The biggest threat to your business could be the new coffee maker in the break room. In the wrong hands, it can cause more damage than any rival company ever could.
Companies are bringing a bevy of connected devices into the workplace to boost productivity and reduce expenses. All types of office items are getting linked to the internet, including HVAC systems, connected lights, security cameras, printers, and even smart coffee machines. The growth in this area is explosive. By 2025, the smart office industry will be worth $57 billion.
However, a serious security problem has emerged as offices become more connected. These smart devices have minimal security precautions in place, creating a target-rich environment for hackers. Once a criminal compromises an IoT device within the company network, they can use that machine as a jumping-off point to target other valuable data within the system.
Exacerbating the issue, most IoT devices are designed for the consumer market and lack the added levels of security needed for the enterprise space. Moreover, security is not a priority for the myriad of device manufacturers desperately trying to gain a foothold in the IoT industry.
For a hacker, an office represents a much more lucrative opportunity than anything they could uncover in a single-family home. Why steal one credit card number from a consumer when you can steal 100 million card numbers from a corporation?
The number of IoT security incidents has skyrocketed. A report from security firm Symantec noted that IoT attacks grew 600% from 2016 to 2017. Additionally, a survey from Gartner found that in the last three years, almost 20% of firms had experienced at least one IoT attack.
These IoT hacks come in all shapes and sizes. The infamous Target breach, in which criminals stole 40 million credit card numbers, was possible because hackers used the retailer’s connected HVAC system as a gateway into the rest of Target’s network. In 2016, hackers gained control of hundreds of thousands of IoT devices, like smart televisions and refrigerators. The criminals then used those smart devices to deploy an enormous denial-of-service cyber attack that temporarily crippled popular websites including Netflix, Reddit, and Twitter. Last year, 50,000 hacked printers began spitting out pages promoting a YouTube celebrity, a breach that Forbes acknowledged required only basic hacking abilities.
Now businesses are introducing smart speakers like the Amazon Echo and Google Assistant into their office environments. Last year, Amazon launched Alexa for Business, which allows companies to build personalized skills for their organization. Workers can do everything from purchasing supplies with their voice to easily obtaining sales data.
However, the devices raise some thorny security issues. In 2018, Chinese researchers found a security vulnerability in the Amazon Echo, which allowed them to gain control over the device through the corresponding Wi-Fi network. Once the researchers had control, they could record audio from the speaker’s microphone and transmit that content over the internet back to the scientists. After the researchers notified Amazon, the tech giant quickly released a software patch to prevent this type of eavesdropping from occurring. While hacks on smart speakers do not appear to be a reality outside of research labs, their presence in the office raises serious security concerns. Having an Amazon Echo in the boardroom while discussing a lucrative merger could be a recipe for disaster.
Additionally, The New York Times reported that smart speakers can be vulnerable to “dolphin attacks,” which are hidden messages at high frequencies that cannot be heard by human ears. Criminals can embed these hidden commands in songs and other audio. A consumer could be listening to an edited version of a Taylor Swift song, and the inaudible message can prompt their Google Assistant to wire funds or make online purchases.
Dealing with the security concerns inherent in a connected office requires a comprehensive security strategy. However, companies can immediately take these three steps to reduce their exposure to potential hacks.
Change Passwords and Update Software
Shockingly, most IoT models come with the same default username and password on every device. Most consumers never change these credentials, leaving the machine completely open to malicious actors. This default login information is readily available for hackers to reference on the internet. Changing passwords when initially connecting a device goes a long way in thwarting criminals. Once the smart device is installed, be sure to keep applying the manufacturer's software patches, which fix known security issues.
Establish a Policy for IoT Devices
Senior management should devise a policy to determine which types of devices workers can bring into the office environment. When deciding on the worthiness of a device, balance the benefit of the technology with the potential risk. Be sure to find manufacturers that use strong security protocols and continuously patch known software vulnerabilities. Introducing devices from an unproven startup might be particularly risky. If that company goes out of business, its devices will be left vulnerable without anyone to handle security issues.
This process can be challenging since some hardware makers fail to release all the relevant specs on their devices. Google launched a home security system called the Nest Secure, but failed to divulge to consumers that the product had an embedded microphone.
An integral part of this policy involves educating employees about the dangers that IoT devices can pose to an organization. Some workers might be upset their favorite coffee machine is banned, but will likely be more understanding when they are informed that IBM estimates that the average cost of a data breach worldwide is $3.9 million.
Build an Independent Network for IoT Devices
Given that hackers can use unsecured connected devices as a jumping-off point to access more valuable assets, businesses should create a separate Wi-Fi network for IoT devices. By building an isolated network that is insulated from the central network, they can limit their potential exposure. With a secondary network, a malicious actor who hacks the HVAC system at company headquarters won’t be able to gain access to more valuable assets.
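
The three steps above can be checked against a device inventory. The following script is an added example, not part of the original article: it flags devices that still use default credentials, run outdated firmware, are not on the approved list, or sit outside the isolated IoT network. The inventory, device names, subnet and version numbers are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical): the isolated IoT network is one subnet.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed inventory: every name, address and version below is made up.
INVENTORY = [
    {"name": "breakroom-coffee", "ip": "10.0.5.23", "default_creds": True,
     "firmware": "1.0.2", "latest": "1.4.0", "approved": False},
    {"name": "hvac-controller", "ip": "10.20.0.11", "default_creds": False,
     "firmware": "3.2.1", "latest": "3.2.1", "approved": True},
    {"name": "lobby-camera", "ip": "10.20.0.40", "default_creds": False,
     "firmware": "2.9", "latest": "2.10", "approved": True},
]

def version_tuple(version):
    """Split '2.10' into (2, 10) so it compares as newer than '2.9'."""
    return tuple(int(part) for part in version.split("."))

def audit_device(dev):
    """Return the list of findings for one device, empty if it passes."""
    findings = []
    if dev["default_creds"]:                       # step 1: passwords
        findings.append("default credentials not changed")
    if version_tuple(dev["firmware"]) < version_tuple(dev["latest"]):
        findings.append("firmware out of date")    # step 1: updates
    if not dev["approved"]:                        # step 2: device policy
        findings.append("not on the approved-device list")
    if ipaddress.ip_address(dev["ip"]) not in IOT_NET:
        findings.append("outside the isolated IoT network")  # step 3
    return findings

def audit(inventory):
    """Map device name to findings, listing only devices that fail a check."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: " + "; ".join(findings))
```

Comparing versions as integer tuples matters here: a plain string comparison would treat firmware 2.9 as newer than 2.10 and miss the outdated camera.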