IoT Workplace Policy

The IoT is the growing network of connected devices. There’s a lot of concern about Internet of Things security – or lack of security – today.

Internet of Things devices include smartphones, coffee makers, programmable thermostats, smart TVs, and medical and other wearable devices. Devices are embedded with sensors that allow data to be collected. They’re linked to the Internet so data can be accessed, uploaded, and further processed.

In a recent forecast, Gartner Inc. estimated that this year 6.4 billion connected ‘things’ would be in use around the world by consumers and enterprises. This is an increase of 30% compared to 2015. By 2018, the number is forecast to reach 11.4 billion.

Gartner also predicted that by 2020 more than 25% of identified attacks in enterprises will involve IoT.

Unfortunately, many IoT devices lack common security measures, which means cyber criminals can hack into devices resulting in data breaches and other crimes.

While breached wearable devices and cars seem to get the most headlines, there have been reported attacks against point-of-sale systems, ATMs, home routers, and industrial environments too.

As more connected devices generate big data, users should be concerned about securing that data against hackers.

What do organizations need to know about the Internet of Things and security?

  • Security Policy: It’s important to have a security policy for IoT device use in the workplace. Security and risk should always be assessed before purchasing smart devices.

  • Choice: Don’t purchase smart devices that are not protected or don’t comply with your security policy. Encourage IoT device manufacturers and service providers to implement security safeguards in their products.

  • Safeguards: Carefully review the security and privacy options of devices. There should be two-step authentication, firewalls, and anti-malware features. Create unique usernames and passwords instead of keeping the factory defaults. Check the manufacturer’s website for updates that address security vulnerabilities. (Avoid devices that don’t have effective security patching.)

  • Exfiltration: Understand the data ‘exfiltration’ (transfer of data) policy of the device. Find out what data is being exfiltrated to determine risks to your business.

  • Network protection: Use network monitoring and segmentation in workplaces to protect confidential information. Network segmentation is splitting a computer network into sub-networks to minimize access to sensitive information.

  • Remote access: Disable or block remote access, and only enable it when necessary, advised a Computer Weekly article. “If remote access to smart devices is enabled by default, it may be the device is ready to welcome any attack.”

  • Protected workplace: Have a comprehensive internal document management policy. Keep only confidential information that is needed for compliance purposes and business. Securely destroy information that is no longer needed. Partner with a trusted document destruction company that has a secure chain of custody and on- or off-site destruction services for paper documents and hard drives.

  • BYOD Policy: Having embraced a bring-your-own-device [BYOD] strategy, organisations must now get employee devices on the enterprise network and start addressing the IoT devices that we project will want access.

  • Secure all devices: Whether a video surveillance camera for a parking lot, a motion detector in a conference room or the HVAC for the entire building, the ability to identify, secure and isolate all IoT devices must be there.

  • Network access policy: After identifying all the devices attached to an enterprise network, IT departments will need to modify, or in many cases create from scratch, a network access policy as part of an enterprise policy enforcement strategy, determining if and how ‘things’ should be connected, and what roles they will be assigned that govern their access to the network.

  • Monitor device performance: Gartner advised that IT leaders would need to define connectivity policies, deploy packet sniffers to identify devices that might be performing undesirable actions, and in the case of IoT devices that use mobile radio standards such as Bluetooth or Zigbee, effectively plan for spectrum use.

  • Prioritization: Use virtual network segments to allow network architects to separate their IoT assets from other network traffic, and prioritise different segments according to their needs. For example, this could mean giving video surveillance data priority over lighting outside of office hours.

  • Privacy policy: With the advent of IoT, many organizations are collecting sensor-based data to optimize the workplace, and sensor-based tracking data to help employees reach their goals. The value of sensor data in the workplace will be in finding ways to both boost employees’ productivity and increase employee satisfaction by ensuring employees have the support needed to do their jobs successfully. As tantalising as these benefits are, companies must safeguard their employees’ privacy and secure their networks against hackers targeting these connected devices.
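One way to turn the Safeguards, Remote access, Secure all devices and Network access policy points above into an enforceable check: each device gets a role, the role fixes its isolated segment and the only peers it may reach (default deny), and devices without vendor patching are refused outright. This is an added example, not code from the article or from Gartner; the roles, segment names and the small device inventory are constructed assumptions.

```python
# Added example: roles, segments and inventory below are constructed, not real.
from dataclasses import dataclass, field
from typing import List, Optional

# Role -> isolated segment and the only peer segments it may reach (default deny).
ROLE_POLICY = {
    "camera": {"segment": "iot-video", "peers": {"video-recorder"}},
    "hvac": {"segment": "iot-building", "peers": {"building-mgmt"}},
}

@dataclass
class Device:
    name: str
    role: str
    vendor_patches: bool         # vendor still ships security updates?
    remote_access_enabled: bool  # remote management on by default?
    default_credentials: bool    # still on factory username/password?

@dataclass
class Decision:
    admit: bool
    segment: Optional[str]
    findings: List[str] = field(default_factory=list)

def evaluate(dev: Device) -> Decision:
    """Admit or refuse a device, place it in a segment, list what must be fixed."""
    if dev.role not in ROLE_POLICY:
        return Decision(False, None, [f"unknown role '{dev.role}': not in policy"])
    findings = []
    if not dev.vendor_patches:
        findings.append("no vendor security patching: do not deploy")
    if dev.default_credentials:
        findings.append("factory credentials in use: set unique username/password")
    if dev.remote_access_enabled:
        findings.append("remote access enabled by default: disable until needed")
    # Unpatchable devices are refused; the rest join their segment with findings to fix.
    admit = dev.vendor_patches
    return Decision(admit, ROLE_POLICY[dev.role]["segment"] if admit else None, findings)

def may_talk(role: str, peer_segment: str) -> bool:
    """Segment-level rule: a role reaches only the peers its policy lists."""
    return peer_segment in ROLE_POLICY.get(role, {}).get("peers", set())

# Constructed inventory for a small office.
INVENTORY = [
    Device("lot-cam-1", "camera", True, True, True),
    Device("hvac-main", "hvac", True, False, False),
    Device("old-thermostat", "hvac", False, False, True),
]
```

Running `evaluate` over `INVENTORY` admits the camera into `iot-video` with two findings to remediate, admits the HVAC controller cleanly, and refuses the unpatchable thermostat.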

Information security isn’t always this complicated. A clean desk policy is one of the simplest and most effective ways to protect confidential information in the workplace.