IoT Series: Risks In The Connected Workplace
In analysis / By Jonathan Camhi / 26 September 2016
In the near future, the connected workplace will help companies and their employees thrive by tracking workplace activity, space and equipment utilisation, and individuals’ work habits.
Data from connected sensors and other devices will help make work spaces better suited to employees’ needs while improving interactions between employees, managers, and customers.
However, implementing this connected workplace will be a staggering headache for enterprise IT departments – and a spectacular opportunity for hackers.
Over the years, IT departments have had to cope with massive expansions in the number of devices running on corporate networks. With the rise of remote workers, more personal laptops, desktops, and mobile devices have access to enterprise systems and databases.
IT departments have to constantly reformulate security strategies to account for more and more devices running an ever-increasing variety of operating systems.
Security teams are often not even aware of how much access different devices have to corporate systems, forcing them to constantly play catch up and handle security vulnerabilities after the fact, rather than taking a proactive approach to security.
Adding networks of connected sensors, thermostats, lights, and door locks to the workplace will mean the variety of devices and software that IT teams must secure can quickly spin out of control.
An office with 50 or 100 computers connected to its network could easily have more than 1,000 different connected IoT devices positioned around the premises. From an IT security standpoint, this can be like driving a fuel tanker into a burning house.
Traditional IT security measures like antivirus programs and regular software patching won’t work with many IoT devices. Small devices like sensors and smart lights don’t have the memory and computing power to run typical security programs, and many IoT vendors don’t regularly update their products’ software for vulnerability patches.
That means each of these small devices could represent a vulnerable entry point that hackers can exploit to infiltrate enterprise networks.
Hacking a tiny sensor that tracks activity around an office or warehouse probably isn’t a valuable proposition for most cyber criminals. But if that sensor can be used to penetrate the company’s network, then that sensor becoms a very valuable target.
Once into the network, hackers can infiltrate more valuable targets like employees’ computers or corporate databases. They can also potentially spy on network traffic to gather information about company operations for corporate espionage.
Compromised connected devices in the workplace can also put employees’ privacy at risk. Hackers that gain entry to tracking sensors around the office or store floor will gain access to the same tracking information that companies use for performance evaluations.
Hackers that get into corporate networks could also monitor data from tracking devices or break into databases where that data is stored. This can open up companies to fines and legal actions under the UK’s Data Protection Act that charges companies with safeguarding any employee monitoring data they collect.
To prevent such cyber intrusions will require security teams put in place policies and network protections that isolate vulnerable IoT devices from other assets. Network segmentation tools like firewalls and virtual LANs can isolate sensitive IT assets from vulnerable network connections like smart sensors and thermostats, preventing unauthorized access to those sensitive assets.
Companies also need to monitor the network connections to their IoT devices for signs of intrusions. If a sensor that only occasionally transmits some tracking data suddenly becomes a hub of network activity, security teams need to react quickly.
Setting up filters that alert security teams of communications between devices that normally don’t interact with each other can also provide early warning that someone has hacked a device.
Lastly, tracking data from IoT devices needs to be encrypted to prevent that data from falling into criminal hands.
These security measures and policies need to be implemented from the outset of any IoT project in the workplace so security teams can stay ahead of any breaches. Otherwise that new connected coffee machine in the office could become an open invitation for hackers to peak into your company’s network and see what they’d like to take off with.