing and a malicious payload. Most are bought cheaply and manufactured overseas by no-name companies.

To an IT security professional, the practice of blindly purchasing connected devices is functionally equivalent to finding a USB thumb drive in the parking lot and plugging it into a system inside the firewall.
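A gadget that only draws power never enumerates on the USB bus, so one that shows up with a data interface deserves a second look. The following check is an added example, not part of the original article; it assumes the Linux sysfs layout under /sys/bus/usb/devices and uses a constructed sample tree with a hypothetical "USB Cup Warmer" so it runs offline.

```python
import os
import tempfile

# USB-IF interface class codes that carry data (subset; hubs, class 09, are skipped).
DATA_CLASSES = {
    "02": "communications (CDC)",
    "03": "HID (keyboard/mouse)",
    "08": "mass storage",
    "0a": "CDC data",
    "e0": "wireless controller",
    "ff": "vendor specific",
}

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def enumerated_data_devices(root="/sys/bus/usb/devices"):
    """Return {device: [interface class names]} for devices exposing data interfaces."""
    findings = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:  # "1-2" is a device, "1-2:1.0" is one of its interfaces
            continue
        dev = entry.split(":", 1)[0]
        cls = _read(os.path.join(root, entry, "bInterfaceClass")).lower()
        if cls in DATA_CLASSES:
            name = _read(os.path.join(root, dev, "product")) or dev
            findings.setdefault(f"{dev} {name}", []).append(DATA_CLASSES[cls])
    return findings

def build_sample_tree():
    """Constructed sysfs-like tree: a root hub plus a gadget with HID and storage interfaces."""
    root = tempfile.mkdtemp()
    sample = {
        "usb1": {"product": "xHCI Host Controller"},
        "1-0:1.0": {"bInterfaceClass": "09"},
        "1-2": {"product": "USB Cup Warmer"},
        "1-2:1.0": {"bInterfaceClass": "03"},
        "1-2:1.1": {"bInterfaceClass": "08"},
    }
    for d, files in sample.items():
        os.makedirs(os.path.join(root, d))
        for fname, value in files.items():
            with open(os.path.join(root, d, fname), "w") as fh:
                fh.write(value + "\n")
    return root
```

Calling `enumerated_data_devices()` with no argument scans the real bus on a Linux host; on the sample tree it reports only the cup warmer.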

2. Spy Tech

Anything with a camera or microphone could expose company secrets. We’re entering an age of smart speakers and displays, which were initially aimed at consumers but are now headed for the enterprise. These devices normally work by capturing audio with microphones and storing it on a remote server.

Of somewhat less concern are the cameras, which could be used to spy on a room in the same way that some attackers have been able to hijack the cameras in laptops. It’s very early days for these devices, and the security implications won’t be hammered out for years. In the meantime, the harvesting and off-site storage of audio, video and photographs continues.

3. DDoS Robots

Office IoT devices can be hijacked and dragooned into service as part of a distributed denial-of-service (DDoS) attack.

Last year, the IoT_Reaper botnet shut down major internet providers by taking over millions of IoT devices. It focused mostly on exploiting known security flaws and targeted mainly security cameras, DVRs, and other camera-based devices and major-brand routers.

4. Orphan Devices

The introduction of smart office devices may involve a handoff in responsibility from facilities to IT. Any office equipment that plugs into the building’s electrical outlets but not the network probably falls under the purview of facilities. Anything that plugs into the network — or plugs into a device that plugs into a network — is likely IT’s problem.

A whole range of orphan-making is taking place with the transition to smart workplaces. Devices normally managed by facilities are increasingly connecting to the network as part of a larger push for the smart office. Yet, in many cases, these devices are still managed by facilities — or they’re left in a kind of orphan state where nobody’s really paying attention to what the devices are up to.

Let’s say conventional thermostats are replaced with “smart” thermostats, for example. Is IT involved in the purchase? Are these devices getting updates from the manufacturer? Are they getting “updates” from individuals or organizations that are not the manufacturer? Chances are, these devices are falling through the cracks with nobody managing the security end of things.

The purpose of these categories is to clarify responsibility and the actions that need to be taken to protect against the specific risks associated with each type of device.

How to Manage the Smart Office Smartly

Industry groups are working to figure out the larger issues around IoT security inside enterprises, but you can’t afford to wait. Here’s what you and your organization can do right now to protect yourselves from new threats posed by smart devices:

  • Develop an IoT strategy. This should include, among other things, a ban on devices that cannot or will not get security patches and updates from the manufacturer. It should also include a policy of disabling all unused features for smart office equipment.
  • Maintain an inventory of every smart device. Make sure the database includes details about the manufacturer, how updates are handled and security specifics. A centralized inventory helps facilitate communication between departments and among new hires.
  • Train employees about the special risks associated with IoT devices. Everyone needs to be as leery about USB-powered cup warmers as they are about thumb drives.
  • Actively share information across departments and vendors about security-related events that take place with smart office devices.
  • Invest in a unified endpoint management (UEM) system. Make sure you select a solution that covers IoT devices just like it does other computing categories.
  • Use strong password management tools. Institute the same stringent password requirements for IoT devices as you would networked computers. Above all, change and manage the default passwords for IoT devices that have them. Attackers know the default passwords and will search for them.
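One way to put the inventory, orphan-device and default-password points to work is to reconcile the inventory against what is actually on the network. This is an added example, not from the original article; the CSV column names, manufacturer names and MAC addresses are constructed for illustration.

```python
import csv
import io

# Constructed sample inventory (column names are assumptions for this example).
INVENTORY_CSV = """mac,device,manufacturer,owner,vendor_updates,default_password_changed
aa:bb:cc:00:00:01,lobby thermostat,ExampleCo,facilities,yes,yes
aa:bb:cc:00:00:02,conference smart speaker,ExampleCo,,yes,no
aa:bb:cc:00:00:03,ip camera,NoNameCo,it,no,yes
"""

# Constructed list of MAC addresses seen on the office network
# (in practice exported from DHCP leases or the wireless controller).
OBSERVED_MACS = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:02",
                 "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:99"]

def audit(inventory_csv, observed_macs):
    """Return a sorted list of (mac, finding) tuples."""
    findings = []
    known = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        known[row["mac"].strip().lower()] = row
    for mac, row in known.items():
        if not row["owner"].strip():
            findings.append((mac, "orphan: no owning department"))
        if row["vendor_updates"].strip().lower() != "yes":
            findings.append((mac, "no vendor security updates"))
        if row["default_password_changed"].strip().lower() != "yes":
            findings.append((mac, "default password still set"))
    seen = {m.strip().lower() for m in observed_macs}
    # Devices nobody registered are the ones most likely to fall through the cracks.
    for mac in seen - set(known):
        findings.append((mac, "on network but not in inventory"))
    for mac in set(known) - seen:
        findings.append((mac, "in inventory but not seen on network"))
    return sorted(findings)
```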

The smart office is ushering in a better work environment, but it’s important to address security gaps sooner rather than later. After all, expanding your workplace network without managing security just isn’t very smart.
