Smart assistants such as Google Home and Amazon Echo were among the most popular gifts this past holiday season, and they’re on their way to becoming as ubiquitous as the smartphone for consumers. But what happens when these devices, with their inherent security and privacy issues, are introduced in the workplace?

Amazon already has plans for this with the imminent release of Alexa for Business, and it’s only a matter of time before Google joins the party. There’s no doubt that these assistants can be incredibly helpful for companies in any industry.

While their use in the workplace is likely inevitable, the security risks for the enterprise are unmistakable. With the devices always waiting to be activated, how much of what we say will be heard and recorded? If the devices aren’t properly secured, how will cybercriminals exploit the technology? Does the risk outweigh the value?

Before delving into the security concerns, we must be careful to avoid vilifying the vendors for whatever security issues are inherent in these devices. As with any Internet of Things (IoT) device, the onus is on consumers and businesses to perform as much due diligence as possible before introducing these devices into our networks. That said, manufacturers still need to put more emphasis on security in their products.

Security Basics Still Apply to Smart Assistants

I had a chance to catch up with Michael Fauscette, chief research officer for G2 Crowd, who said that, while security certainly needs to be addressed, the risks associated with smart assistants may not be as high as other devices already present on our networks. “Don’t get me wrong — there are things to be concerned about,” he said. “But they don’t record you all the time. Although it does send information back to the server, that data is encrypted and stored in the cloud.” Moreover, users do have the ability to access that data and delete it if need be.

Fauscette, who has extensive experience in adopting new technologies within the enterprise in executive roles, is already working with several large clients that are deploying smart assistants in their workplaces and said he expects the trend to continue as our reliance on the technology surges. He also predicted that the workplace smart assistants of the future will need to be enterprise-grade devices, modified and hardened compared to the ones we see in the home. That hardening may take some time. Until then, we must treat this technology like anything else we put on our network.

According to Fauscette, if you already have good security on your network, you probably have sufficient protection to prevent cybercriminals from compromising devices directly. He pointed to our laptops and personal devices as even greater risks. In other words, if your company’s security defenses are lacking, introducing smart assistants won’t necessarily change things. Again, it’s not any different from how we should treat IoT devices.

“Although [the smart assistant] may not be difficult to hack into, it’s hard to insert malware on it if the hacker is not on the network,” Fauscette said. “But once they’re inside the firewall anyway, the smart assistant isn’t going to be your biggest concern. Basic network security and perimeter protection is the focus. It’s all about having a plan.”

Putting Things In Perspective

When you break down the risks associated with smart assistants, there are much bigger fish to fry considering some of the IoT scenarios we’ve witnessed.

During the Black Hat conference last year, I spoke to Brian Knopf, senior director of security research and IoT architect for Neustar, about the importance of properly securing IoT. He offered the example of an oil and gas company that deploys a critical sulfur sensor in the field.

“If someone messes with that sensor data, they can manipulate the market,” Knopf said. “These are the IoT scenarios that need to be looked at.” He also noted that for some enterprises, those deployments can amount to billion-dollar decisions.

Sure, smart assistants can be problematic, but clearly, they’re not at the same level of risk as IoT devices that are already widely deployed in many industries — at least not yet.

The Virtual Crystal Ball

It will be exciting to see what type of role biometrics will play in securing smart assistant devices. Fauscette said there is a lot of promise in this technology when it comes to smart assistants. “As they begin to proliferate, someone will mess up or get hacked, and then we’ll see authentication creep into the discussion,” he said. “It’s a category of software that we’re so interested in and we expect a lot of change.”

We’re only in the very early stages of smart assistants in the workplace, so it’s probably too early to predict what level of impact they’ll have on enterprise security. No matter what the future has in store, fundamental security practices will go a long way. All the basics — network segmentation, understandable corporate policies and security awareness training — apply today, and that won’t change when there’s a smart device everywhere you turn.
