Employees are slowly beginning the shift back into the office, but is working from home a thing of the past? As employees and employers redefine what work from home (WFH) will look like in the future, it is a great opportunity for employee education.
Too often, IoT devices are overlooked as security threats in both home and office environments. Many of these devices have multiple applications, meaning they are just as vulnerable to attack by a threat actor. With over 20 billion IoT devices on the market in 2020, and a 300% increase in attacks, the need to secure these devices has never been more important.[i]
Protecting IoT in Home Offices
IoT devices are a concern for any business during normal operation, but they have become even more worrisome during today’s extended work-from-home environment. When a corporate office updates its hardware or onboards new IoT devices, the security and operations professionals are typically on-site to ensure those devices and the network are protected. When the operating model changes overnight from one office to hundreds of personal offices spread across a city, a state, or even the world, the company’s control over its own cybersecurity may begin to slip.
The real threat from IoT devices is that consumers tend to assume they are perfectly safe and totally disconnected from their work network. Both assumptions are false. Many of these devices are designed and produced as quickly as possible in order to be first to market. As a result, many have weak or even non-existent security, making them vulnerable points in home cybersecurity and tempting targets for attackers. On top of this, devices in the home usually aren’t installed by technicians with the security training necessary to protect the end user and, by extension, your data. Small mistakes like leaving ports open at a residence can quickly give a determined attacker access to your home network if it is not properly defended.
Unfortunately, the risk doesn’t end at home. Many employees access their organization’s data via virtual private networks (VPNs), which increases the risk of exposing the organization’s network to attack. Devices like a TV, Alexa, Peloton, or even a smart refrigerator expand the attack surface. One rogue device can spread malware or spyware through the home, to the VPN, and into a company’s network. If left unchecked, that malware can then spread across an unsegmented network, potentially leeching private or secure data from the system.
Simple Steps to Reduce Risk
While employers are redefining their work-from-home policies, the security threats presented by at-home IoT devices continue to grow. You can significantly reduce these threats by encouraging teams to take the following simple but impactful steps.
- Change default device usernames and passwords. Employees working at home may have a range of cybersecurity or technical backgrounds. One of the easiest and most effective steps you can ask them to take is to change their device usernames and passwords.
- Apply vendor patches. Another low-investment, high-return strategy is making sure your employees are keeping their IoT devices up to date. Cybersecurity moves at the speed of innovation, and when a company pushes an update to an IoT device, it may be to counteract a new threat to the device. Encouraging team members to keep devices at home up to date provides a simple solution that protects both employees and the company.
- Change the name of the device. Many devices in an employee’s home may come with default names. A device name gives a lot of information to an attacker. If a device name can be changed, doing so hides many of its vulnerabilities from an attacker.
- Research IoT devices. While your company may have a log of all the IoT devices on-site, it likely won’t know what devices are operating in the homes of its employees. Rather than asking employees to audit their own devices, send out a list of devices that have been flagged as dangerous and develop a plan to help your employees minimize the risk presented.
- Investigate all device and application events. Employers don’t have visibility into home networks, devices or traffic. While this visibility is difficult to gain, employers could consider implementing a policy that requires all company devices to have endpoint protection installed and to log into the company VPN. Doing so would route traffic through the company network, thereby providing visibility.
While we have all experienced numerous challenges securing devices on home networks recently, there are solutions to help ease the burden. The steps outlined above describe how both employers and employees can proactively work together to harden security and reduce risk in these uncertain times.
[i] F-Secure, Attack Landscape H1 2019.