The Internet of Things is still in its infancy, but as devices become increasingly networked, the security implications are starting to cause headaches for businesses. For a company, unlike a consumer, “getting hacked” translates much more immediately into reputational damage, lost revenue, or even compensation claims.
The biggest risk to a company’s online security comes from its employees, says Jack Warner, cybersecurity expert at TechWarn. Poorly trained staff or a lack of clear IT policies encourages reckless behaviour and careless handling of sensitive data. Employees might not be aware of a device’s features and risks, or might lack the security-aware mindset needed to notice a potentially damaging leak.
More than ever it is important for organisations to have all office equipment reviewed by a security-conscious team of engineers. There must be clear policies for what data devices are allowed to collect, where that data may be sent, and how it must be handled. The policy must apply equally to devices owned and deployed by the company and to devices owned by employees and brought into the office.
Case study: Fitness app data
In November 2017, the fitness app Strava published a global heat map built from the activity data uploaded by its users. Even though the data was aggregated and anonymised, it drew wide attention in January 2018 when analysts noticed that it revealed the locations of military bases, some of them undisclosed: soldiers had worn their fitness trackers while jogging around the base, going on patrol, or working out, and the map faithfully rendered those tracks.
The workout routes outlined the size and layout of the bases, allowed a rough estimate of how many soldiers were stationed there, and even hinted at patrol routes and their frequency. Anonymisation removed the users’ identities, but the sensitive information was the location itself, and aggregating thousands of runs is exactly what made the bases stand out against their surroundings. The Strava heat map represented a significant security risk for the operation of U.S. forces and was entirely self-inflicted.
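To make concrete why “anonymised” did not mean “harmless” here, the following Python script, added to this post and not Strava’s data or code, takes a constructed set of GPS points carrying no user identifier at all (repeated laps around a hypothetical rectangular perimeter, mixed with random background activity over a wide area), buckets them into grid cells the way a heat map does, and reports the connected clusters of busy cells together with their footprint. The coordinates, cell size and density threshold are assumptions chosen for the illustration; it uses only the standard library.

```python
"""Added example: aggregated, anonymised GPS points still reveal a site.

Nothing here is Strava's data or code. The coordinates are constructed
around a hypothetical location, and no point carries a user identity,
timestamp or activity name. The inference below works on density alone.
"""
import random
from collections import Counter, deque

CELL_DEG = 0.002          # grid cell size in degrees (~220 m north-south); assumption
KM_PER_DEG_LAT = 111.0    # rough conversion, good enough for a footprint estimate


def constructed_points(center=(34.5000, 69.2000), laps=50, background=2000, seed=42):
    """Constructed sample: `laps` runs around a rectangular perimeter centred on
    `center`, plus `background` random points spread over a 1x1 degree area.
    Returns plain (lat, lon) pairs; there is deliberately nothing else."""
    rng = random.Random(seed)
    lat0, lon0 = center
    half_lat, half_lon = 0.004, 0.006   # perimeter roughly 0.9 km x 1.3 km
    corners = [(lat0 - half_lat, lon0 - half_lon), (lat0 - half_lat, lon0 + half_lon),
               (lat0 + half_lat, lon0 + half_lon), (lat0 + half_lat, lon0 - half_lon)]
    pts = []
    for _ in range(laps):
        for i in range(4):
            (a_lat, a_lon), (b_lat, b_lon) = corners[i], corners[(i + 1) % 4]
            for s in range(20):                       # 20 samples per side
                t = s / 20
                pts.append((a_lat + (b_lat - a_lat) * t + rng.gauss(0, 0.0002),
                            a_lon + (b_lon - a_lon) * t + rng.gauss(0, 0.0002)))
    for _ in range(background):                       # unrelated activity nearby
        pts.append((lat0 + rng.uniform(-0.5, 0.5), lon0 + rng.uniform(-0.5, 0.5)))
    rng.shuffle(pts)                                  # order carries no information
    return pts


def density(points, cell=CELL_DEG):
    """Bucket points into grid cells. This is what a heat map renders;
    floor division keeps negative coordinates in the right cell too."""
    return Counter((int(lat // cell), int(lon // cell)) for lat, lon in points)


def hot_sites(points, cell=CELL_DEG, min_count=10):
    """Group cells with at least `min_count` points into 8-connected clusters
    and describe each cluster's footprint: cell count, point count, lat/lon
    range in degrees and north-south extent in km."""
    counts = density(points, cell)
    hot = {c for c, n in counts.items() if n >= min_count}
    seen, sites = set(), []
    for start in sorted(hot):
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:                                  # flood fill over hot cells
            ci, cj = queue.popleft()
            comp.append((ci, cj))
            for di in (-1, 0, 1):
                for dj in (-1, 0, 1):
                    nb = (ci + di, cj + dj)
                    if nb in hot and nb not in seen:
                        seen.add(nb)
                        queue.append(nb)
        lats = [i for i, _ in comp]
        lons = [j for _, j in comp]
        sites.append({
            "cells": len(comp),
            "points": sum(counts[c] for c in comp),
            "lat_range": (min(lats) * cell, (max(lats) + 1) * cell),
            "lon_range": (min(lons) * cell, (max(lons) + 1) * cell),
            "extent_km_ns": (max(lats) - min(lats) + 1) * cell * KM_PER_DEG_LAT,
        })
    return sites


if __name__ == "__main__":
    for site in hot_sites(constructed_points()):
        print(site)
```

Running it reports a single site of a bit over a kilometre north to south at the constructed location, while the two thousand background points never reach the threshold anywhere. No name, user ID or timestamp was needed: the same aggregation that makes a heat map useful is what makes a perimeter stand out, which is why stripping identities from the records does nothing for the location itself.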
Information like this can just as easily harm a commercial organisation. Testing locations, scouting locations, or delivery routines may well be an organisation’s well-guarded intellectual property, and a handful of employees carrying location-aware devices is enough to reveal them.
There are plenty of other devices that employees might casually use that reveal sensitive data. Staff phones record their location and are used to take pictures. Employees might inadvertently share their location through social media, or use a smart scanner app on their phone to convert sensitive documents to PDF, which may pass them through the app vendor’s servers. Passwords might be pasted into the draft folder of a personal email account, or customer information might land in an employee’s personal contact list, from where it gets uploaded to various apps.
Networked devices in offices
When information security is not taken into consideration from the very start, the typical office may already be full of devices that do not respect privacy and leak data. For example, a printer may retain copies of printed documents on its internal storage for a long time (or even upload them to a cloud printing service), and air purifiers may send the data they collect to a central server.
Even systems like thermostats, lamps, or door locks often come with network capabilities and might share their data with advertisers or at least with a central cloud service. At a minimum, this opens up opportunities for intruders or competitors to get at company secrets. A practical first step is to put such devices on their own network segment and log what they talk to: a device that only needs firmware updates has no reason to resolve dozens of hostnames.
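As a concrete version of that check, here is a small Python audit script, added here and not part of the original post or of any vendor’s product. It reads a constructed DNS resolver log (the line format, addresses, hostnames and the device inventory are all made up for the example) and reports every query from a device on an assumed IoT VLAN, 10.20.0.0/24, whose destination is not on that device’s allow-list, as well as queries from devices on that VLAN that are missing from the inventory entirely.

```python
"""Added example: flag office IoT devices talking to destinations nobody approved.

The resolver log below is constructed for this example (it is not the format
of any particular resolver), as is the inventory of devices and the cloud hosts
each is permitted to reach. The IoT VLAN address range is an assumption.
"""
import ipaddress
import re
from collections import Counter

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) q=(?P<q>\S+) type=(?P<type>\S+)$")

IOT_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed IoT VLAN

# Constructed inventory: device name and the hostnames it is allowed to contact.
INVENTORY = {
    "10.20.0.15": ("printer", {"fw.printer-vendor.example"}),
    "10.20.0.22": ("air purifier", set()),            # no cloud access approved
    "10.20.0.31": ("thermostat", {"ntp.corp.internal"}),
    "10.20.0.40": ("smart lock", {"updates.lockvendor.example"}),
}

# Constructed log lines: one day of a resolver that serves both the office and
# the IoT VLAN. The 10.10.x.x client is a workstation and is out of scope.
CONSTRUCTED_DNS_LOG = """\
2024-03-05T09:12:03Z src=10.20.0.15 q=fw.printer-vendor.example type=A
2024-03-05T09:12:07Z src=10.20.0.15 q=cloudprint.printer-vendor.example type=A
2024-03-05T09:13:41Z src=10.20.0.22 q=telemetry.airpurifier.example type=A
2024-03-05T09:14:02Z src=10.20.0.31 q=ntp.corp.internal type=A
2024-03-05T09:14:05Z src=10.20.0.31 q=metrics.adnetwork.example type=A
2024-03-05T09:20:10Z src=10.20.0.40 q=updates.lockvendor.example type=AAAA
2024-03-05T09:21:00Z src=10.20.0.22 q=telemetry.airpurifier.example type=A
2024-03-05T09:25:17Z src=10.10.5.8 q=mail.corp.internal type=A
2024-03-05T09:30:44Z src=10.20.0.77 q=cdn.unknown-vendor.example type=A
"""


def permitted(domain, allow):
    """True if `domain` equals an allowed name or is a sub-host of one.
    The dot in the suffix check stops 'vendor.example.evil' from matching."""
    d = domain.rstrip(".").lower()
    return any(d == a or d.endswith("." + a) for a in allow)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()


def audit(log_text, inventory=INVENTORY, iot_net=IOT_NET):
    """Return a list of findings for IoT-VLAN clients resolving names that are
    not on their allow-list, or that are not in the inventory at all."""
    findings = []
    for rec in parse(log_text):
        src = ipaddress.ip_address(rec["src"])
        if src not in iot_net:
            continue                                  # workstations/servers: different check
        entry = inventory.get(str(src))
        if entry is None:
            findings.append({"ts": rec["ts"], "src": str(src), "device": "UNKNOWN",
                             "domain": rec["q"], "reason": "device not in inventory"})
            continue
        name, allow = entry
        if not permitted(rec["q"], allow):
            findings.append({"ts": rec["ts"], "src": str(src), "device": name,
                             "domain": rec["q"], "reason": "destination not on allow-list"})
    return findings


def summarise(findings):
    """Count findings per (device, domain) so repeated beacons show up as one line."""
    return Counter((f["device"], f["domain"]) for f in findings)


if __name__ == "__main__":
    for (device, domain), n in sorted(summarise(audit(CONSTRUCTED_DNS_LOG)).items()):
        print(f"{device:14} -> {domain:40} {n}x")
```

Pointing this at real resolver logs means adapting the regular expression to the resolver’s own format (dnsmasq, Unbound, BIND and Windows DNS all log differently), but the logic is unchanged: a one-line allow-list per device turns “this air purifier talks to a server somewhere” into a finding with a timestamp and a hostname, and an address on the IoT VLAN that nobody inventoried is itself worth a ticket.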
Company networks and intranets
While we have become more sensitive to publicly facing information, internal databases and networks are still too often seen as “safe.” It is often here that attackers have free rein: once inside the network, they can leverage their position to connect to databases, infect computers with malware or sabotage critical equipment, because little on the inside is authenticated or monitored.
Routers are among the most neglected equipment in office networks. While employee devices receive regular automatic updates and servers get attention, routers are rarely inspected and often run firmware that is never updated. Yet all company traffic passes through them, and anybody in control of a router can intercept, inject or alter unencrypted traffic, and can redirect even encrypted traffic by tampering with DNS or routing, whether it is bound for the internet or for other internal devices.
A good VPN router is not hard to come by, but price differences between models can be immense and their benefit is not obvious to the buyer or operator. More important than price is whether the vendor still ships firmware updates for the model, and whether someone in the organisation is responsible for applying them and for changing the default administrative password.
Reliance on third-party hosting providers
Among the biggest threats to an organisation’s privacy is the widespread use of hosted services for email, chat, and file management.
While a few years ago it was still relatively common, at least for large organisations, to run their own email servers and store documents on internal servers, today third-party cloud providers are used almost exclusively. Emails, chats, documents, software code: there is almost nothing left inside the offices of many companies, and the provider, its staff, and anyone who compromises an account with the provider can reach it all.
An everlasting struggle
The way internet services and Internet of Things devices are developing runs very much contrary to the privacy and security needs of corporations, and so far there is little pushback or demand for more security-conscious services.
The most sustainable strategy for corporates may be to limit the amount of information they collect from their customers, and to host that information, along with their intellectual property, on self-maintained physical infrastructure in-house. That only helps, however, if the in-house infrastructure is patched and monitored with the same diligence a cloud provider applies; an unpatched server in a cupboard is the neglected-router problem all over again.
The author of this blog is Jack Warner, cybersecurity expert at TechWarn
About the author
Jack is an accomplished cybersecurity expert with years of experience under his belt at TechWarn, a trusted digital agency to world-class cybersecurity companies. A passionate digital safety advocate himself, Jack frequently contributes to tech blogs and digital media sharing expert insights on topics such as whistleblowing and cybersecurity tools.