Bringing Internet of Things (IoT) devices into your workplace can unleash whole new swathes of benefits and opportunities, including increased productivity, efficiency, energy savings, better communications, happier workers, and a lot more besides. But smart devices also present new business security risks as they become the targets of malicious programs and cyberattacks. In today’s world, it’s no joke to say that the next major cybersecurity threat to your organization may come from something as seemingly innocuous as the thermostat.
The Growth of IoT in the Workplace
The number of IoT devices being connected to corporate networks continues to grow. According to a research report by MarketandMarkets, the smart office market is expected to reach $46.11 billion by 2023 – up from $22.21 billion in 2017. And it’s no surprise. Walk into practically any modern office today and you’ll likely find a huge array of smart devices –printers, cameras, lightbulbs, plugs, and even smart refrigerators and coffee machines – all of which are capable of communicating with apps and other devices through wireless networks.
These sorts of things may be categorized as repurposed smart home devices – i.e. they were initially brought to market as home-use gadgets, but have gradually found their way into the office setting (often by employees bringing them in). But they are just the very tip of the iceberg.
IoT in the workplace, of course, also includes business-specific devices – such as large-screen displays and videoconferencing setups – to which vendors are now adding additional smart functionality to make them more useful and easy to control. Things like smart desks also fall into this category, which have the ability to alert employees if they’ve been sitting too long, and can also gather data to encourage workers to improve their habits. Last year, Amazon also unveiled Alexa for Business, which allows companies to use its smart connected digital assistant in an office environment. With simple voice commands, Alexa for Business can be instructed, for example, to turn on the videoconferencing equipment, check calendars, schedule meetings, order supplies, or find an open conference room.
Then we’ve got the office building’s infrastructure. Internet-connected building management systems and energy management systems have of course been in existence for some time, controlling air-conditioning, heating, doors, power usage and office security alarm systems.
Finally, there are BYOD (employee-owned laptops, smartphones, tablets etc. used for work purposes) and so-called “shadow IoT” devices – i.e. unsanctioned personal devices such as fitness trackers, smart TVs and video game consoles – all connecting to corporate networks in the office.
Put it all together, and it seems that the IoT has ushered in a wealth of efficiency and opportunity through connectivity – but it’s also created a breeding ground for business security risks due to the plethora of new attack surfaces that are now exposed to cyber-threats.
The fact of the matter is that the very thing that makes IoT technology so appealing – i.e. its ability to connect any number of devices and systems together – also makes it susceptible to attacks. Hackers can easily target any weakly-secured devices in your office – including those that employees bring in from home – and, if they are connected to your corporate network, can use them as a gateway into your system.
Let’s consider some of the top business security risks inherent with IoT technology found in the modern office.
Business Security Risks with IoT Equipment
One of the main business security risks with many IoT devices found in an office environment comes down to the fact that they are not inherently secure. Part of the issue is that there are literally thousands of individual IoT manufacturing companies – many of which started life in the consumer market – with zero consistency between them. What this means is that each device you bring into your office – be it a smart desk, videoconferencing system, or vending machine – is likely to have its own operating system. Each will also likely have its own security measures – which are different from everything else in your office – and a different online dashboard from which it is operated.
Unlike, say, the automotive industry, where car manufacturers work together to a set of industry standards which ensure the unity of safety features such as seatbelts, tire pressure sensors and so on, the IoT manufacturing landscape is completely inconsistent at present. Things like smart lightbulbs, large-screen displays and coffee machines often target consumers not corporations, and so are not made for a specific industry purpose. Business security risks weren’t issues when these devices were being developed – who needs file protection on their smart fridge? – and so adequate protection against them are not inherently present.
Compounding the problem is the fact that many of these devices don’t even have configurable security. Some even have a hard-coded password that can’t be changed without a firmware update, which may not be available because the vendor simply hasn’t created it or the product is no longer supported. Manufacturers, of course, will take little or no responsibility if any of these devices are hacked, meaning it is entirely upon your IT department to secure them – and there are plenty of businesses out there which are too small to have any such in-house tech support at all.
An additional layer of complexity comes from the fact that there is a diverse set of technologies and connection protocols used by IoT devices, such as Wi-Fi, Bluetooth, RFID and ZigBee. Each type of connectivity presents its own business security risks, and come with different administrative tools. Trying to stay on top of it all as businesses have fun making their offices smart is difficult at best – and without dedicated resources, it’s pretty much impossible.
As the number of IoT devices in the workplace increases, new types of cyberattack emerge, creating new business security risks. Distributed Denial of Service (DDoS) attacks are one such example. Here, vulnerable connected devices are hijacked by hackers and used to send repeated and frequent queries that bombard the Domain Name Server (DNS), causing it to crash.
There have been a number of high profile cases in recent years of organizations succumbing to such business security risks. In 2016, for instance, the IoT_Reaper botnet shut down major internet providers in North America and Europe by taking over millions of IoT devices – mainly IP security cameras, network video recorders and digital video recorders – and using them for a DDoS attack.
