The presence of internet of things (IoT) devices in employees’ homes is a neglected item in many enterprise threat models. Caution is certainly warranted here, but it’s entirely possible to improve your risk awareness and secure smart devices in a calm and measured way.

Overlooking privacy and security risks has consequences. It’s in everyone’s best interest to consider the potential impact of every point of data output in your technological ecosystem. Any of these devices could affect the security of your digital connections. To minimize both personal and enterprise risk, it’s important to adhere to the following IoT security best practices.

Inventory Smart Devices in Your Environment

The first step in assessing your smart device risk is to list every device. After a device is installed, it can be easy to forget that it’s even there, so a thorough examination will be needed.

It’s easier to recall which IoT devices you’ve paired with your phone or computer, and which ones are connected to your wireless network, if you take a moment to connect them securely when you set them up. You can double-check your memory by doing the following:

  • Walk around your home to identify any devices that are connected by wire.
  • Check all your mobile devices, laptops and desktop computers to determine which devices have been paired via Bluetooth.
  • Check your router’s web interface to see which devices are connected via Wi-Fi.

In my home, for example, I’m primarily concerned with just a few different types of IoT devices: cameras that allow me to watch my chickens from inside my house or when I’m away, entertainment streaming devices and my fitness tracker.

Identify Potential Risks to Personal and Enterprise Data

As you make a list of all IoT devices in your environment, be sure to note their functionalities and what data they store as well. You’ll also want to record which apps and online accounts are connected to them.

Here are a few questions to help get you started:

  • Does the device have a camera or a microphone?
  • Does it record your location?
  • Does it store or record health data?
  • Does it connect to an app or online account that stores payment card details?
  • Does it store contact information?
  • If compromised, could it lead an attacker straight to the corporate network?
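
The inventory steps and the risk questions above can be combined into one small check, shown here as an added example that is not part of the original article. It assumes the router's client list can be copied out in dnsmasq lease format; the MAC addresses, device names and capability tags are constructed sample data.

```python
# Added example: reconcile the router's client list with a hand-kept inventory.
# Constructed sample in dnsmasq lease format: expiry, MAC, IP, hostname, client-id.
LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.20 coop-cam *
1700000000 aa:bb:cc:00:00:02 192.168.1.21 streaming-stick *
1700000000 aa:bb:cc:00:00:03 192.168.1.22 work-laptop 01:aa:bb:cc:00:00:03
1700000000 AA:BB:CC:00:00:09 192.168.1.37 * *
"""

# Inventory keyed by MAC (constructed); tags mirror the questions listed above.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "chicken coop camera", "tags": {"camera", "microphone"}},
    "aa:bb:cc:00:00:02": {"name": "streaming stick", "tags": {"payment"}},
    "aa:bb:cc:00:00:03": {"name": "work laptop", "tags": {"corporate"}},
    "aa:bb:cc:00:00:04": {"name": "fitness tracker", "tags": {"health", "location"}},
}

SENSITIVE = {"camera", "microphone", "location", "health", "payment", "contacts"}

def parse_leases(text):
    """Return {mac: (ip, hostname or None)} from dnsmasq-style lease lines."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, host = fields[:4]
        seen[mac.lower()] = (ip, None if host == "*" else host)
    return seen

def reconcile(leases_text, inventory):
    """Compare what the router sees with what the inventory says should exist."""
    seen = parse_leases(leases_text)
    known = {mac: inventory[mac] for mac in seen if mac in inventory}
    review = {d["name"]: sorted(d["tags"] & SENSITIVE)
              for d in known.values() if d["tags"] & SENSITIVE}
    return {
        "unknown": sorted(set(seen) - set(inventory)),      # on Wi-Fi, never inventoried
        "not_on_wifi": sorted(set(inventory) - set(seen)),  # check Bluetooth and wired
        "review": review,                                   # devices holding sensitive data
        "shares_network_with_work_device":
            bool(review) and any("corporate" in d["tags"] for d in known.values()),
    }

if __name__ == "__main__":
    for key, value in reconcile(LEASES, INVENTORY).items():
        print(f"{key}: {value}")
```

A device that shows up under `unknown` is the one to track down first; one listed under `not_on_wifi` may simply be paired over Bluetooth or connected by wire.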

You might need to look up the specifications for your devices, as they may have more functionality than you realize. Review app permissions thoroughly to see where they are storing information you might have forgotten about. It’s best to proceed as if there were few security controls on every device, because this may indeed be the case. Assume that you’ll need to provide security controls yourself.

If you have any home cameras, for example, do they gather audio and video only when you request a live feed, or all the time? Do you have a fitness tracker storing personal health information? Some devices may use apps or other software to connect to online accounts that record payment or contact information, so check the terms of service for any data sharing with third-party vendors and look into their individual security levels.

Mitigate Known IoT Security Risks

There are a lot of steps you can take to improve your home’s IoT security and, with it, your organization’s security when you work remotely. The first, and arguably the easiest, is improving authentication for every device. Enable two-factor authentication (2FA) wherever it is available, choose strong and unique passwords, and replace any default admin passwords on your devices.

To improve the security of devices that could be misused, consider temporarily or permanently disabling certain functionalities to reduce their risk potential. You could, for example, disable video storage for certain home cameras if you have no desire to review the recordings later.

You can (and probably should) turn off home assistants and any other nearby devices that use microphones or cameras while you’re on conference calls for work. That way, if someone is able to access your audio or video without permission, they won’t be able to see or hear you discussing sensitive work-related information.

Putting smart devices in a separate, more restricted area of your home network, such as an alternate Wi-Fi network or smart home hub, can enable you to set more restrictive permissions for those devices than for the rest of your network. This can help you prevent attackers from gaining access to your IoT devices and moving into other, more sensitive areas of your environment or even corporate networks.

Minimize Your Data Output

You may want to consider not filling out certain requested fields on digital forms or filling them with made-up data. Some data is critical to the functionality of smart devices, but most devices request more information than they strictly need. Some payment cards will now allow you to create a unique, “virtual” card number that’s easier to replace if a breach occurs, according to Credit Karma.

Printers are known to store a lot of data in the form of contact information (which may be kept permanently) and document contents. You can purge data from documents that you’ve printed or scanned by unplugging your printer for a minute or so after you use it.

Data sharing will undoubtedly mitigate certain risks on a societal scale, but it’s important to balance the advantages of sharing against the potential risks. Sharing data from your health care or fitness device could help with population health initiatives, but your decision about whether or not to participate in these projects will necessarily depend on your specific threat model.

Whatever you decide to do to improve smart device security in your home office environment, do it with a sense of calm. Panicked decisions are seldom made well, and important details can be lost in a rush. In the case of IoT security, it’s better to take a little extra time and be thorough.
