Companies are finally coming around when it comes to investing in better cyber security. They are securing email and computers, subscribing to more secure software, and backing up data to the cloud. But one concerning area is often overlooked: the internet-of-things (IoT) devices used in the office environment. All of the digital bells and whistles that are intended to improve both productivity and quality of life in the workplace are modern gateways for cyber criminals. When these devices are compromised, hackers may be able to gain access to your entire network. Below we have detailed the most vulnerable devices so that you can assess your business risk and take action.
Ironically, security cameras are a hot target for cyber criminals. In monitoring the sanctity of sensitive areas, they allow hackers to do the same (when compromised). GDPR Report identifies Internet Protocol (IP) cameras as being the most vulnerable, given that they receive control data and send image data over the internet. Nearly half of all IoT attacks are on IP cameras, and the fault unfortunately lies with the purchase decision. To hackers, cheap IP camera models are easy to find and hijack to carry out DDoS attacks. By replacing cheap models and investing in state-of-the-art security cameras that address common vulnerabilities, you will mitigate this major risk.
Virtual assistants and smart speakers are supposed to make our lives easier, but when introduced into the corporate environment your voice may carry through to the ears of a hacker. Beyond eavesdropping, cyber criminals may be able to remotely access these devices and perform all sorts of mischief. In a recent article by Digital Trends, one well-known hacker reports that when access is gained, features connected to safety devices such as locks and alarms can be compromised. Be sure to keep your router firmware up to date, secure your WiFi network with a strong password, and use a security protocol, such as WPA2, to further protect your network and ensure IoT device compatibility. In the end, it may be better to leave Google Home and other voice assistants at home to keep your office environment safe.
A compromised HVAC system can do much more than make internal air quality uncomfortable for staff and visiting clients. If you have an on-premises server, for instance, a cyber criminal can adjust temperatures to overheat your server room and shut down operations. But it can be even worse. A few years ago, retail giant Target was breached through its internet-connected HVAC system. Cyber criminals accessed login credentials belonging to a company that provided Target with HVAC services. Hackers used those credentials to gain access to the retailer’s payment systems. Secure all credentials, and when using a third-party provider, make sure there is no connection between your IT systems and the login data they have.
Your company needs lighting to maintain operations, especially if customers are on-premises. In some cases lighting is critical, such as within health and medical facilities. A blackout can do extreme harm, and hackers know this, forcing a blackout to continue until you pay a ransom. Unfortunately, in the grand scheme of things, responsibility for cyber security here lies with power generation, transmission, and distribution companies. It will be in your best interests to find out what security measures they are taking, to ensure processes are in place for vendor incident notification, and to make sure they don’t hold credentials that can be used to access your other IT systems (as in the HVAC scenario above).
There are other IoT lighting concerns. For instance, VICE recently ran an article regarding a popular internet-connected lightbulb that you may find in many office environments. A known hacker reported that when they accessed a smart lightbulb, they removed the bulb’s main chip and then connected it to another chip, which allowed them to interface with the bulb’s hardware through a USB port. Surprisingly, they found that Wi-Fi credentials were stored in plaintext in the lightbulb’s memory. Failure in manufacturing aside, this could have been prevented if Wi-Fi credentials were encrypted and security settings verified. When it comes to IoT and your network, assume nothing is safe, even a lightbulb.
That seemingly harmless smart TV in your company break room can be problematic when it’s connected to any computer in the office where data and credentials are accessible. It is not uncommon to walk into an office where a staff computer is streaming content onto a smart TV via Google Chrome or another application. If that same computer is also used for email communications and to store documents, a hacker can sneak through. Disconnect all business-use devices from your smart TV.
Conclusion: In 2020 and beyond, you must look at every digital tool in your office as a channel for cyber criminals. Moving forward, vet all IoT devices for security and avoid purchasing those that do not allow you to change passwords. In addition, secure all IoT devices with an additional authentication factor and run them on separate networks so that they do not connect to sensitive company data and communications.