IoT devices can make work more fun and productive, but they also pose a security risk. It's time for HR, IT, and other departments to come together and create guidelines for using these products.
TechRepublic's Dan Patterson spoke with Steve Ranger, UK editor-in-chief, TechRepublic and ZDNet, about balancing the benefits and the security risks of having connected devices all over the office.
Patterson: Smart office devices can make work a heck of a lot easier to manage but they can also be a security nightmare ... Steve, what are the security risks of having a smart office device sitting next to you listening to everything you do?
Ranger: Well Dan, yeah. That kind of sums up a little bit of the problem. We've had a lot of smart devices in the home, so smart speakers, webcams, and kind of pretty much anything that you could connect to the internet and put some kind of processor inside. We've had those for quite a long time. What's happening now is those devices are kind of migrating into the office, so all the worries we had with security at home, privacy at home, are moving into the office as well. But part of the problem is that it's kind of like a bring your own device to the internet of things. You might bring in a smart speaker or you might bring in like a little weather station and have it on your desk because you think that's kind of cool but actually that's something with a microphone in. It might have a camera in it. It might be recording all sorts of data, and it's quite possible that the people running your office have no idea that you've done this so that's just one of the ways that we have a security problem here.
The other risks are that we bring these things in increasingly from a corporate point of view so that business are actually buying these devices themselves to make stuff more efficient or more effective. Again, we have to look at the security that these things, whether staff know they might be being recorded in some way, whether the HR policies are in place for that kind of thing. Then at kind of the mega level you have smart buildings, smart cities. Again, these things are being built now but often the security is one of the last things we think about because we're thinking too much about the advantages and less about the risks.
SEE: Internet of Things policy (Tech Pro Research)
Patterson: Yeah. I like the spectrum of scale there. That goes to everything from your or my desk, where there are likely smart speakers for individual use, all the way up to the corporate level where I'm glad you raised the idea of there needs to be HR and there needs to be policy created around smart devices in the office. Then at large scale in smart cities that, of course, leaves cities open to hacking. Steve, what are the hacking vulnerabilities here? Would an attacker have to access say Amazon, or Google, or Facebook, or Microsoft's servers or are there other vulnerabilities involved with hacking a smart office device?
Ranger: It really depends because there are lots of different technologies at play here. If you look at some of these consumer devices that people might bring into the office, a lot of these are very secure and very well-designed but there are also the ones out there that have no security whatsoever or are incredibly easy to circumvent security. Just as those are a risk in the home, those are a risk in the office and it could well be that your IT people don't even know that you've got it on your desk so the fact that it has no security on it or that someone can break into it really easily can turn this into a spying device straight on your desk.
Looking at the bigger kind of issues like smart building systems, those have actually been around for quite some time. A lot of those have been configured badly or just installed badly. You might think, "Well who cares if someone could access my door controls?" Well then you think, "Well, what if all the doors are locked in my building every day? I can't get in. What if I'm a retailer, and the shutters come down in my retail stores? No one can do any work." So there are different levels of security.
One of the problems is, certainly with internet of things devices, is that there's a kind of a lack of policy. The IT people in the organization think it's a form of HR. HR think it gets down to all the people that run the office like the facilities people. Facilities don't have much of a clue about the technical intricacies of these devices. So all these groups actually have to come together and say, "All right, we're going to have a policy. We're going to have some sort of understanding of what the risks here are. What the HR risk is. What the technical risk is. What the risk to the building is." Too often that doesn't happen, so that you really need to have policy and for all of these different groups involved to come together and think about what the potential risks are here.
Patterson: Yeah. Balancing risk versus reward is just a reality of doing business and part of every company's digital transformation these days. Steve, where can people go to learn more about managing security along with the additional benefits of IoT in the office?
Ranger: Sure. I mean, we have a whole load of content on the internet of things, all sorts of data. It is important to point out that there is a huge amount of benefit from these products. We shouldn't just think about the risk because they can make you more efficient. They can make the office more fun. They can make just the productivity levels can go up, the efficiencies levels can go up if we have these devices that just kind of like take away a little bit of the office friction that can make us grumpy and kind of just like make life harder. There is a really good reason to bring these things into the office. We just need to think a little bit more carefully about it before we switch those devices on.
- What is the IoT? Everything you need to know about the Internet of Things right now (ZDNet)
- Securing the IoT: A question of checks and balances (ZDNet)
- IoT security: What you should know, what you can do (free PDF) (TechRepublic)
- 97% of risk pros say IoT cyberattack would be 'catastrophic' for their business (TechRepublic)
- As IoT attacks increase 600% in one year, businesses need to up their security (TechRepublic)
- IoT security spending to hit $1.5B in 2018 as targeted cyberattacks grow rampant (TechRepublic)
- IT leader's guide to cyberattack recovery (Tech Pro Research)