All the pricey firewalls and data loss prevention packages can’t stop end users from, well, being end users. As the Internet of Things (IoT) adoption increases in enterprises, it also adds more endpoints that can open up an organization to a security breach. Add in end users who haven’t been properly briefed on security, and the result can be a gaping hole in security strategy. Since threats rapidly evolve and change, experts advise regularly checking in with end users.

Unwitting end users can bring down the organization without even realizing it. According to Mike Baker, founder and managing partner of Mosaic451, employees are the biggest risk to security. Most of the largest data breaches, phishing scams, and ransomware issues stem from hackers successfully exploiting end users to gain access to systems, he said.

“The proliferation of mobile devices like smartphones and tablets has also made the human element even more vulnerable because this area of security is often overlooked.” Employees need training on information security practices, and this training needs to be ongoing, he added.

Set expectations for employees and train accordingly

From day one, organizations need to set expectations for employees regarding IoT security, said Kevin Lancaster, CEO of ID Agent. In addition, this needs to be a framework that employees can relate to and understand.

“Widely available, generic, one-size-fits-all security awareness training is woefully missing the mark,” Lancaster said. Employees will often rush through training modules peppered with multiple choice questions. What they really need is to be able to relate the training to their specific roles in the organization, using specific examples.

“By implementing customized, position-specific, and regular security awareness training, everyone on the team can help ensure that the business stays safe and avoids the painful and expensive consequences of a security breach,” Lancaster said.

For example, something as innocuous as a home garage door opener could leave an organization vulnerable. Suppose the opener uses a web-based platform to open the door when the car nears the house, its alerts go to a work email account, and its password shares a root with the employee's network password. That employee has just opened a hole for hackers to exploit, Lancaster explained.

Emphasize the importance of passwords

Creating a strong password seems obvious to an information security professional, but an end user’s definition of “strong” may be different. Users may also pick passwords that are easy to remember so they don’t have to ask for a reset. Either habit leaves the organization open to breaches and attacks.

“Companies striving to strengthen their security policies should encourage employees to use better password practices,” said Destiny Bertucci, head geek at SolarWinds. She suggested using password generators to create the passwords and password vaults to store them, so that end users can still retrieve a password if they forget it.

Stay on top of new security risks

Making users aware of risks is only a first step in end user education, said Geoff Webb, vice president of strategy at Micro Focus. “Bringing devices into the workplace that are poorly secured is going to continue to grow as an area of risk, and attackers are going to be looking more and more at this as a way to backdoor in past traditional security controls.” And the line between personal and business devices continues to blur.

IT departments need to probe into the devices being introduced by users, asking what types are being used and how they are configured, Webb said. It’s also important to ensure that users know where to go for more information and configuration help to keep devices safe and secure.

New stakeholders may need to be brought into the fold as well, Webb said. For example, building management may want to switch to smart light bulbs to save power and improve control. However, these devices could pose a risk to the organization if they are not configured properly or vetted by the security team.

Above all, end users need to understand the personal aspect and how IoT security lines blur when personal devices are also part of corporate life. “After all, if a user brings a compromised device into the network, they will not only be opening up an avenue for hackers to steal corporate data, but also quite possibly their own personal information from home too. The blurring of the line between home and work affects everyone in both directions, and now business risk becomes part of our own, daily lives,” Webb said.

For IT professionals, that means laying out the risks, keeping in touch with end users, and emphasizing the importance of proper security measures. IoT is only becoming more prevalent, and end users may be one of the best defenses against breaches.