Minimizing IoT and Personal Device Risks on Your Company Network

Internet of Things (IoT) and personal devices connected to your company network may be exploited by cybercriminals who are either searching for a way inside or looking for nodes to add to their malicious botnets. Fortunately, five practices that can be implemented fairly inexpensively will significantly reduce the security vulnerabilities associated with these connected devices.

First, identify the IoT devices

If your organization tightly controls the allocation of IP addresses on the network, a review of those active addresses would be a good starting point in the IoT device identification process. An audit of allocated addresses could reveal both managed and unmanaged IoT devices.

While compiling the list of connected devices, remember to include:
• Security cameras and scanners
• Manufacturing systems accessed via network applications
• Network-connected lighting systems and smart bulbs
• VoIP phones managed via an external PBX switching system
• Printers
• Point of sale systems
• Inventory scanning devices
• Smart thermostats

These are only examples; your network may include other kinds of connected devices.
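
As an added example (not part of the original article), the address audit described above can be scripted by comparing an export of active addresses against the asset inventory. The CSV layouts, addresses, and device names below are constructed for illustration.

```python
import csv
import io

# Constructed sample data: an export of active addresses (for example from a
# DHCP server) and the asset inventory maintained by IT.
ACTIVE_ADDRESSES = """ip,mac,hostname
10.0.20.11,00-1A-2B-3C-4D-5E,lobby-camera
10.0.20.12,00:1a:2b:3c:4d:5f,
10.0.20.13,3C:5A:B4:00:11:22,printer-2f
10.0.20.14,DA:A1:19:aa:bb:cc,
10.0.20.15,00:1A:2B:3C:4D:5E,lobby-camera
"""
INVENTORY = """mac,owner,description
00:1A:2B:3C:4D:5E,facilities,Lobby security camera
3c:5a:b4:00:11:22,it,Second floor printer
"""

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits so different notations compare equal."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True when the locally administered bit is set, which is typical of
    randomized MACs; such an address does not identify a manufacturer."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit(active_csv, inventory_csv):
    """Split active devices into managed (in the inventory) and unmanaged."""
    inventory = {normalize_mac(r["mac"]) for r in csv.DictReader(io.StringIO(inventory_csv))}
    managed, unmanaged = {}, {}
    for row in csv.DictReader(io.StringIO(active_csv)):
        mac = normalize_mac(row["mac"])
        bucket = managed if mac in inventory else unmanaged
        entry = bucket.setdefault(mac, {
            "ips": [],
            "hostname": row["hostname"],
            "randomized_mac": is_locally_administered(mac),
        })
        entry["ips"].append(row["ip"])  # one device may hold several addresses
    return managed, unmanaged
```

Unmanaged entries with no hostname or with a randomized MAC are the ones that usually need to be traced physically or through switch port information.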

Isolate the devices

Many IoT devices do not require access to the same internal network segments and resources utilized by critical components like servers, backup systems, and end-user workstations. Creating a virtual local area network, or VLAN, intended for use only by IoT devices and restricting the access privileges of devices connected to that VLAN via security policies is a good idea. Isolating IoT devices using network segmentation and security policies will significantly lessen the risk of a bad actor leveraging one of those devices to attack critical systems.

Restrict IoT Internet access

Botnets used to perpetrate distributed denial of service (DDoS) attacks or to send large volumes of spam emails are often made up of compromised IoT devices. If an IoT device cannot access the Internet, it is of no use to a botnet operator.

When IoT device access is limited to a specific VLAN as recommended above, internet access can also be denied by default to all devices on that network segment.

Network administrators may need to set up more than one VLAN for these devices, each having varying levels of access to internal and external resources. Whether this is necessary will depend on the privileges required for the devices to perform their intended functions.
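
The isolation and default-deny policy from the last two sections can be checked before it is deployed. The following added example (not from the original article) models a first-match rule list and tests whether flows an IoT device should never open would be allowed; the subnets, addresses, and the NTP exception are assumptions, and the rule format is a simplified model rather than any vendor's syntax.

```python
import ipaddress

# Constructed example: subnets, addresses and the NTP exception are assumptions.
# Rules are (action, source, destination, protocol, port); first match wins.
WEAK_RULES = [
    ("allow", "10.0.20.0/24", "0.0.0.0/0", "any", None),     # IoT VLAN can reach anything
]
HARDENED_RULES = [
    ("allow", "10.0.20.0/24", "10.0.10.5/32", "udp", 123),   # IoT -> internal NTP only
    ("allow", "10.0.10.0/24", "10.0.20.0/24", "tcp", 443),   # admin subnet -> device web UIs
    ("deny",  "10.0.20.0/24", "0.0.0.0/0", "any", None),     # default deny for the IoT VLAN
]
# Flows an IoT device (10.0.20.11) should never be able to open.
FORBIDDEN_PROBES = [
    ("10.0.20.11", "203.0.113.10", "tcp", 443),  # Internet host (documentation range)
    ("10.0.20.11", "203.0.113.10", "tcp", 25),   # outbound mail, as used for spam
    ("10.0.20.11", "10.0.10.5", "tcp", 445),     # file shares on an internal server
    ("10.0.20.11", "10.0.30.40", "tcp", 3389),   # remote desktop on a workstation
]

def decide(rules, src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow; unmatched traffic is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_src, r_dst, r_proto, r_port in rules:
        if (src in ipaddress.ip_network(r_src)
                and dst in ipaddress.ip_network(r_dst)
                and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action
    return "deny"

def isolation_gaps(rules, probes=FORBIDDEN_PROBES):
    """Return the forbidden probes that the rule set would let through."""
    return [p for p in probes if decide(rules, *p) == "allow"]
```

An empty result from `isolation_gaps` means every forbidden flow is blocked; when several IoT VLANs have different privileges, each one gets its own probe list.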

Change default passwords and apply security patches

To improve the security of the IoT devices themselves, any default passwords should be reset. If possible, the devices’ operating systems and applications should be set to update automatically or be updated manually as needed.

Develop, implement, and enforce BYOD policies

While they aren’t what you might categorize as being in the IoT family, the use of personal devices like cell phones and tablets by employees to connect to company resources has increased dramatically since the transition to remote and hybrid work models. If employees are going to be permitted to access company resources using their own personal devices, BYOD policies and usage restrictions are needed.

An effective BYOD policy should, at a minimum, include:
• Information about whether and under what circumstances employees are allowed to connect to the company network using personal devices
• Requirements for personal devices to be equipped with up-to-date antivirus/anti-malware protection and for their operating systems to be kept current
• Requirements for employees who use their devices to connect to company resources to secure them using PIN codes, biometrics, or passwords
• Restrictions against employees allowing unauthorized people to access company resources using those devices
• Information about whether employees are permitted to download company data to their personal devices and what, if any, data can be downloaded as well as whether and with whom that data can be shared

In return for allowing the use of personal devices to connect, employers may also wish to require that they be given remote access and wipe privileges so they can clear all stored data from those devices if they are lost or stolen.

Depending on regulatory requirements and other considerations, additional provisions may need to be included in your organization’s BYOD policy.

Summing up

Identifying all of the IoT devices connected to your company’s network may require some time and effort. Not all of them will be easy to identify, even if you locate the IP addresses they are using. You may find some that are no longer needed and can be eliminated.

Once you’ve found your targets and moved them to restricted access VLANs, the risks will be reduced significantly. From that point forward, ensuring that connected devices are maintained and updated as needed and that an effective BYOD policy is in place and is being enforced should make your organization a hard target for threat actors looking to leverage IoT devices.