There is a hidden vulnerability in your network. It lies in wait for a hacker to activate its attack, and it is none other than your employee’s smart fridge. Sound hyperbolic? Maybe so, but the reality is not too far off. As more and more devices come online and connect to our networks, each one becomes a new attack vector for a hacker to exploit. Consider the news story earlier this year when a fish tank was hacked and used to steal money from a casino. That one sounds even weirder than the smart fridge, but truth is stranger than fiction in many cases.
When connected devices are developed, there is a serious lack of regulation to guarantee that cyber security is taken into consideration during development. Instead, the devices are built on the most basic Linux operating systems, with default codes that buyers rarely ever change. IoT devices are often not considered when IT and management talk about cyber security. Instead, the focus is on employees’ behaviors or actions and on external threats. A hacker only needs to gain access to an unsuspected device that is rarely watched. This could be the vending machine in your break room, the Wi-Fi toaster, or something as basic as a smart pen. Anything that is connected to your network can be used in an attack against the organization.
Coupled with the rise of remote work, the lack of cyber security in IoT devices can create a multiplier effect when it comes to insider threats. IoT devices pose a threat because a majority of consumer IoT devices don’t require a password and don’t encrypt communications while on a home network. Most consumers aren’t aware there are any security risks and thus don’t take any action. If a hacker gains access to one of the unsecured IoT devices on a home network, they can use it to infiltrate or monitor any communications on that network and, as a result, gain access to your business network.
It would be tough, and would raise ethical questions, to ask employees what appliances they have in their homes. A better approach is to embed as much security into your networks as possible. If your employees are set up for remote work, there are some measures you can take to ensure your network and data are safe.
Protecting Your Network
Thankfully, the IoT devices in your employees’ homes will not be a threat if you take some precautions in your network and your remote work policy.
Home Network Policy
While it may be intrusive to know what smart appliances are on an employee’s home network, it’s fair to have a policy that specifies what devices are allowed on your network when an employee is telecommuting. In this policy you should also specify the security requirements a device must meet in order to be used on your network. This way, if a phone, tablet, or fish tank attempts to access your network, it will be flagged as unauthorized immediately.
It is a common oversight, but setting different permissions on a need-to-know basis for each role in the organization can do a lot to prevent a full data breach in the event one of your employees’ accounts gets compromised. This prevents privilege escalation and can notify administrators when unauthorized attempts to access data or folders are happening.
Encryption, Encryption, Encryption!
On your network, one of the best things you can do is to ensure all connections and communications are encrypted. Don’t allow access to your network unless it is over a secure line. Establishing or requiring connection through a VPN would provide enough security that a hacker wouldn’t be able to access communications or try to give any commands without alerting staff to a potential breach.
Whether it is a menacing smart fridge or a fish tank, your organization is fully capable of preventing a data breach. The IoT can provide many benefits that make people’s lives easier. However, when there is such a lack of cyber security consideration from manufacturers, you bear the risk as a result. It is best to stay safe during these fast and dangerous times.