In today’s hyper-digital world, it seems like everyone is depending on smart devices. Whether it’s a smartwatch with an exercise tracker, a smart coffee pot that responds to voice commands, or even a smart desk with programmable height settings, these devices are everywhere.
Even our workplace or places we visit, gym or shopping are replete with devices and sensors that connect us (living in the physical world) to the digital world. Many of these devices typically connect to your smartphone or to other smart devices through the internet, and they’re part of what’s called the Internet of Things (IoT). The “edge” is the term that is used for all digital components outside of the traditional datacenters or the cloud.
IoT devices have also revolutionized the way office workers interact with technology in the workplace, from smart thermometers and air-quality monitors to smart security cameras and door locks to E-receptionists to check in guests. But with all that IoT comes security vulnerabilities, which resulted in some 1.5 billion breaches in just the first six months of 2021.
Why so many breaches? Unfortunately, while your IT team is busy making sure your computers have up-to-date antivirus software and security patches, many of your IoT vulnerabilities might be going unnoticed until a breach occurs. Also, the teams that own these devices are small with very tiny budgets — it’s a constant challenge to update these complex devices and manage their even complex settings. If you’re going to manage this risk, you’ll need to refocus some of your resources on developing a comprehensive security strategy for all of your smart devices.
Where are you vulnerable?
Every IoT system is most vulnerable at the edge, meaning where sensors in IoT devices gather data and get it ready to send to other devices or to a central server or database. And most of these devices are “out there” — fixed to an outside wall or standing as a kiosk. Any edge device could potentially provide a malicious hacker with a gateway into the main network. And quite often, your IT team may not even know how many edge devices there are in your building at any given time, they may also not be aware of any of the vulnerabilities or aware of the risk their edge is exposed to.
For example, if your employee brings a smartphone into the office and it connects to your network, that device may immediately become a potential entry point, a vulnerability. The same goes for any other smart device. So while you may keep track of company-issued laptops with ease, IoT devices remain largely unmonitored and unnoticed — due to their sheer variety. That means it’s only a matter of time until they can become serious security threats. In fact, many IoT devices fall victim to attacks just five minutes after connecting to the internet.
Since attacks happen so fast, any vulnerabilities your devices can be exploited before you even know they exist. When you don’t know about a vulnerability until you have a breach, that’s called a zero-day attack. Zero-day attacks seem to come out of nowhere and are painfully common in the Internet of Things because of a lack of visibility; i.e., monitoring or plain visibility.
What more can you do?
Monitoring and maintaining IoT devices should be a huge priority for IoT device management in this digital age. Yet many enterprise stakeholders and IT teams don’t even know where to begin. So what are some things that are contributing to the security risk, and how can you respond to them?
If you don’t know how many (or what kind of) devices you’re dealing with, you can’t possibly maintain proper security. Start by letting your employees know that the smart devices they bring into the office could bring security risks with them. Then make sure you have visibility into all connected devices. No devices should be left totally unmonitored.
Another area that needs improvement is bridging the vast gulf between information technology (IT) and operational technology (OT) teams and processes. Many smart office devices, like HVAC systems and smart lighting systems (or even modern surveillance systems), are part of OT. So IT teams don’t have a whole lot of visibility into those systems. But OT doesn’t have the same kinds of strong security protocols as IT. So getting your IT and OT folks together to strategize can help you get a better understanding of possible vulnerabilities in your system.
What about security patching? IT teams generally keep on top of patches for computers and tablets. But who is keeping track of security patches for your IoT system and devices? Take your IoT security cameras, for example. In 2021, a critical software vulnerability in millions of IoT cameras came to light. The vulnerability, created by misconfigured encryption settings, would potentially allow malicious remote access to camera feeds. But in this case, manufacturers discovered the vulnerability before any major attacks came to light and immediately produced a security patch.
To respond properly, you would need to immediately apply that security patch. But the reality is that many team members remain unaware of upcoming patches and updates. So they don’t always apply them, and vulnerabilities that could easily be fixed end up getting exploited instead. As a result, your teams will have to manage an incident after the damage has been done instead of before. Keep a close eye on security patches and be sure to schedule updates and patching on a regular basis. A concern around patching is the entire workflow around how to patch in “waves” so as to avoid across-the-board downtimes.
Lastly, leave nothing to chance. Default security settings, such as default passwords and in some cases encryption settings, can provide an open door for hackers. So take the time to configure your devices and security settings and look for any anomalies or incorrect settings. You should also consider configuring automated alerts in the case of unauthorized changes or access.
Changes and more changes
The world of IoT changes by the minute. There are always new devices, new ways to introduce automation into everyday office work, and consequently new vulnerabilities. You’ll have to advance your security methods accordingly.
Thankfully, the same advances in technology that can bring vulnerabilities can also be used to automate security monitoring and alerts and get a comprehensive view of your IoT system. For example, you can connect IoT devices to your network and set up alerts to notify you immediately if there are any attempts at a breach. So smart office buildings can continue to advance and thrive, even in this constantly changing world of IoT security.