As the lines between work and home environments continue to fade away, so does the separation between corporate and personal connected devices. This is exposing new cybersecurity challenges that will require a coordinated response from everyone, including home workers, says Greg Day, VP and CSO EMEA, Palo Alto Networks.
Non-business IoT flooding onto business networks
Growth in home and hybrid working is leading to consumer connected devices straying onto business networks in greater numbers. For two years now we have been tracking this trend as part of an IoT security study covering 18 countries in EMEA, APAC and the Americas.
In the 2021 study, 78% of IT decision-makers globally (among those whose organisation has IoT devices connected to its network) reported an increase in non-business IoT devices being connected to corporate networks by remote workers in the last year. In some markets, such as the USA, the figure is even higher, with 84% reporting an increase.
When you examine what kind of non-business connected things are being encountered, the variety is quite striking. Globally, the most common non-business connected devices reported are wearable medical monitors, followed by smart lightbulbs, connected gym equipment, coffee machines and game consoles; even pet feeders appear among the strangest devices being spotted. Part of the reason for this is that the rise in working from home (WFH) is coinciding with a boom in smart home kit, as well as a range of wearables for fitness and health.
Cybersecurity flaws and threats
While a roll call of unusual IoT devices might make for amusing reading, they present a growing challenge for cybersecurity teams. Attackers only need one employee to have one vulnerable device that can be exploited. Many consumer IoT devices come with poor or, sadly, no security features. Indeed, how much enterprise-grade security can you expect in a smart device that costs less than $100 (€88.59)? Likewise, the secure coding practices embraced by mature software companies are typically a lower priority, and bug fixes can be slow.
Threat intelligence teams such as our own Unit 42 are reporting attacks targeting vulnerabilities in home office kit. This included a Mirai variant attacking security flaws across a range of home IoT devices in February 2021. The greatest worry is how a compromised non-business connected device could be used to launch a more serious ransomware attack. This summer, Unit 42 revealed evidence of ransomware gangs apparently investing in tools using the eCh0raix ransomware variant to target home workers with NAS devices. The motivation for these attacks may be to use an exploited home connected device as a stepping stone in supply chain attacks on large enterprises, which can generate huge ransoms.
Consequently, consumer IoT devices could be a big problem for business, and this is something that respondents acknowledged in our study. Globally, most IT decision-makers (81%) whose organisation has IoT devices connected to its network reported that remote work during the COVID-19 pandemic resulted in an increased risk from unsecured IoT devices on their organisation's business network. For more than seven out of ten (78%), this increased risk had translated into an increase in the number of IoT security incidents.
Neither home working nor the rise in IoT devices is going to go away, so there is increased pressure to review IoT cybersecurity. Indeed, nearly all respondents to our global IoT survey (96% in 2021 and 95% in 2020) indicated that their organisation needs to improve its approach to IoT security. In 2021, 25% suggested a complete overhaul would be best.
How WFH workers can help
There needs to be a three-pronged approach, with beefed-up IoT cybersecurity starting at home.
Organisations need to both educate and mandate their WFH staff to raise the bar of home cybersecurity hygiene, starting with their router. Basic instructions should include changing default security settings and then encrypting the home Wi-Fi network by updating the router's settings to either WPA3 Personal or WPA2 Personal. WFH workers should also be tasked with auditing what is connected and disabling any devices not in regular use.
There is another step that should be taken. WFH employees should also use the network segmentation (guest network) feature found in the firmware of most Wi-Fi routers. This lets users keep separate networks: one for guests and IoT devices, and one used for corporate purposes.
Network segmentation is key to good overall cyber hygiene, in the enterprise and at home. According to the IoT survey, 51% of IT decision-makers (who have IoT devices connected to their organisation's network) indicated that IoT devices are segmented on a separate network from the one they use for primary business devices and business applications (e.g. HR system, email server, finance system). However, it is worrying that a relatively large number of global IT decision-makers (one in five) admit IoT devices are not segmented from the network used for primary devices and key business applications. In some markets, such as the UK, the results are even worse, with one in three admitting no segmentation at all.
Finally, organisations must step away from the hub-and-spoke connection model, where everything goes through one security pipe and home workers connect back into the business via VPN. In today's diverse connected ecosystem, one-size-fits-all security simply doesn't work. All too often users look for the OFF switch on their VPN to get core business services such as conferencing working. In a world of working anytime, anyplace, with everything, edge cybersecurity has to become contextually aware, allowing appropriate security that is transparent to the user and optimises the experience, so they don't feel the need to turn it OFF.
Applying zero trust
The other strand of strengthened IoT cybersecurity lies within the enterprise itself and how rogue IoT devices are policed and prevented from connecting to the network.
Organisations should be using least-privilege access policies to stop unauthorised devices from connecting to their networks, allowing only approved devices and users to access what is necessary. Applying Zero Trust is the best way to ensure that these devices do not create data exposure or negatively impact business continuity.
For IoT security specifically, organisations need a real-time monitoring solution that continuously analyses the behaviour of network-connected IoT devices. The aim is to know the unknowns: to discover exactly which devices are connected to your network, including those you are and are not aware of and those long forgotten. The inventory of IoT assets can then be combined with existing firewall investments to automatically recommend and enforce security policies, based on the level of risk and the extent of untrusted behaviour detected in those devices. A point solution can extend the corporate network and bring unified security policy management and secure access service edge (SASE) to WFH employees: this is how you enable context-aware security.
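As an added illustration (not the article's own code, nor any Palo Alto Networks product), a small Python sketch of the inventory-then-policy loop described above: every device seen talking on the network is discovered from constructed flow records, checked against an approved asset list, scored on untrusted behaviour, and mapped to a recommended action. The addresses, MACs, risky-port list and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample data (no real devices or traffic). Addressing is an assumption:
# business apps (HR, email, finance) live on 10.10.0.0/24, the segregated IoT VLAN on 10.20.0.0/24.
BUSINESS_PREFIX = "10.10.0."
INTERNAL_PREFIXES = ("10.10.0.", "10.20.0.")
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb"}  # plaintext or lateral-movement protocols

# Approved asset register: MAC -> hostname. Anything else is an unknown device.
APPROVED = {"aa:bb:cc:00:00:01": "laptop-hr-01"}

# Flow records as (src_mac, dst_ip, dst_port, bytes). 203.0.113.8 is a documentation-range
# address standing in for an external host.
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.10.0.5", 443, 5000),     # approved laptop -> HR app over TLS
    ("de:ad:be:ef:00:01", "10.20.0.1", 53, 300),       # smart bulb doing DNS inside the IoT VLAN
    ("de:ad:be:ef:00:02", "10.10.0.9", 445, 80000),    # coffee machine reaching a file server
    ("de:ad:be:ef:00:03", "203.0.113.8", 23, 120000),  # unknown device sending telnet externally
]


def build_inventory(flows):
    """Discover every device that has sent traffic, known or not, keyed by MAC."""
    inventory = defaultdict(lambda: {"dst_ips": set(), "dst_ports": set(), "bytes": 0})
    for mac, dst_ip, dst_port, nbytes in flows:
        inventory[mac]["dst_ips"].add(dst_ip)
        inventory[mac]["dst_ports"].add(dst_port)
        inventory[mac]["bytes"] += nbytes
    return dict(inventory)


def assess(inventory, approved=APPROVED):
    """Score each device's untrusted behaviour and map the score to a policy action."""
    verdicts = {}
    for mac, entry in inventory.items():
        score, reasons = 0, []
        if mac not in approved:
            score, reasons = score + 1, reasons + ["not in asset register"]
            if any(ip.startswith(BUSINESS_PREFIX) for ip in entry["dst_ips"]):
                score, reasons = score + 2, reasons + ["unapproved device reached business segment"]
        risky = sorted(RISKY_PORTS[p] for p in entry["dst_ports"] if p in RISKY_PORTS)
        if risky:
            score, reasons = score + 2, reasons + ["risky protocol: " + ",".join(risky)]
        if any(not ip.startswith(INTERNAL_PREFIXES) for ip in entry["dst_ips"]):
            score, reasons = score + 1, reasons + ["talks to external host"]
        # Score 0: leave alone; 1-2: confine to the IoT VLAN; 3+: cut off pending investigation.
        action = "allow" if score == 0 else ("restrict-to-iot-vlan" if score <= 2 else "quarantine")
        verdicts[mac] = {"score": score, "action": action, "reasons": reasons}
    return verdicts
```

In a real deployment the flow records would come from the firewall or a network sensor, and the actions would be pushed back to it as policy rather than returned as a dictionary.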
Don’t wait for a legal solution
Ultimately, the security risks of any IoT device may be mitigated by a wave of new regulations requiring manufacturers and distributors to build in stronger security in the first place. Yet these laws, in the EU and in countries such as the UK, are only at an early stage and are unlikely to have any real impact for several years. The onus for improved IoT security will lie on the shoulders of employees and their organisations.
Considering how important IoT devices have become to how we work and play, it is time for organisations to shift the way they have traditionally responded to cybersecurity and create a culture of proactive cyber health that extends from the C-suite to all employees. This shift will enable the investment and focus on cyber hygiene practices that will help thwart cyber-attacks and reduce the potential impact of a cyber incident arriving via an innocent business or personal connected device.
The author is Greg Day, VP and CSO EMEA, Palo Alto Networks.