
How to Keep Employee IoT Devices Safe in the Workplace

By Josh Young Apr 06, 2017


Current estimates place the number of internet-connected devices in the world at 15 billion, and Cisco projects that number will increase to 50 billion by 2020.

Unfortunately, many of these "smart" items lack sufficient security protocols.

According to research conducted by Hewlett Packard Enterprise (HPE), 60 percent of the tested IoT devices raised "security concerns" with their interfaces, including poor session management and weak default credentials. And 80 percent of devices either required no password or permitted passwords of insufficient complexity, such as "1234."

Given that these passwords were often replicated across the device and associated cloud services and mobile apps, this weakness should be particularly concerning.


Last year, cybersecurity company Bastille highlighted a set of surprising security vulnerabilities that could be found in most wireless, non-Bluetooth mice and keyboards. One set of vulnerabilities, known as "MouseJack," allowed hackers to add keystrokes and type on a victim's machine from up to 100 meters away using a device that cost as little as $15, while the "KeySniffer" vulnerability let attackers track every keystroke typed by the victim, potentially capturing confidential data or passwords.

Considering the poor security standards set by many IoT devices, it should come as no shock then that these smart tools are often co-opted into botnets and exploited during distributed denial of service (DDoS) attacks. In fact, analysts at Gartner, Inc. predict that more than 25 percent of cyberattacks will involve IoT devices by 2020.

How Should Your Business Respond to the Internet of Things?

Check agreements

Whenever your organization introduces any new hardware -- even if it's just a smart kitchen appliance or a new TV for the breakroom -- thoroughly review and evaluate any associated data agreements. Know what information is being collected, where it goes, and who can view it.

Of the various devices evaluated by HPE in the previously mentioned study, 90 percent collected at least one piece of personal information either through the device, the cloud, or the associated management app.

Train your staff

Routine, formal data security training is now a requirement for any business. You need to educate your employees on the risks of using their personal devices to access company-owned information.

Similarly, without a solid understanding of the importance of password management, data encryption requirements and general cybersecurity, employee negligence and naiveté will create countless opportunities for data breaches and other exploitations by criminals and hackers.

Consider home offices

With the increase of smart devices in the average home, companies now need to worry about cross-contamination -- particularly if an employee uses an Internet-capable device both in their home network and in the office.

If your business has a bring your own device (BYOD) policy in place, expand the requirements and oversight of this program to any smart device. Your IoT policy should define:

  • Who is authorized to introduce IoT devices to the network
  • Which devices and applications are permitted
  • Which websites or cloud services employees can use for business purposes
  • What the consequences are for failing to follow company policy

Restrict public access

Of course, while users will often give at least some consideration to network security for their home environment, this standard of scrutiny drops considerably when using public WiFi networks, such as at the local coffee shop. And now that several car manufacturers are turning personal vehicles into mobile hotspots, the temptation to connect to an unsecured network will only increase.

This trend is particularly frightening given that 70 percent of IoT devices tested by HPE failed to encrypt information that was transmitted via the internet or local networks.

To protect your company's data, make it clear to your staff that when connecting to internal systems from outside of the workplace, they need to comply with strict security guidelines. Require the use of virtual private networks (VPNs) and mandate that any company-supported IoT devices offer encryption capabilities.

Monitor your environment

The addition of these devices to your network is inevitable, so your business should be proactive and invest in the monitoring and management framework necessary to track these increasing connections.

Know what's on your network, and actively monitor who is connecting to your key systems. Establish a tiered security architecture, and configure connection protocols to bounce non-authorized devices.
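
One way to check "what's on your network" against the IoT policy described above, as an added example that is not part of the original article: it reconciles DHCP leases with an approved-device inventory and flags devices that are unregistered or sitting in the wrong tier. The tier subnets, the inventory and the lease lines (laid out like a dnsmasq lease file) are all constructed for illustration.

```python
import ipaddress

# Constructed tiers: each tier of the architecture is its own network segment.
TIERS = {
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed inventory of approved devices: MAC -> (registered by, permitted tier).
APPROVED = {
    "a4:5e:60:11:22:33": ("facilities", "iot"),  # breakroom TV
    "3c:22:fb:44:55:66": ("jdoe", "corp"),       # managed laptop
}

# Constructed sample in dnsmasq lease-file layout:
# expiry-epoch MAC IP hostname client-id
SAMPLE_LEASES = """\
1491500000 a4:5e:60:11:22:33 10.20.0.15 breakroom-tv *
1491500100 3C:22:FB:44:55:66 10.10.0.42 jdoe-laptop 01:3c:22:fb:44:55:66
1491500200 b8:27:eb:77:88:99 10.10.0.77 smart-kettle *
1491500300 a4:5e:60:11:22:33 10.10.0.90 breakroom-tv *
"""

def tier_of(ip):
    """Return the name of the tier whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in TIERS.items() if addr in net), None)

def audit(lease_text):
    """Return (finding, mac, ip, hostname) for every lease that breaks policy."""
    findings = []
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        mac, ip, host = parts[1].lower(), parts[2], parts[3]
        entry = APPROVED.get(mac)
        if entry is None:
            findings.append(("unregistered", mac, ip, host))
        elif entry[1] != tier_of(ip):
            findings.append(("wrong-tier", mac, ip, host))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LEASES):
        print(*finding)
```

A device can change its MAC address, so treat a match as an inventory signal and leave enforcement to network access control such as 802.1X.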

The Next Step

While the Internet of Things (IoT) offers countless opportunities for innovation and efficiency, the proliferation of internet-connected and remotely accessible electronics also poses an ever-increasing challenge to your company's network security.
