It shouldn’t be news to you that connected Internet-of-Things (IoT) devices are hackable; we’ve heard about hacks of baby monitors, cars, and more, and the recent Dyn attack used an “army” of over 100,000 IoT devices to overwhelm sites and servers worldwide. What you may not realize is that your business is vulnerable if just one personal or work-related IoT device is on your internal network. If that device has inadequate security, it can provide an attacker with easy access to your network as a whole. With that in mind, let’s review the implications of having unauthorized IoT devices on your network, then look at how to counteract them.
Understanding Your Risk
There are literally billions of IoT-connected devices in the world right now. An unsecured device like a fitness monitor or wireless speaker may seem innocuous, but it could be just the gateway a hacker is looking for. If an employee brings such a device to work and connects to the network but hasn’t taken the proper steps to secure the device (such as implementing all security options or not changing the default password), it could be all that’s needed for a hacker to view and possibly access any other device on the company network. On top of this issue, too many unauthorized devices on your network will eat up bandwidth and cause connection issues, impacting the productivity of everyone else on the network.
You may think you’re in the clear if you already require employees to connect personal devices to a secondary guest network, but problems on this network can affect customers or vendors trying to work on-site. Slow bandwidth will also hinder these users’ productivity, as well as leave them with a negative impression of your organization’s tech capabilities. More importantly, your employees’ IoT usage may put customers’ and vendors’ devices at risk due to the same security issues that threaten your primary internal network when the IoT devices are connected there instead.
A New Best Practice to Stay Safe
Rather than putting your primary or secondary networks at risk, we’d recommend a new IoT best practice that we hope will become a trend among businesses: Utilize three separate networks on premises.
This would include your internal network (primary) for all business-related devices, a customer or guest network (secondary) for any non-employees who need to connect when they’re on-site, and a separate IoT network for employees’ non-work devices, including their smartphones, streaming devices, and any other connected device they bring to work.
The benefits of this approach are numerous. Firstly, simply saying, “NO!” and trying to outlaw all personal devices on your internal network is just unrealistic. Many employees will think their device is an exception to the rule, or they won’t see the harm in connecting just one device to the network. But if employees have a dedicated network they are free to use their devices on, the damage an attacker can do will be drastically limited if a personal device is hacked because the hacker will be unable to reach any official business devices. Providing Wi-Fi for personal devices is also an employment perk that many millennials and others employees will view favorably, and may even come to expect from their employer.
How to Implement
It’s important to remember that you can’t just set up this new network and hit the ground running; the implementation of a segmented IoT network will require an updated and publicized BYOD policy. It needs to be made clear what devices should connect to what network, as well as what kind of usage is permitted on each network. It should be forbidden to connect a personal device to the internal network unless there is an authorized business reason for doing so.
Finally, security standards for personal devices on the network should be established. If the device can use a PIN, password, or other authentication measure, it should be active, and restricted privacy and security controls should be turned on where possible. Your goal above all else with implementing this designated network is to stop exposing your business to unnecessary risk, and it’s important that employees understand the crucial part they play in that undertaking.