How many connected devices have you added to your household since March 2020? Be sure to count fitness trackers, speakers, gaming machines and even your Tesla, if there’s one in your driveway. Were you one of the many people who waited months for a Peloton? Don’t overlook your new bike. Now add in all your voice-based assistants, such as Google Home and Alexa. One more thing: don’t forget to check in your kids’ rooms. These might make a difference to your employer’s IoT security.

In the pandemic, many people purchased new connected devices for their personal entertainment and to make daily life easier. Ordr’s report Rise of the Machines 2021: State of Connected devices IT, IoT, IoMT and OT found that there were two times more personal devices this year than in 2020.

IoT Security From Home to Work

Those devices have an impact on cybersecurity. Yes, most companies have a policy that employees aren’t supposed to connect personal internet of things (IoT) devices to the work network. But that doesn’t stop everyone. The Ordr report discovered that many businesses have unauthorized personal devices connected to their network (referred to as shadow devices) at any given time. This isn’t referring to legitimate bring your own device (BYOD) cases, like using your personal phone for work, but instead devices connected to the internet without a business purpose. (BYOD security should also be on your mind, but it’s not exactly the same as these unintended connections.)

Infoblox found that one-third of companies in the U.S., UK and Germany have more than 1,000 shadow devices connected to their network on a typical day. In addition, 12% of UK organizations report having more than 10,000 shadow devices on any given day.

What makes someone decide to connect their Peloton to their work network? And why don’t organizations actively police this? It’s hard to know for sure. Work and home have blurred in the pandemic, which has continued for almost two years. It follows that some of the connections that put IoT security at risk are mistakes. Others are likely on purpose. For example, people might want the advantage of higher performance and network speed. I mean, who wants a frozen screen during a workout?

Enterprise Network Performance and Security

How does this situation impact the IoT security of the enterprise network? Not surprisingly, the increase in devices requires more bandwidth, which affects the network performance. This also compounds the existing problem of Zoom meetings taking up more bandwidth and causing network issues. The result is slower response times and lags in applications. A few seconds here and 10 seconds there seems small. However, the time spent over thousands of employees throughout the day quickly adds up to significant productivity loss. Not to mention employees who feel they don’t have the tools — a reliable and fast network — to do their job properly are likely to not be as satisfied and engaged in their jobs or with their employers.

Personal devices connected to enterprise networks do create security risks. How, exactly? While organizations focus on IoT security for business-related connected devices, they don’t take the same precautions with personal devices. After all, in most cases, they don’t even realize the devices are connected to the network.

The Infoblox report does detail the security issues caused by shadow devices, including data infiltration, direct denial of service, botnet armies and ransomware. While each type of attack is a bit different, all have a common theme. The attacks start by breaking into a poorly secured IoT device. Most IoT devices designed for personal use do not meet enterprise security requirements. In other cases, the user does not correctly configure and secure the device.

Is the increase in cyberattacks since the pandemic began related to shadow devices? Maybe, but it’s hard to say.

How to Mitigate Overload and Risk

Most organizations already have a policy forbidding personal devices on the corporate network. Now, businesses need to enforce those existing policies. If you don’t have a specific IoT security policy, now is the perfect time to write and roll one out. The issue of shadow devices will only grow into a bigger problem from here.

Communicate the new policy, or remind employees about the existing policy. That way, people can (hopefully) voluntarily disconnect their shadow devices from the network. Be sure to include specific types of devices. In addition, request that everyone checks all connected devices in their home to make sure none are connected by mistake. You can increase compliance and reduce support calls by including directions for how to check the connectivity of common devices.

Once everyone is aware of the policy, the next step is to gain visibility of all devices connected to the network. Many organizations use an on-premises IP address management system (IPAM) to help with this task. Once you’re aware of all connected devices, you can determine which employees still have unauthorized devices connected to the network. You may need to check IP addresses. Then, you can get in touch directly with those employees to remove those devices.
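As an added illustration of the visibility step (not code from the article or from any IPAM product), the following Python sketch compares a lease export against an approved asset list and flags the rest for follow-up. The CSV layout, the hostname hints and every address in it are constructed assumptions; the MAC addresses use the documentation range or are made up.

```python
import csv
import io

# Constructed sample: an IPAM/DHCP lease export (column names are assumptions).
LEASES_CSV = """ip,mac,hostname
10.20.1.15,00-00-5E-00-53-01,LT-FIN-0231
10.20.1.77,00:00:5E:00:53:4A,living-room-speaker
10.20.1.78,DA:A1:19:0B:7C:21,
10.20.1.90,0000.5e00.5302,PRN-3F-02
10.20.1.91,00:00:5E:00:53:9C,fitness-bike-7731
10.20.1.92,00:00:5E:00:53:B0,desktop-7f2k
"""
# Constructed approved-asset list, stored in normalized form.
APPROVED_MACS = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}
# Hypothetical hostname fragments that suggest a personal device.
CONSUMER_HINTS = ("speaker", "bike", "tv", "console")

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if it is not 12 hex digits."""
    digits = "".join(c for c in raw if c not in ":-. ").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks a locally administered address,
    # which is what phones and tablets use for randomized MACs.
    return bool(int(mac[:2], 16) & 0x02)

def find_shadow_devices(leases_csv, approved):
    findings = []
    for row in csv.DictReader(io.StringIO(leases_csv)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            findings.append((row["ip"], row["mac"], "unparseable MAC, check manually"))
            continue
        if mac in approved:
            continue
        host = row["hostname"].lower()
        if any(hint in host for hint in CONSUMER_HINTS):
            reason = "unapproved, hostname suggests consumer device"
        elif is_locally_administered(mac):
            reason = "unapproved, randomized (locally administered) MAC"
        else:
            reason = "unapproved, unknown device"
        findings.append((row["ip"], mac, reason))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in find_shadow_devices(LEASES_CSV, APPROVED_MACS):
        print(f"{ip:<12} {mac:<18} {reason}")
```

Normalizing the MAC format before comparison matters because exports mix dash, colon and dotted notation, and randomized MACs will never match an asset list, so they need follow-up by IP address and switch port rather than by hardware address.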

Make IoT Security a New Year’s Resolution

By continuing to monitor all connected devices and following up on shadow devices, you can improve your network’s performance and security. However, addressing shadow devices is not a one-time event. You will need to always monitor and follow up regularly on personal devices connected to the network. Many people get new connected devices for the holidays. So, consider sending out another communication when employees return to work the next year. You should then also closely monitor devices during the first few weeks in January. That way, you can make sure all employees followed the directions you provided.

It’s unlikely you will be able to remove all shadow devices from your network. However, all organizations can significantly reduce the risk and impact through education, monitoring and follow-up.
