As if there aren’t enough challenges in securing your IT environment these days, now you hear Jerry in Accounting saying “Hey, Alexa!” as you walk by his office. The Internet of Things (IoT) is quickly coming to your business. Just like the BYOD (Bring Your Own Device ) onslaught with a mobile phone in every pocket, these IoT devices are popping up on networks and if you have not already seen this, you are likely to sooner than later.
What is meant by Internet of Things?
Let’s back up a minute to make sure that IoT devices can be defined. Typically, these are non-traditional appliances that are becoming internet connected. That Nest thermostat, the camera system at your shipping room door, Amazon Alexa and Google Mini, even your coffee maker, are all examples of devices that are showing up in your offices.
Similar to BYOD, there is a likelihood that your IT security is not fully prepared to accommodate these devices. Should you ban them outright? That is a strategy that was quickly overwhelmed in the era of BYOD and the mobile workforce. Many employees expect the same creature comforts they enjoy in their connected homes. Beyond comfort, there may even be a business use case where you need these IoT devices in your work environment. Also, the simple fact is that the next refrigerator you purchase for the break room will only be available with Internet capabilities built-in.
What can be done to securely allow these IoT devices at work?
A simple question may be whether you really need this device at work, however, with competition for qualified employees growing, these devices are becoming recruiting and retention perks to keep the staff happy. The good news is if you get out in front of this with the administrative and technical controls you may already have in place, you can accept these devices into your business and control the security risks.
Scan for Default Credentials
IoT devices may be inherently insecure particularly if the default username and password has not been changed. There is a free scanning tool called IoTSeeker from Rapid7 that will scan for specific IoT devices looking for default credentials. An effective first step is to ensure any IoT device brought into the office has had the default credentials changed and the password is sufficiently complex and lengthy.
Automate Security Updates
The IoT device should support automated security updates for the firmware. Ensuring that these devices are patched regularly is another key component, just like any device on your network.
Speaking of being on your network, ideally all IoT devices should connect to their own VLAN and be isolated from your critical applications and data. You may already have a guest WIFI network that can be used, however having IoT further isolated is the best practice in reducing your risk.
Finally, regular vulnerability scanning of your network should include these IoT devices to ensure un-patched risks can be uncovered and remediated.
IoT devices are here to stay and once the genie is out of the bottle at work, it is very difficult to stop them. Be proactive and have a plan as to where security fits for addressing this new risk and you can be ahead of the curve before you go by Jerry’s office and ask Alexa to play “Funky town”.