Connected systems are assisting organizations with managing the shift from the office to home working. The speed at which this shift had taken place, for many, has not been out of choice but rather necessity. However, these connected systems, Internet of Things (IoT), and smart devices could result in profound security implications if not given due consideration and if they are not appropriately managed. Notably, this shift to home working seems to be here to stay and will, for many, likely be out of choice rather than necessity going forward.
Vulnerabilities are expanding, and security must adapt
The move to remote working has meant that the robust security available to employees at their offices has changed, and the area of vulnerability has broadened with the inclusion of all our remote working locations (homes) and the multitude of devices (connecting of IoT and smart devices) and services being used. Hackers are exploiting the weaknesses resulting from this shift, and organizations are being exposed in ways that previously would not have been on their radar.
It is not uncommon to see a wide variety of IoT devices embedded in our homes, from household appliances to connected cars. People use health and medical devices, environmental controls, gaming and media devices, and cameras and access systems. Hackers are using this growing vector for their attacks too.
Moreover, security protocols, for the most part, have remained at the office, and employees are adopting technologies, using devices and services without understanding the security threats they present. It has not helped that many of the technologies and services were unprepared for the shift and the massive uptake in services, and many were lacking the necessary security needed to protect the user and their organizations.
It’s especially concerning that with many devices interconnecting and automatically communicating with one another, tasks including updating, monitoring, managing, and securing remains an afterthought or are being overlooked entirely.
IoT devices are coexisting in our homes and offices, and to improve our security posture, organizations must take back some form of security control underpinned by a proactive approach.
IoT devices and their lack of security
IoT has abundant potential; however, for the most part, it lacks the necessary security measures, which could impact an organization’s security. IoT devices are a route by which hackers can access valuable information.
As IoT devices have gone mainstream without focusing on security, organizations need to gain visibility of IoT devices as a priority. As these devices function to provide accessibility and connection, an unsecured IoT device could compromise an organization’s entire network. Moreover, if employees working remotely have their devices connecting to the company network, the company may be vulnerable to attack.
Furthermore, not all employees are tech-savvy, which means that security is not at the forefront of what they do. They do not change the default passwords and are not aware of the threats and risks. The workforce itself is often the most significant security vulnerability.
IoT security risks
IoT devices are difficult to protect as they lack security guidance. For manufacturers, especially in the early days of development, the devices’ security was not a priority. Many were released with default passwords, which users did not change. This resulted in security issues and many devices — “ticking time-bombs” — being left open to hackers within people’s homes. With many devices not manufactured inherently secure, they require manual security updates, and users by default forego them in the same way that they forego changing the default passwords. Through lack of education regarding IoT and the insufficient security guidance provided, the issue persists.
The risk that IoT brings to organizations through remote working must be assessed. Organizations need to evaluate the risk that each IoT device may cause to the confidentiality, integrity, and availability of data. Companies should put controls in place and secure access points as appropriate.
Measures to protect the network
Ensure employees know the risks and vulnerabilities that IoT devices pose to companies, their networks, and valuable information. Educate employees on data security and the importance of it. Educate about home network risks and the need to ensure that all devices and services, including those belonging to children, do not open up the organization to security-related issues. Regarding training, be proactive. Many robust security training options exist, but the proactive approach from leadership to foster a security culture within the company is often lacking.
Remote workers’ responsibility
It is challenging for organizations to manage security within an employee’s homes effectively. Therefore, regarding IoT, employees working remotely should assume a level of responsibility to improve their home networks’ security posture. Everyone has a part to play to ensure adequate security.
Essentially, within the home, the employee would need to take on the role of IT technician and assessor to some degree for their IoT systems. This goes hand in hand with education. So, educating employees on aspects including the importance of changing default passwords of devices and routers, for example, using multifactor authentication (MFA), and best practices regarding password use and management. Informing them on actions like turning off smart speakers during company calls and the benefits of segmenting their home networks to separate IoT devices from company assets are all steps in the right direction. Additionally, educating them on the necessity to take notice of and pay attention to their digital footprint. Moreover, on being vigilant of attempted attacks, including phishing attempts and targeted IoT attacks and IoT security threats and risks.
Require remote users to utilize remote monitoring software. This may seem an over-the-top approach for some, but it is a progressive security measure for remote working. Services can actively monitor the behavior and pick up any anomalies. Through data collection and analysis, “normal behavior” can be identified for each user profile, and anything out of the ordinary can be detected and acted upon. Moreover, alerts can be set for when specific data is accessed or moved. This is a useful measure to protect against data loss. Endpoint monitoring tools can be used to monitor any malicious IoT device traffic. They can isolate device-level risk through application and data security on IoT devices on the home network.
Identity and access management controls
Gaining visibility of IoT devices is essential to manage and secure them effectively. Done correctly would result in the implementation of robust identity and access management controls and monitoring sensitive data flowing through IoT systems.
Avoid automatically trusting devices
As part of gaining visibility of IoT devices, devices connecting to the organization’s network mustn’t be trusted by default. Trust decisions should be based on where the device is connecting from and its purpose or function. The device’s value and the potential risks posed by it should be continually assessed, and decisions made regarding its requirement.
Although workers are remote, access to data can be managed appropriately to accommodate the organization’s risk appetite by managing permissions. Determining who requires access to which information and restricting access as needed is required. Remember to factor in the rule of least privilege, never allow more access than is necessary as per job function. It’s a healthier approach to enable access when appropriate on request rather than to allow complete access by default to all employees.
Home network policy for IoT devices
It may not be appropriate for an organization to inhibit remote workers from having IoT devices on their home network. However, as IoT devices are being used within employees’ homes, it is beneficial to include a section within the policy for remote/home workers to highlight the security requirements that IoT devices must satisfy before the organization’s network can be accessed. Education in this area is essential. In addition to incorporating it in policy, it is important that employees are educated on it and made aware of their responsibilities in that regard. While employees are prompted to adhere to the policy, it is up to the company to adapt the network accordingly. Therefore, an organization needs to ensure the necessary training is given to employees about IoT devices and security awareness.
Use encrypted networks for remote workers. This is an effective way to introduce an extra layer of security. Remember, layering defenses often improve security. Each layer brings its own unique control but together works to provide a robust security solution. Utilizing a virtual private network (VPN) can safeguard the network when accessed as all connections and communications are encrypted. Therefore, no matter the IoT connectivity within employees’ homes, a VPN can provide a security level through the utilization of encryption.
A proactive security approach
Remote working has resulted in expanding the IoT ecosystem and the time employees’ IoT devices spend on the same network as company devices.
Hackers exploit weak authentication of home setups to target networks and valuable data and use IoT devices within our homes as footholds to gain access to organizations’ assets. This is resulting in the organization’s attack surface is expanding. The likelihood of an attack on an IoT device is high. From this point, malware could move from the device to an employee’s endpoint device and laterally within the organization. If this vulnerability is not effectively managed, the consequences could be disastrous.
Through remote workers accessing their at-home networks, where IoT devices may be integrated, organizations must consider the security in a different light to see how IoT devices may impact the organization. Therefore, the organization must prioritize ways to encourage and ensure remote workers are protecting the network effectively.
Featured image: Shutterstock