GlobalSign Blog

24 Apr 2018

Common Sense Security Tips for IoT in the Office

The Internet of Things (IoT) is no longer a fad. It is here to stay. But as you’d expect with technology that thrives in inter-connectivity, it can be a target of malicious programs and attacks. Combine this with BYOD policies of multiple companies and you can have a security nightmare on your hands. Hackers can target the weakly secured devices your employees bring to the office and, assuming they’re connected to your corporate networks, can use them as a gateway into your systems.

It is not difficult to see that more attacks in the future will target IoT technology. The very thing that makes it so appealing – its ability to connect various devices and systems - also makes it susceptible to attacks. In addition to the devices themselves being affected, either used as a backdoor for hackers or enslaved as part of a botnet, they can also put sensitive information in danger of being illegally accessed or intercepted while in transit.

So, how do you protect your business from IoT threats while enjoying the benefits that IoT devices bring in terms of inter-connectivity and convenience?

Well, here are some tips:

Limit IoT Devices at Work

Just because there is a BYOD policy, it shouldn’t mean that employees can just bring any device they have and connect it to the office network.

IoT wearables, in particular, have several security vulnerabilities that can put an organization in danger of breaches. Many of these devices store and transmit data without encryption, often with no password or biometric authentication. They also connect to your smartphone through unsecure connections like Bluetooth or NFC, making them even more vulnerable to brute-force attacks.

The main data at risk is the employee’s own personal information, because that is what IoT wearables usually handle, but there are other dangers as well. In 2014, white-hat hackers demonstrated vulnerabilities in IoT light bulbs that exposed the Wi-Fi password. Even worse, once a device is compromised it can probe other devices connected to the network and put them at risk as well.

So, as much as possible, limit the IoT devices that connect to your network or, at the very least, connect them to a separate network, which brings us to the next tip.

Use a Separate Network

You know when you create a separate network that can only be accessed by guests so that they have limited to no access to your business’ main network?

You can do the same for IoT devices. You can create a separate network that is dedicated to you and your staff’s IoT devices. This way, you are allowing the use of such devices within your premises so your employees are happy, without putting your main network at risk.

This is one of the easiest ways to protect your main network from IoT threats.

Use Strong and Unique Passwords

Like any security measure, it always starts with a strong password. The same goes for IoT security. Encourage your employees to use strong and unique passwords, especially if they are connecting their devices over a Wi-Fi network.

The massive Mirai DDoS (distributed denial-of-service) attack in 2016 was specifically designed to probe IoT devices with weak passwords and out-of-date versions of the Linux kernel. It primarily infected routers and IP cameras and used them to flood DNS provider Dyn. It took down a number of major websites like Etsy, Shopify, Twitter, and Spotify. In the end, the botnet spread to 380,000 devices.

In addition, these easy-to-hack IoT devices can also be used for corporate espionage. Smart cameras, mics, and speakers with weak passwords can be used by malicious parties to capture or record sensitive corporate information.

It should go without saying that you should ensure any connected device you bring into the workplace for corporate use – things like projectors, speakers, and even coffee pots or vending machines – uses a unique, strong password and not the default factory credentials it shipped with.

Consider these guidelines:

  • Passwords should be a combination of alphabetical (upper and lowercase), numerical, and special characters.
  • Each device should have a unique password. Do not use the same password on multiple devices.

Find more tips for creating strong passwords here.

Do Not Use Universal Plug and Play

Most IoT devices have universal plug and play (UPnP) features that make them easier to get connected to other devices. It makes it pretty easy for different devices like routers, printers, cameras, and others to discover and connect with each other without complex configurations.

The problem, however, is that it also makes your device a little too open. Your device becomes pretty easy to discover for everyone, including malicious parties. It is like putting a welcome sign before hackers, telling them you’re open for business.

So, while it is convenient, it can also make you vulnerable and open to attacks. I suggest you turn UPnP off and take the time to configure the setup yourself.

Always Update Firmware

Just because you have security features on your device doesn’t mean you will automatically be safe.

Like your PC software, it is good practice to always update your IoT devices’ firmware. These patches address bugs and other security-related issues, which are always evolving. Neglecting these updates makes it easier for your device’s security to fail because it is unable to recognize new forms of attacks.

Automate your updates; or better yet, check the manufacturer’s website regularly or contact them directly to see if your device has the latest versions or if you need to download the most recent one.

Integrate with Secure Cloud Services Only

Cloud-based business app providers have recognized that IoT can add a layer of efficiency in business operations. Amazon’s Alexa for Business was actually launched late last year to take advantage of this. It integrates with some of the most popular cloud apps for business like the RingCentral business phone system, Microsoft Office 365, the G Suite line of productivity apps, and Salesforce’s customer relationship management app.

These services, however, have very strong encryption and data protection features. You can’t say the same of every cloud service out there.

The problem is that a lot of IoT devices require a cloud service that is not as secure as the services mentioned above. You may be syncing sensitive data and sharing more information without really meaning to.

Make sure that you read the entirety of the cloud service’s privacy policy, including their encryption and data security features.

IoT is supposed to improve and simplify how things are done. The technology, however, is still in its infancy and there are still a lot of security concerns surrounding it. Make sure that you are on top of this because if you’re not, it will turn into a nightmare instead of a convenience.

About the Author

Mark Dacanay is a Digital Marketing Professional who has been working with a B2B company offering cloud-based services for more than 5 years. He is obsessed with anything about the cloud – the technology, not the fluffy stuff in the sky. You can reach him through Twitter and LinkedIn.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