Last year, a US university campus suddenly found over 5,000 systems from its network dedicated IoT infrastructure – including connected lightbulbs and vending machines – were making hundreds of DNS queries every 15 minutes to sub-domains related to seafood. The botnet spread across the network and launched a DDoS attack, resulting in slow or completely inaccessible connectivity across the campus.
These types of attack are on the rise, are relatively cheap for hackers to launch, and are one of the major business security risks presented by IoT in the workplace.
Spy Tech and Ransomware
Many IoT devices incorporate microphones, cameras, and ways of recording their location, leaving organizations open to business security risks in terms of company secrets being exposed. But even if these devices aren’t being exploited to deliberately spy on an organization, they can nonetheless record vast amounts of data about an office and its staff, creating all sorts of privacy headaches for the company to deal with.
The presence of smart assistants and smart speakers in the office environment – fully-equipped with sensitive microphones and voice recognition technology – unleashes new business security risks in the sense that anything discussed can be recorded, analyzed, and stored in a remote server.
Building management systems, too, are often found to be badly configured and easily accessible from the internet, leaving vital systems open to surveillance or meddling from malicious third parties. A hacker could, for instance, lock all the doors in an office building, or cut all the power.
In addition, IoT devices can also be targeted with ransomware. Researchers at Def Con demonstrated this by gaining full remote control of a connected thermostat. In a real-life scenario, such an attack could result in an office becoming uninhabitable, and open up an organization to ransom demands to regain control.
The Expanding BYOD Challenge
Today, employees bring a plethora of connected devices with them to the workplace. In the past, these have largely been confined to laptops, smartphones, and tablets – but now, IoT smart office gadgets are increasingly finding their way into the office, too. Cup warmers, fans, reading lights, desktop humidifiers, W-Fi extenders – in the modern office, practically anything can turn up, and the business security risks are vast. The problem with such things is that while they may ostensibly plug into a USB port (as many of them do) to gain power, while doing so, they are in fact plugging into a data port. Employees will buy these devices cheaply from some unknown overseas manufacturer on the internet – and any could contain processing, storage, and/or a malicious payload.
While bring-your-own-device (BYOD) policies are supposed to govern safe and secure use of personal devices in the office, many don’t yet cover the relatively new category of smart office equipment. Indeed, many policies may be falling far short of the mark in protecting enterprises from IoT-based malware and exposing enterprises to a multitude of business security risks, according to a report from Infoblox.
Over a third (35%) of companies surveyed in the US, UK and Germany reported more than 5,000 non-business devices connecting to the organization’s network each day. Even small businesses – those with 10-49 employees and 50-99 employees – have a significant number of devices connecting. Respectively, 25% and 52% reported more than 1,000 devices connecting on an average day.
(Image source: infoblox.com)
82% of the 1,000 IT directors surveyed for the report indicated that they had policies for connected devices in place to protect against business security risks. Of those, 88% believed these policies were “effective” or “very effective”. However, a corresponding employee survey tells a completely different story, suggesting that IT directors are misguided in their estimation of how effective their policies are in mitigating business security risks.
Nearly a quarter (24%) of employees in the US and UK weren’t even aware that their organization had a security policy for connected devices. Furthermore, of those employees who were at least aware that such a policy was in place, a full 20% reported that they “rarely” or “never” followed it. In fact, only one fifth of respondents said that they followed their organization’s security policy by the book.
“The issue will get worse, and companies that don’t put reasonable controls and implement good practices – they’re going to have infections and they’ll be part of the attack base,” said Sean Tierney, Director of Cyber Intelligence for Infoblox.
Managing Business Security Risks Presented by IoT
IoT in the office isn’t going anywhere – nor are the inherent business security risks that come with it. So what can organizations and their IT departments do?
For starters, a straight up ban on IoT devices that cannot or will not get security patches and updates from the manufacturer must be enforced. Fans, cup warmers, reading lights? None of these things make an office particularly smart, and, frankly, allowing such business security risks into an office environment is just dumb. Next, an inventory of every smart device must be maintained. This inventory should include details about the manufacturer, how updates and security patches are handled, and what ports are used to power them.
Training regimes must also be established to ensure that all employees are not only aware of the business security risks inherent with connected gadgets, but are also adequately trained in the correct handling and usage of all IoT devices the company permits – whether issued by the business itself or brought in from home.
Strong and unique passwords also need to be mandatory – not simply encouraged. Firmware must be constantly updated across all IoT devices, and only secure cloud services with strong encryption and data protection features must be integrated with. Establishing a separate network dedicated solely to your office’s IoT devices may also be considered – this would allow the usage of all the gadgets you and your employees want to use (keeping everyone happy) without exposing your main network to business security risks.
None of these solutions are straightforward, and they will have to evolve alongside every new gadget and application that connects to the company network. Nonetheless, only the strictest policies will suffice – while the smart office may be ushering in a better work environment, addressing the inherent IoT business security risks rigorously is the only smart way to maintain it.