Security for IoT in the Workplace

With the Internet of Things (IoT) in the workplace comes opportunity, and with every opportunity comes risk.

23:35 23 October 2019

In the simplest terms, the more gadgets a workplace has connected, the greater the opportunity for a potential security breach to happen; it’s like leaving more doors open and unattended. There are, however, solutions.

It’s likely that many a workplace has a growing IoT influence on-site but is unaware of this; ITC equipment is bought for the office, white goods for the lunchroom, small kitchen appliances (kettles, toasters, coffee machines, etc) for each office area, security systems for the building and sensors embedded in buildings; all uncoordinated. For solutions to increased cyber threats via IoT in the workplace, experienced IT support is necessary to manage the ever-compounding complexity.

IoT Security Management Standards

In 2018, the British government published a ‘Code of Practice for Consumer IoT Security’, which provides basic guidelines for security management of IoT on a domestic level. The code of practice was developed with the assistance of the National Cyber Security Centre (NCSC). This was followed in early 2019 by globally applicable standards for IoT security as it relates to domestic ‘things’; the standards were created by the European Telecommunications Standards Institute (ETSI). There is no need to delve too deeply into ETSI, but in a nutshell it’s a European Standards Organisation, and its standards are now used the world over. So, whilst IoT is an ongoing game of strategy for hackers and IT security companies, there is standardised support. Businesses are not alone.

Take steps to build IoT security

In consultation with qualified IT support, there are steps business can take right now to enhance their cyber security, especially in relation to IoT.

Many manufacturers of OEM devices used in IoT create their devices with default usernames and passwords; the same generic usernames and passwords used for devices across the globe. In conjunction with a qualified IT company, best practice should be implemented when purchasing and initiating the device. Part of the UK Code of Conduct requires the manufacturer to build in secure updates and to publish an end-of-life policy, and all updates to be executed with the minimum of difficulty. While these are requirements from the manufacturer, there is equally an onus on the end-user, e.g. a household or SME. Whenever an update becomes available, it’s the responsibility of the end-user to initiate that update as quickly and successfully as possible; when an update becomes available but isn’t implemented immediately, a consequent security risk develops. If there’s an update – update it! Other outcomes in the code include the need for the device to be resilient to outages and for end-users to be able to modify or delete information with ease.

Working with qualified IT support, the purchase of any new devices which are to be connected should be checked against this code to ensure they meet the guidelines. Governments can generate standards for manufacturers to meet, but in the final analysis, real security is down to the individual SME utilising the IoT.

Hidden and limited devices

Many devices are hidden from view, quite naturally, for aesthetic and workplace health and safety reasons. They could be buried in skirting or embedded in ceilings - which makes sense, they are out of the way - however, from a security point of view, there’s a potential danger. A solution to this is to create a replacement plan for all IoT devices, including the hidden ones. This may seem work intensive, but it is a security threat if not done. Equally, many products have specific and narrowly defined jobs - for example, a sensor on a door which opens and closes it as people approach or pass through. However, such devices (although programmed for basic tasks) have unused capabilities and can do more. Again, working with an IT support can mitigate these potential risks to a large degree.

Other security steps

Within the organisation, there are some basic steps that can be taken to strengthen security.

Create an Uncrackable Router Password by Using Password Managers

As the Code points out, devices can come with nonspecific usernames and passwords; the same is equally true of the company wireless network. Change the router password to something which is hard to crack as soon as the router is purchased, if it has not already been changed seek help and change it. In making this uncrackable, businesses are encouraged to use a password manager; a good password manager is able to generate secure passwords. There are two elements of a password which assist in making it secure; firstly, the password should be long, the longer the better (some people advise against making passwords too long as they are difficult to remember, but with a password manager, there’s nothing to remember).

Secondly, unconnected phrases create good passwords which are known to be difficult to crack. An example of a passphrase would be ‘Greengirlsthirdgear’; the words are unconnected but together create a difficult to crack password. So, a password manager is a very useful piece of software, but if one is not used then the baseline for all passwords would be a passphrase, they can even be specific to a department, e.g. ‘yeastlevensourrise’. 

Develop Two-Tier Authentication Process for Key Systems

The other obvious precaution to take in order to minimise risk is to develop a two-tier-authentication process for the key systems. As is evident from the name, this is a procedure whereby a password is the first step, once the password has been accepted a code is sent to the user’s phone or e-mail, this is then entered in the second stage of entry. What is then ideal is a passphrase for the first part of access, and a two-factor authentication (2FA) to be used in conjunction with this.

Get Advice from IT Experts

Any SME would be advised to use experienced IT support; it’s like using a licenced plumber or qualified driving instructor – experienced and qualified is important. When purchasing a device such as smoke alarms, door locks, TVs, etc there is value in opening the package in a counter-intuitive manner. Most people tend to rip open the box, plug in and switch on; therein lies the danger. Consider taking the time to read the instructions, understand what log-ins, usernames and passwords are required to make it work and keep it secure; read the update policy. Get to know the device before someone knows you through the device!

Manage Your Data Protection

It has been suggested that IoT data output, both domestic and commercial, is around 2.5 quintillion bytes daily. A quintillion is a 1 with 18 noughts for the North Americans and 1 followed by 30 noughts for the British; however viewed, that is a tremendous amount of data. Every business, small or large, has a responsibility to manage the IoT security threats. It begins with the basics; know the devices, plan internal IoT security, take IoT security as seriously as strategy or innovation, use smart devices where necessary and where not, use the traditional device, update as soon as the update is made available and change passwords frequently.