Getting on top of the home worker IoT security challenge

Greg Day of Palo Alto Networks

As the lines between work and home environments continue to fade away, so does the separation between corporate and personal connected devices. This is exposing new cybersecurity challenges that will require a coordinated response from everyone, including home workers, says Greg Day, VP and CSO EMEA, Palo Alto Networks.

Non-business IoT flooding onto business networks

A growth in home and hybrid working is leading to consumer connected devices straying onto business networks in greater numbers. For two years now we’ve been tracking this trend as part of an IoT security study covering 18 countries in EMEA, APAC and the Americas.

In the 2021 study, 78% of IT decision-makers globally (among those whose organisation has IoT devices connected to its network) reported an increase in non-business IoT devices connecting to corporate networks by remote workers in the last year. In some markets like the USA, the reports are even higher with 84% saying there had been an increase.

When you examine what kind of non-business connected things are being encountered, the variety is quite striking. Globally, the most common non-business connected devices reported are wearable medical monitors, followed by smart lightbulbs, connected gym equipment, coffee machines and game consoles; even pet feeders are among the strangest devices being spotted. Part of the reason for this is that the rise in working from home (WFH) habits is coinciding with a boom in smart home kit, as well as a range of wearables for fitness and health.

Cybersecurity flaws and threats

While a roll call of unusual IoT devices might make for amusing reading, they do present a growing security challenge for cybersecurity teams. Attackers only need one employee to have one vulnerable device that can be exploited. Many consumer IoT devices come with poor or, sadly, no security features. Indeed, how much can you expect an enterprise-grade level of security in a smart device that costs less than $100 (€88.59)? Likewise, the good coding practices embraced by mature software companies are typically a lower priority, and bug fixes can be slow.

Threat intelligence experts like our own Unit 42 team are reporting attacks targeting vulnerabilities in home office kit. These included a Mirai variant attacking security flaws across a range of home IoT devices in February 2021. The greatest worry is how a compromised non-business connected device could be used to launch a more serious ransomware attack. This summer, Unit 42 revealed evidence of how ransomware gangs seemed to be investing in tools using the eCh0raix ransomware variant to target home workers with NAS devices. The motivation for these attacks may be to use an exploited home connected device as a stepping stone in supply chain attacks on large enterprises that can generate huge ransoms.

Consequently, consumer IoT devices could be a big problem for business; this is something that respondents acknowledged in our study. Globally, most IT decision-makers (81%) whose organisation has IoT devices connected to its network reported that remote work during the COVID-19 pandemic resulted in an increased risk from unsecured IoT devices on their organisation’s business network. For more than seven out of ten (78%) this increased risk had translated into an increase in the number of IoT security incidents.

Neither home working nor the rise in IoT devices is going to go away so there is increased pressure to review IoT cybersecurity. Indeed, nearly all the respondents (96% in 2021 and 95% in 2020) to our global IoT survey indicated that their organisation needs improvement in their approach to IoT security. In 2021, 25% suggested a complete overhaul would be best.

How WFH workers can help

There needs to be a three-pronged approach, with beefed-up IoT cybersecurity starting at home.

Organisations need to both educate and mandate their WFH staffers to raise the bar of home cybersecurity hygiene standards, starting with their router. Some basic orders should include changing default security settings and then encrypting the home network by simply updating router settings to either WPA3 Personal or WPA2 Personal. WFH workers should also be charged with auditing what is connected and disabling any devices not in regular use.

There is another step that should be taken. WFH employees should also leverage the micro-segmentation feature that is usually found in the firmware of most Wi-Fi routers. This allows users to keep separate networks, one for guests and IoT devices and one used for corporate purposes.
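The audit and segmentation steps above can be checked together. The following is an added example, not part of the original article: it reads a router's DHCP lease list and flags devices that sit on the wrong side of the work/IoT split. The subnets, the MAC allowlist and the lease lines (in the layout dnsmasq writes to its lease file) are all constructed assumptions.

```python
import ipaddress

# Assumed home layout (hypothetical addressing): one segment for work,
# one for guests and IoT devices, as the article recommends.
WORK_NET = ipaddress.ip_network("192.168.10.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")

# Hypothetical allowlist: MAC addresses of employer-issued devices.
APPROVED_WORK_MACS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}

# Constructed sample leases: expiry-epoch MAC IP hostname client-id
SAMPLE_LEASES = """\
1700003600 02:00:00:aa:00:01 192.168.10.21 work-laptop *
1700003600 02:00:00:bb:00:07 192.168.10.45 smart-bulb *
1700003600 02:00:00:bb:00:09 192.168.20.12 pet-feeder *
1700003600 02:00:00:aa:00:02 192.168.20.30 work-phone *
1700003600 02:00:00:bb:00:0c 192.168.1.50 game-console *
"""

def parse_leases(text):
    """Return (mac, ip, hostname) tuples, skipping blank or malformed lines."""
    devices = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _, mac, ip, hostname = fields[:4]
        devices.append((mac.lower(), ipaddress.ip_address(ip), hostname))
    return devices

def audit(devices):
    """Flag devices whose segment does not match their approval status."""
    findings = []
    for mac, ip, host in devices:
        approved = mac in APPROVED_WORK_MACS
        if ip in WORK_NET and not approved:
            findings.append((host, "unapproved device on work network"))
        elif ip in IOT_NET and approved:
            findings.append((host, "work device on guest/IoT network"))
        elif ip not in WORK_NET and ip not in IOT_NET:
            findings.append((host, "device outside both segments"))
    return findings

if __name__ == "__main__":
    for host, issue in audit(parse_leases(SAMPLE_LEASES)):
        print(f"{host}: {issue}")
```

MAC addresses can be randomised or spoofed, so a check like this supports the audit step but is not an access control in itself.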

Network segmentation is key to good overall cyber hygiene in the enterprise and at home. According to the IoT survey, 51% of IT decision-makers (who have IoT devices connected to their organisation’s network) indicated that IoT devices are segmented on a separate network from the one they use for primary business devices and business applications (e.g., HR system, email server, finance system). However, it is worrying that a relatively large number of global IT decision-makers (one in five) admit IoT devices are not segmented on a separate network from the one they use for primary devices and key business applications. In some markets, like the UK, the results are even worse, with one in three admitting no segmentation at all.

Finally, organisations must step away from the hub-and-spoke connection model, where everything goes through one security pipe and where home workers connect back into the business via VPN. In today’s diverse connected ecosystem, one-size-fits-all security simply doesn’t work. All too often users look for the OFF switch on their VPN to enable core business services such as conferencing. In the work-anytime, anyplace, with-everything world, edge cybersecurity has to adapt to being contextually aware, to allow appropriate security that is transparent to the user and optimises the experience, so they don’t feel the need to then turn it OFF.

Applying zero trust

The other strand of strengthened IoT cybersecurity lies within the enterprise itself and how rogue IoT devices are policed and prevented from connecting to the network.

Organisations should be using least-privilege access policies to stop unauthorised devices from connecting to their networks. They should only allow approved devices and users to access what is necessary. Leveraging Zero Trust is the best way to ensure that these devices won’t create data exposure or negatively impact business continuity.

For IoT security specifically, organisations need a real-time monitoring solution that continuously analyses the behaviour of network-connected IoT devices. This seeks to know the unknowns, discovering the exact number of devices connected to your network, including the ones you are and are not aware of and those forgotten. The inventory of IoT assets can then leverage existing firewall investments to automatically recommend and enforce security policies. These would be based on the level of risk and the extent of untrusted behaviour detected in those devices. A point solution can extend a corporate network and bring unified security policy management and secure access service edge (SASE) to WFH employees: this is how you enable contextually aware security.

Don’t wait for a legal solution

Ultimately, the security risks of any IoT device may be mitigated by a wave of new regulations to make manufacturers and distributors build in stronger security in the first place. Yet these laws, in the EU and countries like the UK, are only at an early stage and are unlikely to have any true impact for several years. The onus for improved IoT security will lie on the shoulders of employees and their organisations.

Considering the importance of IoT devices to how we work and play, it’s time for organisations to shift the way they have traditionally responded to cybersecurity and create a culture of proactive cyber health that extends from the C-suite to all employees. This shift will enable the investment and focus on cyber hygiene practices that will help thwart cyber-attacks and reduce the potential impact of a cyber incident via an innocent business or personal connected device.

The author is Greg Day, VP and CSO EMEA, Palo Alto Networks.
