How many connected devices have you added to your household since March 2020? Be sure to count fitness trackers, speakers, gaming machines and even your Tesla, if there’s one in your driveway. Were you one of the many people who waited months for a Peloton? Don’t overlook your new bike. Now add in all your voice-based assistants, such as Google Home and Alexa. One more thing: don’t forget to check in your kids’ rooms. These might make a difference to your employer’s IoT security.

In the pandemic, many people purchased new connected devices for their personal entertainment and to make daily life easier. Ordr’s report Rise of the Machines 2021: State of Connected devices IT, IoT, IoMT and OT found that there were two times more personal devices this year than in 2020.

IoT Security From Home to Work

Those devices have an impact on cybersecurity. Yes, most companies have a policy that employees aren’t supposed to connect personal internet of things (IoT) devices to the work network. But that doesn’t stop everyone. The Ordr report discovered that many businesses have unauthorized personal devices connected to their network (referred to as shadow devices) at any given time. This isn’t referring to legitimate bring your own device (BYOD) cases, like using your personal phone for work, but instead devices connected to the internet without a business purpose. (BYOD security should also be on your mind, but it’s not exactly the same as these unintended connections.)

Infoblox found that one-third of companies in the U.S., UK and Germany have more than 1,000 shadow devices connected to their network on a typical day. In addition, 12% of UK organizations report having more than 10,000 shadow devices on any given day.

What makes someone decide to connect their Peloton to their work network? And why don’t organizations actively police this? It’s hard to know for sure. Work and home have blurred in the pandemic, which has continued for almost two years. It follows that some of the connections that put IoT security at risk are mistakes. Others are likely on purpose. For example, people might want the advantage of higher performance and network speed. I mean, who wants a frozen screen during a workout?

Enterprise Network Performance and Security

How does this situation impact the IoT security of the enterprise network? Not surprisingly, the increase in devices requires more bandwidth, which affects network performance. This also compounds the existing problem of Zoom meetings taking up more bandwidth and causing network issues. The result is slower response times and lags in applications. A few seconds here and 10 seconds there seem small. However, the time lost across thousands of employees throughout the day quickly adds up to significant productivity loss. In addition, employees who feel they lack the tools to do their job properly, such as a reliable and fast network, are likely to be less satisfied and engaged in their jobs or with their employers.

Personal devices connected to enterprise networks do create security risks. How, exactly? While organizations focus on IoT security for business-related connected devices, they don’t take the same precautions with personal devices. After all, in most cases, they don’t even realize the devices are connected to the network.

The Infoblox report does detail the security issues caused by shadow devices, including data infiltration, direct denial of service, botnet armies and ransomware. While each type of attack is a bit different, all have a common theme. The attacks start by breaking into a poorly secured IoT device. Most IoT devices designed for personal use do not meet enterprise security requirements. In other cases, the user does not correctly configure and secure the device.

Is the increase in cyberattacks since the pandemic began related to shadow devices? Maybe, but it’s hard to say.

How to Mitigate Overload and Risk

Most organizations already have a policy forbidding personal devices on the corporate network. Now, businesses need to enforce those existing policies. If you don’t have a specific IoT security policy, now is the perfect time to write and roll one out. The issue of shadow devices will only grow into a bigger problem from here.

Communicate the new policy, or remind employees about the existing policy. That way, people can (hopefully) voluntarily disconnect their shadow devices from the network. Be sure to include specific types of devices. In addition, request that everyone checks all connected devices in their home to make sure none are connected by mistake. You can increase compliance and reduce support calls by including directions for how to check the connectivity of common devices.

Once everyone is aware of the policy, the next step is to gain visibility of all devices connected to the network. Many organizations use an on-premises IP address management system (IPAM) to help with this task. Once you’re aware of all connected devices, you can determine which employees still have unauthorized devices connected to the network. You may need to check IP addresses. Then, you can get in touch directly with those employees to remove those devices.
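One way to carry out the visibility step described above is to compare an IPAM or DHCP lease export against the list of approved assets and flag everything else for follow-up. The script below is an added example, not part of the original article; the CSV column names, the sample rows and the hostname keyword list are all constructed assumptions.

```python
import csv
import io
import re

# Constructed sample data: an IPAM/DHCP lease export and an approved-asset list.
LEASES_CSV = """ip,mac,hostname,switch_port
10.20.4.17,3C:52:82:AA:10:01,LT-FIN-0042,sw3/12
10.20.4.51,F0:9F:C2:11:22:33,peloton-bike,sw3/14
10.20.4.63,44:65:0D:9A:00:7E,echo-dot-kitchen,sw1/02
10.20.5.9,3c-52-82-aa-10-02,LT-HR-0007,sw2/08
10.20.5.88,A4:77:33:5B:C1:D0,,sw2/21
"""
APPROVED_CSV = """mac,owner
3c:52:82:aa:10:01,finance
3C5282AA1002,hr
"""
# Hypothetical hostname keywords that suggest a consumer device.
CONSUMER_HINTS = ("peloton", "echo", "alexa", "google-home", "xbox", "fitbit")


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "").lower()
    return digits if len(digits) == 12 else None


def load_approved(text):
    """Return the set of normalized MACs from the approved-asset list."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_mac(r["mac"]) for r in rows} - {None}


def find_shadow_devices(leases_text, approved):
    """List leases whose MAC is not approved, with a hint for triage."""
    shadow = []
    for row in csv.DictReader(io.StringIO(leases_text)):
        if normalize_mac(row["mac"]) in approved:
            continue  # known business asset
        name = (row["hostname"] or "").lower()
        hint = next((k for k in CONSUMER_HINTS if k in name), "unidentified")
        shadow.append({"ip": row["ip"], "mac": row["mac"],
                       "port": row["switch_port"], "hint": hint})
    return shadow


if __name__ == "__main__":
    for dev in find_shadow_devices(LEASES_CSV, load_approved(APPROVED_CSV)):
        print(f'{dev["ip"]:<12} {dev["mac"]:<18} {dev["port"]:<7} {dev["hint"]}')
```

MAC addresses are normalized before comparison because IPAM exports and asset inventories often use different separators and letter case. Devices with an empty hostname are still reported, since a missing name is itself a reason to follow up.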

Make IoT Security a New Year’s Resolution

By continuing to monitor all connected devices and following up on shadow devices, you can improve your network’s performance and security. However, addressing shadow devices is not a one-time event. You will need to always monitor and follow up regularly on personal devices connected to the network. Many people get new connected devices for the holidays. So, consider sending out another communication when employees return to work the next year. You should then also closely monitor devices during the first few weeks in January. That way, you can make sure all employees followed the directions you provided.

It’s unlikely you will be able to remove all shadow devices from your network. However, all organizations can significantly reduce the risk and impact through education, monitoring and follow-up.

Find out more about unified endpoint management solutions.
