Smart assistants such as Google Home and Amazon Echo were among the most popular gifts this past holiday season, and they’re on their way to becoming as ubiquitous as the smartphone for consumers. But what happens when these devices, with their inherent security and privacy issues, are introduced in the workplace?
Amazon already has plans for this with the imminent release of Alexa for Business, and it’s only a matter of time before Google joins the party. There’s no doubt that these assistants can be incredibly helpful for companies in any industry.
While their use in the workplace is likely inevitable, the security risks for the enterprise are unmistakable. With the devices always waiting to be activated, how much of what we say will be heard and recorded? If the devices aren’t properly secured, how will cybercriminals exploit the technology? Does the risk outweigh the value?
Before delving into the security concerns, we must be careful to avoid vilifying the vendors for whatever security issues are inherent in these devices. Like any Internet of Things (IoT) device, the onus is on consumers and businesses to perform as much due diligence as possible before introducing them into our networks. That said, manufacturers still need to put more emphasis on security in their products.
Security Basics Still Apply to Smart Assistants
I had a chance to catch up with Michael Fauscette, chief research officer for G2 Crowd, who said that, while security certainly needs to be addressed, the risks associated with smart assistants may not be as high as other devices already present on our networks. “Don’t get me wrong — there are things to be concerned about,” he said. “But they don’t record you all the time. Although it does send information back to the server, that data is encrypted and stored in the cloud.” Moreover, users do have the ability to access that data and delete it if need be.
Fauscette, who has extensive experience in adopting new technologies within the enterprise in executive roles, is already working with several large clients that are deploying smart assistants in their workplaces and said he expects the trend to continue as our reliance on the technology surges. He also predicted that the workplace smart assistants of the future will need to be enterprise-grade devices, modified and hardened compared to the ones we see in the home. That hardening may take some time. Until then, we must treat this technology like anything else we put on our network.
According to Fauscette, if you already have good security on your network, you probably have sufficient protection to prevent cybercriminals from compromising devices directly. He pointed to our laptops and personal devices as even greater risks. In other words, if your company’s security defenses are lacking, introducing smart assistants won’t necessarily change things. Again, it’s not any different from how we should treat IoT devices.
“Although [the smart assistant] may not be difficult to hack into, it’s hard to insert malware on it if the hacker is not on the network,” Fauscette said. “But once they’re inside the firewall anyway, the smart assistant isn’t going to be your biggest concern. Basic network security and perimeter protection is the focus. It’s all about having a plan.”
Putting Things In Perspective
When you break down the risks associated with smart assistants, there are much bigger fish to fry considering some of the IoT scenarios we’ve witnessed.
During the Black Hat conference last year, I spoke to Brian Knopf, senior director of security research and IoT architect for Neustar, about the importance of properly securing IoT. He offered the example of an oil and gas company that deploys a critical sulfur sensor in the field.
“If someone messes with that sensor data, they can manipulate the market,” Knopf said. “These are the IoT scenarios that need to be looked at.” He also noted that for some enterprises, those deployments can amount to billion-dollar decisions.
Sure, smart assistants can be problematic, but clearly, they’re not at the same level of risk as IoT devices that are already widely deployed in many industries — at least not yet.
The Virtual Crystal Ball
It will be exciting to see what type of role biometrics will play in securing smart assistant devices. Fauscette said there is a lot of promise in this technology when it comes to smart assistants. “As they begin to proliferate, someone will mess up or get hacked, and then we’ll see authentication creep into the discussion,” he said. “It’s a category of software that we’re so interested in and we expect a lot of change.”
We’re only in the very early stages of smart assistants in the workplace, so it’s probably too early to predict what level of impact they’ll have on enterprise security. No matter what the future has in store, fundamental security practices will go a long way. All the basics — network segmentation, understandable corporate policies and security awareness training — apply today, and that won’t change when there’s a smart device everywhere you turn.
Listen to the podcast series: Five Indisputable Facts about IoT Security