Internet of Things (IoT) devices will bring a bevy of benefits to businesses, including productivity, energy savings, efficiency, safety and so much more. So it’s no wonder the smart office market is forecast to nearly double by 2023, according to a study by Mordor Intelligence.

But smart devices also present a new and growing security threat. Any smart device connected to the company Wi-Fi, officially sanctioned or otherwise, can present a risk to the network. Or, in other words, your company’s next major security risk may come from a device as seemingly innocent as the coffee machine.

In fact, the security risk from IoT devices has become one of the hottest and most vexing topics of discussion within the cybersecurity community.

Why We Need New Categories for IoT Devices in the Enterprise

Technology buyers are presented with smart devices in predictable categories, such as “device management,” “security,” “safety automation,” “heating, ventilation and air conditioning automation,” “smart ergonomics” — the list goes on and on.

From a security standpoint, however, we need new ways of thinking about workplace IoT devices — by which I mean new categories. Let’s take a closer look at four categories for smart office devices from a security point of view.

1. USB-Powered Gadgets

The bring-your-own-device (BYOD) challenge persists. In the past, we understood and could predict what endpoints employees would bring into the enterprise network. But when those devices are IoT smart office gadgets, it’s almost impossible to guess what will show up, how it will work and what the implications are for security.

The most innocuous-seeming general category of devices might be anything that gets power from a USB port. These devices include cup warmers, reading lights, fans, desktop humidifiers, Wi-Fi extenders — you name it. They don’t seem to make an office particularly “smart.”

What’s troubling about this category is that while these devices ostensibly use USB ports for power only, they are in fact plugging into a data port. Any of these devices could contain storage, processing and a malicious payload. Most are bought cheaply and manufactured overseas by no-name companies.

To an IT security professional, the practice of blindly purchasing connected devices is functionally equivalent to finding a USB thumb drive in the parking lot and plugging it into a system inside the firewall.

2. Spy Tech

Anything with a camera or microphone could expose company secrets. We’re entering an age of smart speakers and displays, which were initially aimed at consumers but are now headed for the enterprise. These devices normally work by capturing audio with microphones and storing it on a remote server.

Of somewhat less concern are the cameras, which could be used to spy on a room in the same way that some attackers have been able to hijack the cameras in laptops. It’s very early days for these devices, and the security implications won’t be hammered out for years. In the meantime, the harvesting and off-site storage of audio, video and photographs continues.

3. DDoS Robots

Office IoT devices can be hijacked and dragooned into service as part of a distributed denial-of-service (DDoS) attack.

Last year, the IoT_Reaper botnet shut down major internet providers by taking over millions of IoT devices. It focused mostly on exploiting known security flaws and targeted mainly security cameras, DVRs, and other camera-based devices and major-brand routers.

4. Orphan Devices

The introduction of smart office devices may involve a handoff in responsibility from facilities to IT. Any office equipment that plugs into the building’s electrical outlets but not the network probably falls under the purview of facilities. Anything that plugs into the network — or plugs into a device that plugs into a network — is likely IT’s problem.

A whole range of devices is being orphaned in the transition to smart workplaces. Devices normally managed by facilities are increasingly connecting to the network as part of a larger push for the smart office. Yet, in many cases, these devices are still managed by facilities — or they’re left in a kind of orphan state where nobody’s really paying attention to what the devices are up to.

Let’s say conventional thermostats are replaced with “smart” thermostats, for example. Is IT involved in the purchase? Are these devices getting updates from the manufacturer? Are they getting “updates” from individuals or organizations that are not the manufacturer? Chances are, these devices are falling through the cracks with nobody managing the security end of things.

The purpose of these categories is to clarify responsibility and the actions that need to be taken to protect against the specific risks associated with each type of device.

How to Manage the Smart Office Smartly

Industry groups are working to figure out the larger issues around IoT security inside enterprises, but you can’t afford to wait. Here’s what you and your organization can do right now to protect yourselves from new threats posed by smart devices:

  • Develop an IoT strategy. This should include, among other things, a ban on devices that cannot or will not get security patches and updates from the manufacturer. It should also include a policy of disabling all unused features for smart office equipment.
  • Maintain an inventory of every smart device. Make sure the database includes details about the manufacturer, how updates are handled and security specifics. A centralized inventory helps facilitate communication between departments and among new hires.
  • Train employees about the special risks associated with IoT devices. Everyone needs to be as leery about USB-powered cup warmers as they are about thumb drives.
  • Actively share information across departments and vendors about security-related events that take place with smart office devices.
  • Invest in a unified endpoint management (UEM) system. Make sure you select a solution that covers IoT devices just like it does other computing categories.
  • Use strong password management tools. Institute the same stringent password requirements for IoT devices as you would networked computers. Above all, change and manage the default passwords for IoT devices that have them. Attackers know the default passwords and will search for them.
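The recommendations above (inventory, patch policy, ownership, default passwords, unused features) can be applied mechanically to an inventory. The following is an added example, not code from the original article: it encodes the article's rules as checks over a constructed device list, with hypothetical device names and vendors.

```python
# Constructed smart-office inventory check (added example, not the article's own code).
# Article rules: no vendor patches -> ban; unused features -> disable; default password
# -> change; network-connected (directly or via another device) -> IT owns it, else facilities.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Device:
    name: str
    manufacturer: str
    vendor_patches: bool            # does the manufacturer ship security updates?
    network_connected: bool         # plugs into the network, or into a networked device
    owner: Optional[str]            # "IT", "Facilities" or None (orphan)
    default_password_changed: bool
    enabled_features: Set[str] = field(default_factory=set)
    used_features: Set[str] = field(default_factory=set)

def expected_owner(d: Device) -> str:
    """Network-connected gear is IT's problem; everything else stays with facilities."""
    return "IT" if d.network_connected else "Facilities"

def check_device(d: Device) -> List[str]:
    """Policy findings for one device; an empty list means compliant."""
    findings = []
    if not d.vendor_patches:
        findings.append("BAN: no manufacturer security updates")
    if d.owner is None:
        findings.append("ORPHAN: no department owns this device")
    elif d.owner != expected_owner(d):
        findings.append(f"REASSIGN: owned by {d.owner}, should be {expected_owner(d)}")
    if not d.default_password_changed:
        findings.append("DEFAULT-PASSWORD: change and manage the credential")
    unused = sorted(d.enabled_features - d.used_features)
    if unused:
        findings.append("DISABLE: unused features " + ", ".join(unused))
    return findings

def audit(devices: List[Device]) -> Dict[str, List[str]]:
    return {d.name: check_device(d) for d in devices}

# Constructed sample inventory; device names and vendors are hypothetical.
INVENTORY = [
    Device("lobby-thermostat", "AcmeHVAC", vendor_patches=True, network_connected=True,
           owner="Facilities", default_password_changed=False,
           enabled_features={"wifi", "remote-admin", "telnet"}, used_features={"wifi"}),
    Device("desk-fan-12", "NoName", vendor_patches=False, network_connected=False,
           owner="Facilities", default_password_changed=True),
    Device("meeting-room-speaker", "VoiceCo", vendor_patches=True, network_connected=True,
           owner=None, default_password_changed=True,
           enabled_features={"mic", "cloud-upload"}, used_features={"mic"}),
]
```

Running `audit(INVENTORY)` returns one finding list per device; the thermostat is flagged for reassignment to IT, an unchanged default password and two unused services, the fan is banned for lacking vendor updates, and the speaker is an orphan.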

The smart office is ushering in a better work environment, but it’s important to address security gaps sooner rather than later. After all, expanding your workplace network without managing security just isn’t very smart.
