How many connected devices have you added to your household since March 2020? Be sure to count fitness trackers, speakers, gaming machines and even your Tesla, if there’s one in your driveway. Were you one of the many people who waited months for a Peloton? Don’t overlook your new bike. Now add in all your voice-based assistants, such as Google Home and Alexa. One more thing: don’t forget to check in your kids’ rooms. These might make a difference to your employer’s IoT security.

In the pandemic, many people purchased new connected devices for their personal entertainment and to make daily life easier. Ordr’s report Rise of the Machines 2021: State of Connected devices IT, IoT, IoMT and OT found that there were two times more personal devices this year than in 2020.

IoT Security From Home to Work

Those devices have an impact on cybersecurity. Yes, most companies have a policy that employees aren’t supposed to connect personal internet of things (IoT) devices to the work network. But that doesn’t stop everyone. The Ordr report discovered that many businesses have unauthorized personal devices connected to their network (referred to as shadow devices) at any given time. This isn’t referring to legitimate bring your own device (BYOD) cases, like using your personal phone for work, but instead devices connected to the internet without a business purpose. (BYOD security should also be on your mind, but it’s not exactly the same as these unintended connections.)

Infoblox found that one-third of companies in the U.S., UK and Germany have more than 1,000 shadow devices connected to their network on a typical day. In addition, 12% of UK organizations report having more than 10,000 shadow devices on any given day.

What makes someone decide to connect their Peloton to their work network? And why don’t organizations actively police this? It’s hard to know for sure. Work and home have blurred in the pandemic, which has continued for almost two years. It follows that some of the connections that put IoT security at risk are mistakes. Others are likely on purpose. For example, people might want the advantage of higher performance and network speed. I mean, who wants a frozen screen during a workout?

Enterprise Network Performance and Security

How does this situation impact the IoT security of the enterprise network? Not surprisingly, the increase in devices requires more bandwidth, which affects the network performance. This also compounds the existing problem of Zoom meetings taking up more bandwidth and causing network issues. The result is slower response times and lags in applications. A few seconds here and 10 seconds there seems small. However, the time spent over thousands of employees throughout the day quickly adds up to significant productivity loss. Not to mention employees who feel they don’t have the tools — a reliable and fast network — to do their job properly are likely to not be as satisfied and engaged in their jobs or with their employers.

Personal devices connected to enterprise networks do create security risks. How, exactly? While organizations focus on IoT security for business-related connected devices, they don’t take the same precautions with personal devices. After all, in most cases, they don’t even realize the devices are connected to the network.

The Infoblox report does detail the security issues caused by shadow devices, including data infiltration, direct denial of service, botnet armies and ransomware. While each type of attack is a bit different, all have a common theme. The attacks start by breaking into a poorly secured IoT device. Most IoT devices designed for personal use do not meet enterprise security requirements. In other cases, the user does not correctly configure and secure the device.

Is the increase in cyberattacks since the pandemic began related to shadow devices? Maybe, but it’s hard to say.

How to Mitigate Overload and Risk

Most organizations already have a policy forbidding personal devices on the corporate network. Now, businesses need to enforce those existing policies. If you don’t have a specific IoT security policy, now is the perfect time to write and roll one out. The issue of shadow devices will only grow into a bigger problem from here.

Communicate the new policy, or remind employees about the existing policy. That way, people can (hopefully) voluntarily disconnect their shadow devices from the network. Be sure to include specific types of devices. In addition, request that everyone checks all connected devices in their home to make sure none are connected by mistake. You can increase compliance and reduce support calls by including directions for how to check the connectivity of common devices.

Once everyone is aware of the policy, the next step is to gain visibility of all devices connected to the network. Many organizations use an on-premises IP address management system (IPAM) to help with this task. Once you’re aware of all connected devices, you can determine which employees still have unauthorized devices connected to the network. You may need to check IP addresses. Then, you can get in touch directly with those employees to remove those devices.
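One way to turn that visibility step into a repeatable check, shown as an added example that is not from the original article: it assumes the DHCP server writes leases in the ISC dhcpd.leases format and that the asset inventory can be exported as a set of approved MAC addresses. The sample leases, addresses and names are constructed.

```python
import re
# Constructed sample in ISC dhcpd.leases format (not data from the article).
SAMPLE_LEASES = '''
lease 10.20.0.15 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "LAPTOP-FIN-042";
}
lease 10.20.0.77 {
  binding state active;
  hardware ethernet 3c:5a:b4:01:02:03;
  client-hostname "exercise-bike";
}
lease 10.20.0.91 {
  binding state free;
  hardware ethernet 3c:5a:b4:0a:0b:0c;
}
lease 10.20.0.120 {
  binding state active;
  hardware ethernet da:a1:19:aa:bb:cc;
}
'''
# Hypothetical export of approved MAC addresses from the asset inventory.
AUTHORIZED_MACS = {"00:11:22:33:44:55"}
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def field(body, pattern):
    m = re.search(pattern, body, re.M)
    return m.group(1) if m else None

def find_shadow_devices(leases_text, authorized):
    """Return active leases whose MAC is not in the authorized inventory."""
    latest = {}  # the lease file is append-only, so the last entry per IP wins
    for ip, body in LEASE_RE.findall(leases_text):
        latest[ip] = body
    findings = []
    for ip, body in latest.items():
        if field(body, r"^\s*binding state (\w+);") != "active":
            continue
        mac = (field(body, r"hardware ethernet ([0-9a-fA-F:]+);") or "").lower()
        if not mac or mac in authorized:
            continue
        findings.append({
            "ip": ip, "mac": mac,
            "hostname": field(body, r'client-hostname "([^"]*)";') or "(none)",
            # Locally administered bit set: likely a randomized private MAC.
            "randomized_mac": bool(int(mac[:2], 16) & 0x02),
        })
    return findings
```

Devices flagged with a randomized MAC cannot be identified by vendor prefix, so follow-up for those relies on the IP address, switch port or wireless session rather than the hardware address.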

Make IoT Security a New Year’s Resolution

By continuing to monitor all connected devices and following up on shadow devices, you can improve your network’s performance and security. However, addressing shadow devices is not a one-time event. You will need to always monitor and follow up regularly on personal devices connected to the network. Many people get new connected devices for the holidays. So, consider sending out another communication when employees return to work the next year. You should then also closely monitor devices during the first few weeks in January. That way, you can make sure all employees followed the directions you provided.

It’s unlikely you will be able to remove all shadow devices from your network. However, all organizations can significantly reduce the risk and impact through education, monitoring and follow-up.
