Lock Down Personal Smart Devices to Improve Enterprise IoT Security

April 9, 2020

The presence of internet of things (IoT) devices in employees’ homes is a neglected item in many enterprise threat models. Caution is certainly warranted here, but it’s entirely possible to improve your risk awareness and secure smart devices in a calm and measured way.

Overlooking privacy and security risks has consequences. It’s in everyone’s best interest to consider the potential impact of every point of data output in your technological ecosystem. Any of these devices could affect the security of your digital connections. To minimize both personal and enterprise risk, it’s important to adhere to the following IoT security best practices.

Inventory Smart Devices in Your Environment

The first step in assessing your smart device risk is to list every device. After a device is installed, it can be easy to forget that it’s even there, so a thorough examination will be needed.

Recalling which IoT devices you’ve paired with your phone or computer and which ones are connected to your wireless network can be made easier by taking a moment to connect them securely when you set them up. You can double-check your memory by doing the following:

  • Walk around your home to identify any devices that are connected by wire.
  • Check all your mobile devices, laptops and desktop computers to determine which devices have been paired via Bluetooth.
  • Check your router’s web interface to see which devices are connected via Wi-Fi.

In my home, for example, I’m primarily concerned with just a few different types of IoT devices: cameras that allow me to watch my chickens from inside my house or when I’m away, entertainment streaming devices and my fitness tracker.

Identify Potential Risks to Personal and Enterprise Data

As you make a list of all IoT devices in your environment, be sure to note their functionalities and what data they store as well. You’ll also want to record which apps and online accounts are connected to them.

Here are a few questions to help get you started:

  • Does the device have a camera or a microphone?
  • Does it record your location?
  • Does it store or record health data?
  • Does it connect to an app or online account that stores payment card details?
  • Does it store contact information?
  • If compromised, could it lead an attacker straight to the corporate network?

You might need to look up the specifications for your devices, as they may have more functionality than you realize. Review app permissions thoroughly to see where they are storing information you might have forgotten about. It’s best to proceed as if there were few security controls on every device, because this may indeed be the case. Assume that you’ll need to provide security controls yourself.

If you have any home cameras, for example, do they gather audio and video only when you request a live feed, or all the time? Do you have a fitness tracker storing personal health information? Some devices may use apps or other software to connect to online accounts that record payment or contact information, so check the terms of service for any data sharing with third-party vendors and look into their individual security levels.
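The inventory and risk-review steps above can be kept honest with a small script. This is an added example, not part of the original article: it compares a Linux `ip neigh` neighbor table against a hand-kept inventory and lists unknown devices, inventoried devices that are not online, and online devices ordered by how many of the risk questions they trigger. The sample output, MAC addresses, device names and risk tags are all constructed for illustration.

```python
import re

# Constructed `ip neigh` output (Linux neighbor table); all addresses are made up.
SAMPLE_NEIGH = """\
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.21 dev wlan0 lladdr AA:BB:CC:00:00:02 STALE
192.168.1.37 dev wlan0 lladdr aa:bb:cc:00:00:99 REACHABLE
192.168.1.50 dev wlan0 FAILED
"""

# Hypothetical hand-kept inventory keyed by MAC address. The risk tags mirror
# the questions above: camera/mic, location, health, payment, contacts, corporate.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "coop camera", "risks": {"camera_mic"}},
    "aa:bb:cc:00:00:02": {"name": "streaming stick", "risks": {"payment", "camera_mic"}},
    "aa:bb:cc:00:00:03": {"name": "fitness tracker hub", "risks": {"health", "location"}},
}

# Only entries that resolved to a hardware address carry "lladdr".
NEIGH_RE = re.compile(
    r"^(\S+) dev \S+ lladdr ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) \S+$", re.I | re.M
)


def parse_neighbors(text):
    """Return {mac: ip} for neighbor entries that have a hardware address."""
    return {mac.lower(): ip for ip, mac in NEIGH_RE.findall(text)}


def audit(neigh_text, inventory):
    """Compare what is on the network with what the inventory says should be."""
    seen = parse_neighbors(neigh_text)
    unknown = sorted((ip, mac) for mac, ip in seen.items() if mac not in inventory)
    not_seen = sorted(d["name"] for mac, d in inventory.items() if mac not in seen)
    # Devices currently online, most risk tags first, so review starts there.
    review = sorted(
        ((inventory[mac]["name"], sorted(inventory[mac]["risks"]))
         for mac in seen if mac in inventory),
        key=lambda item: (-len(item[1]), item[0]),
    )
    return {"unknown": unknown, "not_seen": not_seen, "review": review}


if __name__ == "__main__":
    for section, rows in audit(SAMPLE_NEIGH, INVENTORY).items():
        print(section, rows)
```

This only sees devices that have an IP address on the same network segment, so Bluetooth-paired and wired-but-idle devices still need the manual checks listed earlier. Phones and laptops that use randomized (private) MAC addresses can show up as unknown even when they are yours.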

Mitigate Known IoT Security Risks

There are a lot of steps you can take to improve your home’s IoT security, and therefore, your organization’s security when working remotely. The first, and arguably the easiest, is improving authentication for every device. Enable two-factor authentication (2FA) wherever it is available, and be sure to choose strong and unique passwords and replace any default admin passwords on your devices.

To improve the security of devices that could be misused, consider temporarily or permanently disabling certain functionalities to reduce their risk potential. You could, for example, disable video storing for certain home cameras if you have no desire to review the recordings later.

You can (and probably should) turn off home assistants and any other nearby devices that use microphones or cameras while you’re on conference calls for work. That way, if someone is able to access your audio or video without permission, they won’t be able to see or hear you discussing sensitive work-related information.

Putting smart devices in a separate, more restricted area of your home network, such as an alternate Wi-Fi network or smart home hub, can enable you to set more restrictive permissions for those devices than for the rest of your network. This can help you prevent attackers from gaining access to your IoT devices and moving into other, more sensitive areas of your environment or even corporate networks.

Minimize Your Data Output

You may want to consider not filling out certain requested fields on digital forms or filling them with made-up data. Some data is critical to the functionality of smart devices, but most devices request more information than they strictly need. Some payment cards will now allow you to create a unique, “virtual” card number that’s easier to replace if a breach occurs, according to Credit Karma.

Printers are known to store a lot of data in the form of contact information (which may be kept permanently) and document contents. You can purge data from documents that you’ve printed or scanned by unplugging your printer for a minute or so after you use it.

Data sharing will undoubtedly mitigate certain risks on a societal scale, but it’s important to balance the advantages of sharing against the potential risks. Sharing data from your health care or fitness device could help with population health initiatives, but your decision about whether or not to participate in these projects will necessarily depend on your specific threat model.

Whatever you decide to do to improve smart device security in your home office environment, do it with a sense of calm. Panicked decisions are seldom made well, and important details can be lost in a rush. In the case of IoT security, it’s better to take a little extra time and be thorough.

Lysa Myers

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She watched as the internet grew from small, loc...