The presence of internet of things (IoT) devices in employee’s homes is a neglected item in many enterprise threat models. Caution is certainly warranted here, but it’s entirely possible to improve your risk awareness and secure smart devices in a calm and measured way.

Overlooking privacy and security risks has consequences. It’s in everyone’s best interest to consider the potential impact of every point of data output in your technological ecosystem. Any of these devices could affect the security of your digital connections. To minimize both personal and enterprise risk, it’s important to adhere to the following IoT security best practices.

Inventory Smart Devices in Your Environment

The first step in assessing your smart device risk is to list every device. After a device is installed, it can be easy to forget that it’s even there, so a thorough examination will be needed.

Recalling which IoT devices you’ve paired with your phone or computer and which ones are connected to your wireless network can be made easier by taking a moment to connect them securely when you set them up. You can double-check your memory by doing the following:

  • Walk around your home to identify any devices that are connected by wire.
  • Check all your mobile devices, laptops and desktop computers to determine which devices have been paired via Bluetooth.
  • Check your router’s web interface to see which devices are connected via Wi-Fi.

In my home, for example, I’m primarily concerned with just a few different types of IoT devices: cameras that allow me to watch my chickens from inside my house or when I’m away, entertainment streaming devices and my fitness tracker.

Identify Potential Risks to Personal and Enterprise Data

As you make a list of all IoT devices in your environment, be sure to note their functionalities and what data they store as well. You’ll also want to record which apps and online accounts are connected to them.

Here are a few questions to help get you started:

  • Does the device have a camera or a microphone?
  • Does it record your location?
  • Does it store or record health data?
  • Does it connect to an app or online account that stores payment card details?
  • Does it store contact information?
  • If compromised, could it lead an attacker straight to the corporate network?

You might need to look up the specifications for your devices, as they may have more functionality than you realize. Review app permissions thoroughly to see where they are storing information you might have forgotten about. It’s best to proceed as if there were few security controls on every device, because this may indeed be the case. Assume that you’ll need to provide security controls yourself.

If you have any home cameras, for example, do they gather audio and video only when you request a live feed, or all the time? Do you have a fitness tracker storing personal health information? Some devices may use apps or other software to connect to online accounts that record payment or contact information, so check the terms of service for any data sharing with third-party vendors and look into their individual security levels.

Mitigate Known IoT Security Risks

There are a lot of steps you can take to improve your home’s IoT security, and therefore, your organization’s security when working remotely. The first, and arguably the easiest, is improving authentication for every device. Enable two-factor authentication (2FA) wherever it is available, and be sure to choose strong and unique passwords and replace any default admin passwords on your devices.

To improve the security of devices that could be misused, consider temporarily or permanently disabling certain functionalities to reduce their risk potential. You could, for example, disable video storing for certain home cameras if you have no desire to review the recordings later.

You can (and probably should) turn off home assistants and any other nearby devices that use microphones or cameras while you’re on conference calls for work. That way, if someone is able to access your audio or video without permission, they won’t be able to see or hear you discussing sensitive work-related information.

Putting smart devices in a separate, more restricted area of your home network, such as an alternate Wi-Fi network or smart home hub, can enable you to set more restrictive permissions for those devices than for the rest of your network. This can help you prevent attackers from gaining access to your IoT devices and moving into other, more sensitive areas of your environment or even corporate networks.

Minimize Your Data Output

You may want to consider not filling out certain requested fields on digital forms or filling them with made-up data. Some data is critical to the functionality of smart devices, but most devices request more information than they strictly need. Some payment cards will now allow you to create a unique, “virtual” card number that’s easier to replace if a breach occurs, according to Credit Karma.

Printers are known to store a lot of data in the form of contact information (which may be kept permanently) and document contents. You can purge data from documents that you’ve printed or scanned by unplugging your printer for a minute or so after you use it.

Data sharing will undoubtedly mitigate certain risks on a societal scale, but it’s important to balance the advantages of sharing against the potential risks. Sharing data from your health care or fitness device could help with population health initiatives, but your decision about whether or not to participate in these projects will necessarily depend on your specific threat model.

Whatever you decide to do to improve smart device security in your home office environment, do it with a sense of calm. Panicked decisions are seldom made well, and important details can be lost in a rush. In the case of IoT security, it’s better to take a little extra time and be thorough.

More from CISO

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen. Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper…

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…