The Internet of Things (IoT) has found its way into all aspects of our lives. In particular, consumer IoT devices such as smart TVs, thermostats, smart speakers, fitness trackers and other devices are now used regularly in enterprises, either purchased by staff or brought in by employees.
This IoT insurgence represents a unique challenge since many of these devices are deployed without IT’s knowledge or not accounted for as a normal part of IT security planning, yet they have characteristics that can create serious vulnerabilities. While some IoT products are designed with strong security, many have a simple or non-existent user interface, default (or hardcoded) passwords, open hardware and software ports, limited local password protection, lack the ability to be updated, “phone home” frequently, collect more data than expected and use insecure backend services.
The consequences of using these devices range from unauthorized access to other enterprise systems, to surveillance via audio, video and data, to use of those devices to attack other connected devices or services. To help enterprise IT staff address these issues, the Internet Society’s Online Trust Alliance created this best practices checklist (ordered chronologically from installation through end of life) for use of consumer-grade IoT in enterprises.
Underpinning this list are several core concepts.
Enterprises should:
- Be proactive and fully consider the possible risks introduced by these devices
- Understand that IoT devices are likely more vulnerable than traditional IT devices
- Educate users on IoT device risks
- Strike a balance between controlling IoT devices vs creating “shadow IoT”
