Internet of Things (IoT) devices will bring a bevy of benefits to businesses, including productivity, energy savings, efficiency, safety and so much more. So it’s no wonder the smart office market is forecast to nearly double by 2023, according to a study by Mordor Intelligence.

But smart devices also present a new and growing security threat. Any smart device connected to the company Wi-Fi, officially sanctioned or otherwise, can present a risk to the network. Or, in other words, your company’s next major security risk may come from a device as seemingly innocent as the coffee machine.

In fact, the security risk from IoT devices has become one of the hottest and most vexing topics of discussion within the cybersecurity community.

Why We Need New Categories for IoT Devices in the Enterprise

Technology buyers are presented with smart devices in predictable categories, such as “device management,” “security,” “safety automation,” “heating, ventilation and air conditioning automation,” “smart ergonomics” — the list goes on and on.

From a security standpoint, however, we need new ways of thinking about workplace IoT devices — by which I mean new categories. Let’s take a closer look at four categories for smart office devices from a security point of view.

1. USB-Powered Gadgets

The bring-your-own-device (BYOD) challenge persists. In the past, we understood and could predict what endpoints employees would bring into the enterprise network. But when those devices are IoT smart office gadgets, it’s almost impossible to guess what will show up, how it will work and what the implications are for security.

The most innocuous-seeming general category of devices might be anything that gets power from a USB port. These devices include cup warmers, reading lights, fans, desktop humidifiers, Wi-Fi extenders — you name it. They don’t seem to make an office particularly “smart.”

What’s troubling about this category is that while these devices ostensibly use USB ports for power only, they are in fact plugging into a data port. Any of these devices could contain storage, processing and a malicious payload. Most are bought cheaply and manufactured overseas by no-name companies.

To an IT security professional, the practice of blindly purchasing connected devices is functionally equivalent to finding a USB thumb drive in the parking lot and plugging it into a system inside the firewall.
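One concrete control for this category on Linux workstations is a USB device policy such as USBGuard, which only admits devices whose interface classes the administrator has whitelisted. The rule set below is an added example written for this article, not something the article or the USBGuard project supplies; it assumes the standard USB interface class codes (03 = HID, 08 = mass storage, 09 = hub, 02/0a = CDC networking, e0 = wireless) and that `ImplicitPolicyTarget=block` is set in usbguard-daemon.conf. The point it makes is the one from the paragraph above: a cup warmer or fan that draws power only never enumerates and is unaffected, while a "fan" that quietly enumerates as storage or a network adapter is blocked before the host mounts it.

```conf
# /etc/usbguard/rules.conf  (added example; rules are evaluated top to bottom, first match wins)

# Hubs, keyboards and mice: allow devices whose interface set is purely HID (class 03)
# or a plain full-speed hub (09:00:00). A composite device that also exposes storage
# does not satisfy "equals" and falls through to the block rules.
allow with-interface equals { 03:*:* }
allow with-interface equals { 09:00:00 }

# Anything exposing mass storage (08) or a network interface (02 = CDC control,
# 0a = CDC data, e0 = wireless controller) is refused, whatever else it advertises.
block with-interface one-of { 08:*:* 02:*:* 0a:*:* e0:*:* }

# Everything not matched above is decided by ImplicitPolicyTarget in
# /etc/usbguard/usbguard-daemon.conf; set that to "block" so unknown classes are denied.
```

Approved storage or network devices can be added as explicit `allow` rules ahead of the block line, matched by vendor/product id and serial, so the whitelist stays narrow and every exception is a deliberate inventory decision rather than a default.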

2. Spy Tech

Anything with a camera or microphone could expose company secrets. We’re entering an age of smart speakers and displays, which were initially aimed at consumers but are now headed for the enterprise. These devices normally work by capturing audio with microphones and storing it on a remote server.

Of somewhat less concern are the cameras, which could be used to spy on a room in the same way that some attackers have been able to hijack the cameras in laptops. It’s very early days for these devices, and the security implications won’t be hammered out for years. In the meantime, the harvesting and off-site storage of audio, video and photographs continues.

3. DDoS Robots

Office IoT devices can be hijacked and dragooned into service as part of a distributed denial-of-service (DDoS) attack.

Last year, the IoT_Reaper botnet shut down major internet providers by taking over millions of IoT devices. It focused mostly on exploiting known security flaws and targeted mainly security cameras, DVRs, and other camera-based devices and major-brand routers.

4. Orphan Devices

The introduction of smart office devices may involve a handoff in responsibility from facilities to IT. Any office equipment that plugs into the building’s electrical outlets but not the network probably falls under the purview of facilities. Anything that plugs into the network — or plugs into a device that plugs into a network — is likely IT’s problem.

A whole range of orphan-making is taking place with the transition to smart workplaces. Devices normally managed by facilities are increasingly connecting to the network as part of a larger push for the smart office. Yet, in many cases, these devices are still managed by facilities — or they’re left in a kind of orphan state where nobody’s really paying attention to what the devices are up to.

Let’s say conventional thermostats are replaced with “smart” thermostats, for example. Is IT involved in the purchase? Are these devices getting updates from the manufacturer? Are they getting “updates” from individuals or organizations that are not the manufacturer? Chances are, these devices are falling through the cracks with nobody managing the security end of things.

The purpose of these categories is to clarify responsibility and the actions that need to be taken to protect against the specific risks associated with each type of device.

How to Manage the Smart Office Smartly

Industry groups are working to figure out the larger issues around IoT security inside enterprises, but you can’t afford to wait. Here’s what you and your organization can do right now to protect yourselves from new threats posed by smart devices:

  • Develop an IoT strategy. This should include, among other things, a ban on devices that cannot or will not get security patches and updates from the manufacturer. It should also include a policy of disabling all unused features for smart office equipment.
  • Maintain an inventory of every smart device. Make sure the database includes details about the manufacturer, how updates are handled and security specifics. A centralized inventory helps facilitate communication between departments and among new hires.
  • Train employees about the special risks associated with IoT devices. Everyone needs to be as leery about USB-powered cup warmers as they are about thumb drives.
  • Actively share information across departments and vendors about security-related events that take place with smart office devices.
  • Invest in a unified endpoint management (UEM) system. Make sure you select a solution that covers IoT devices just like it does other computing categories.
  • Use strong password management tools. Institute the same stringent password requirements for IoT devices as you would networked computers. Above all, change and manage the default passwords for IoT devices that have them. Attackers know the default passwords and will search for them.
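The strategy, inventory and default-password items above can be turned into a repeatable check: keep the inventory as structured records and audit it against the policy rather than trusting that someone remembers. The script below is an added example, not code from the article; the inventory records, the 180-day patch threshold, the audit date and the finding labels are all constructed assumptions, and the device fields mirror the details the inventory bullet asks for (manufacturer, how updates are handled, who owns the device, whether defaults were changed, which features are still enabled).

```python
"""Audit a smart-office IoT inventory against a simple written policy (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical policy threshold: a device with no vendor update in this many days is stale.
MAX_PATCH_AGE_DAYS = 180


@dataclass
class Device:
    name: str
    manufacturer: str
    owner: str                      # department responsible: "IT" or "Facilities"
    network_connected: bool         # plugs into the network, directly or via another device
    vendor_patches: bool            # manufacturer still ships security updates
    last_update: Optional[date]     # date of the last applied vendor update, if any
    default_password_changed: bool
    unused_features: List[str] = field(default_factory=list)  # still enabled but not needed


def audit_device(dev: Device, today: date) -> List[str]:
    """Return policy findings for one device; an empty list means it passes."""
    findings: List[str] = []

    # Strategy rule: ban devices that cannot or will not receive security updates.
    if not dev.vendor_patches:
        findings.append(f"BAN: {dev.manufacturer} provides no security updates")
    elif dev.last_update is None or (today - dev.last_update).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"STALE: no vendor update applied in the last {MAX_PATCH_AGE_DAYS} days")

    # Orphan rule: anything on the network is IT's problem, whoever bought it.
    if dev.network_connected and dev.owner != "IT":
        findings.append(f"ORPHAN: network-connected but owned by {dev.owner}, not IT")

    # Password rule: default credentials are the first thing attackers try.
    if not dev.default_password_changed:
        findings.append("DEFAULT-CREDS: factory password has not been changed")

    # Hardening rule: disable every feature that is not in use.
    if dev.unused_features:
        findings.append("HARDEN: disable unused features: " + ", ".join(dev.unused_features))

    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Audit every device; the result maps device name to its list of findings."""
    return {dev.name: audit_device(dev, today) for dev in devices}


# Constructed sample inventory and audit date (not real devices or vendors).
AUDIT_DATE = date(2018, 10, 1)
INVENTORY = [
    Device("lobby-thermostat", "ExampleTherm", "Facilities", True, True,
           date(2018, 1, 10), False, ["telnet", "upnp"]),
    Device("conf-room-speaker", "ExampleAudio", "IT", True, True,
           date(2018, 9, 15), True, []),
    Device("desk-cup-warmer", "NoNameGadgets", "Facilities", False, False,
           None, True, []),
]


def run_audit() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Running it prints one line per device plus its findings; in a real deployment the inventory would be loaded from the central database the inventory bullet describes, and the output fed to whichever department the ORPHAN finding names so the handoff from facilities to IT is explicit rather than assumed.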

The smart office is ushering in a better work environment, but it’s important to address security gaps sooner rather than later. After all, expanding your workplace network without managing security just isn’t very smart.
