Managing hidden risks in your office

Does the fridge in your office really need to communicate with you over the internet?

Whether you are working from home or working in an office, there may be internet-enabled devices around you that you’ve not considered in your cyber security risk assessment. The number of devices that are (or could be) connected to the internet continues to grow—and sometimes things are internet-enabled that may be surprising.

Apart from the obviously internet-enabled things in your office—your smartphone, your tablet or laptop—what other devices could there be?

The Internet of Things (or IoT) refers to a network of physical objects that contain:

  • sensors that can monitor temperature, movement, or other change in their environment
  • actuators that respond to the signals from the sensors
  • network connectivity so they can communicate over a network with a controlling system.

These IoT objects might be part of the same system (such as utility control systems) or unrelated to each other (perhaps a fitness tracker and a smart doorbell).

Most of these IoT devices are easily recognized, having been deliberately installed by management as part of the day-to-day operations of your business. Many industry sectors use IoT devices routinely in operations (healthcare, agriculture, waste and water management, logistics, fleet management…), but there are at least two groups of IoT devices that might be in your office without being noticed.

  1. Devices installed by the landlord of your premises. Is the thermostat programmable remotely and managed by an app—or the dishwasher? Maybe the vending machines, the coffee maker, the access control system or the smart speakerphone and digital whiteboard in the shared meeting rooms.
  2. Personal devices brought in by your employees, such as the fitness tracker they are wearing on their wrist, or the smart speakers they’ve set up by their desk—even their pacemaker.

Then there are the extra devices that you might have installed to enhance life in the office: a smart TV to keep visitors entertained while they wait, or a water cooler. At home, you might have a robot vacuum or lawn mower, a Ring doorbell, a baby monitor, internet-enabled toys, a smart assistant or… the list gets longer all the time.

These devices are all intended to make our lives easier, but they do come with cyber security risk. 

  • The software in IoT devices is unlikely to be regularly updated, even if that were possible. This means that it may become increasingly vulnerable to attack.
  • An IoT device could be hacked into, giving the hacker access to your network and therefore (potentially) to sensitive data or to your IP, or giving them the ability to take down your business operations by changing the settings. Any smart device could serve as an entry point to the network.
  • Some of the data collected by IoT devices is stored online—and the data has, in some cases, been shared with other people for malicious or criminal purposes.
  • The IoT devices may give rise to compliance issues as data protection and privacy regulations emerge.

Reducing the risk

While it’s not easy, there are things you can do to reduce the risk from your IoT devices:

  • Identify all IoT devices in use.
  • If you can, change the default login and password on any IoT device installed on your network.
  • Segment your network and ensure that devices can only communicate with other devices in the same segment—shield your sensitive information by storing it in its own area.
  • Don’t connect IoT objects that don’t need connectivity. That fridge… do you actually use the connectivity?
  • If possible, restrict the software and computing power on each device to only what is necessary.
  • Think about your policy around employees’ (and visitors’) personal IoT devices.
  • Apply software updates wherever and whenever possible.
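
One way to check the first and third points above against real traffic, as an added example that is not part of the original article: the script maps each address in a flow log to a planned network segment, then flags traffic that crosses segments and devices that are not in the plan at all. The segment names, subnets and flow records are constructed for illustration.

```python
import ipaddress

# Constructed segment plan (assumption): names and subnets are illustrative.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/24"),
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "sensitive": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed flow records (assumption): (source IP, destination IP) pairs,
# in the shape a firewall or switch flow log export might provide.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.0.1"),    # IoT device to IoT gateway: same segment
    ("10.20.0.15", "10.30.0.8"),    # IoT device reaching the sensitive segment
    ("10.10.0.44", "10.10.0.7"),    # office to office: same segment
    ("10.10.0.200", "10.20.0.15"),  # office machine reaching an IoT device
    ("192.168.1.50", "10.10.0.7"),  # source is not in any planned segment
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit_flows(flows):
    """Return findings for flows that cross segments or involve unknown devices."""
    findings = []
    for src, dst in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            # An address outside the plan is a device the inventory missed.
            findings.append(("unknown-device", src, dst))
        elif s != d:
            findings.append((f"cross-segment:{s}->{d}", src, dst))
    return findings

if __name__ == "__main__":
    for kind, src, dst in audit_flows(SAMPLE_FLOWS):
        print(f"{kind:30} {src} -> {dst}")
```

Each finding is either a firewall rule to tighten or a device to add to the inventory.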

For advice and help in putting policies and technical measures in place to help protect your organisation, please call us on 0113 733 6230, or use our contact form.