IoT Security: Are Personal Devices Dragging Your Work Network Down?

November 23, 2021
| |
4 min read

How many connected devices have you added to your household since March 2020? Be sure to count fitness trackers, speakers, gaming machines and even your Tesla, if there’s one in your driveway. Were you one of the many people who waited months for a Peloton? Don’t overlook your new bike. Now add in all your voice-based assistants, such as Google Home and Alexa. One more thing: don’t forget to check in your kids’ rooms. These might make a difference to your employer’s IoT security. 

In the pandemic, many people purchased new connected devices for their personal entertainment and to make daily life easier. Ordr’s report Rise of the Machines 2021: State of Connected devices IT, IoT, IoMT and OT found that there were two times more personal devices this year than in 2020.

IoT Security From Home to Work 

Those devices have an impact on cybersecurity. Yes, most companies have a policy that employees aren’t supposed to connect personal internet of things (IoT) devices to the work network. But that doesn’t stop everyone. The Ordr report discovered that many businesses have unauthorized personal devices connected to their network (referred to as shadow devices) at any given time. This isn’t referring to legitimate bring your own device (BYOD) cases, like using your personal phone for work, but instead devices connected to the internet without a business purpose. (BYOD security should also be on your mind, but it’s not exactly the same as these unintended connections.) 

Infoblox found that one-third of companies in the U.S., UK and Germany have more than 1,000 shadow devices connected to their network on a typical day. In addition, 12% of UK organizations report having more than 10,000 shadow devices on any given day.

What makes someone decide to connect their Peloton to their work network? And why don’t organizations actively police this? It’s hard to know for sure. Work and home have blurred in the pandemic, which has continued for almost two years. It follows that some of the connections that put IoT security at risk are mistakes. Others are likely on purpose. For example, people might want the advantage of higher performance and network speed. I mean, who wants a frozen screen during a workout?

Enterprise Network Performance and Security

How does this situation impact the IoT security of the enterprise network? Not surprisingly, the increase in devices requires more bandwidth, which affects the network performance. This also compounds the existing problem of Zoom meetings taking up more bandwidth and causing network issues. The result is slower response times and lags in applications. A few seconds here and 10 seconds there seems small. However, the time spent over thousands of employees throughout the day quickly adds up to significant productivity loss. Not to mention employees who feel they don’t have the tools — a reliable and fast network — to do their job properly are likely to not be as satisfied and engaged in their jobs or with their employers.

Personal devices connected to enterprise networks do create security risks. How, exactly? While organizations focus on IoT security for business-related connected devices, they don’t take the same precautions with personal devices. After all, in most cases, they don’t even realize the devices are connected to the network.  

The Infoblock report does detail the security issues caused by shadow devices, including data infiltration, direct denial of service, botnet armies and ransomware. While each type of attack is a bit different, all have a common theme. The attacks start by breaking into a poorly-secured IoT device. Most IoT devices designed for personal use do not meet enterprise security requirements. In other cases, the user does not correctly configure and secure the device.

Is the increase in cyberattacks since the pandemic began related to shadow devices? Maybe, but it’s hard to say.

How to Mitigate Overload and Risk

Most organizations already have a policy forbidding personal devices on the corporate network. Now, businesses need to enforce those existing policies. If you don’t have a specific IoT security policy, now is the perfect time to write and roll one out. The issue of shadow devices will only grow into a bigger problem from here.

Communicate the new policy, or remind employees about the existing policy. That way, people can (hopefully) voluntarily disconnect their shadow devices from the network. Be sure to include specific types of devices. In addition, request that everyone checks all connected devices in their home to make sure none are connected by mistake. You can increase compliance and reduce support calls by including directions for how to check the connectivity of common devices.

Once everyone is aware of the policy, the next step is to gain visibility of all devices connected to the network. Many organizations use an on-premises IP address management system (IPAM) to help with this task. Once you’re aware of all connected devices, you can determine which employees still have unauthorized devices connected to the network. You may need to check IP addresses. Then, you can get in touch directly with those employees to remove those devices.

Make IoT Security a New Year’s Resolution

By continuing to monitor all connected devices and following up on shadow devices, you can improve your network’s performance and security. However, addressing shadow devices is not a one-time event. You will need to always monitor and follow up regularly on personal devices connected to the network. Many people get new connected devices for the holidays. So, consider sending out another communication when employees return to work the next year. You should then also closely monitor devices during the first few weeks in January. That way, you can make sure all employees followed the directions you provided.

It’s unlikely you will be able to remove all shadow devices from your network. However, all organizations can significantly reduce the risk and impact through education, monitoring and follow-up.

 

NewsCred System
NewsCred System is a contributor for SecurityIntelligence.