IoT: Great Holiday Gift or Network Security Nightmare?
While the best part of the holidays is spending time with family and friends, giving or receiving a new smart device can often be the icing on the cake for people of all ages. A recent Consumer Technology Association study noted that technology sales are expected to hit $142.5 billion this holiday season – a record high from the last few years.
However, with the pandemic creating a distributed workforce where employees log onto corporate networks at home, these fun holiday gifts may be the next big network security risk – for both employees’ personal lives and corporate networks.
Companies need to better prepare for security vulnerabilities associated with the holiday season, while more broadly achieving a better understanding of how personal and corporate networks are blending in the modern work environment. To prepare, employees need to be educated on the risks smart devices bring to their home networks and IT/security leaders need to bolster their systems to ensure they remain secure while employees work from home.
Understand the IoT security risks for remote workers
Network risks are evolving. Over the last two years alone, more people have set up multiple devices that connect to a single home network, including corporate-issued computers and tablets. With so many devices already in play, and more to come as gifts this holiday season, the attack surface has grown exponentially.
The problem with connected tech holiday gifts
Some of the most popular technology gifts come equipped with Bluetooth and Wi-Fi, cameras, and geo-mapping. A popular gift, Tile-like tracking devices meant to help consumers find everyday items that are easily lost, has created conversation and speculation within the security industry over the years. But the threat has heightened, as an Apple integration now allows these types of devices – including Apple’s own AirTag – to be added and tracked on its “Find Me” feature. If compromised, an outside party could begin tracking the user’s location without their permission and monitor living patterns to exploit the information and lure them into a phishing attack or other breach.
Additionally, through a partnership with Amazon, Tile can now integrate with Alexa and other Amazon devices to detect if a Tile is nearby. With this feature, malicious actors could find any Tile in the area, hack into its GPS functionality, track its location, and notify the Tile network of its name, location, etc. within a certain radius – opening home devices to potential exploitation.
The same threats lie within additional ‘smart’ gifts. Robot vacuums, regardless of the brand, are connected to home networks and also connect to the internet – and integrate with other home automation products. This extension of connectivity creates a complex system that is more prone to attacks because it has greater potential for flaws and vulnerabilities. When you integrate a camera onto these devices, the risks only grow. Threat actors could easily monitor users’ movements to understand daily patterns and even craft a blueprint of their home.
How to solve for these vulnerabilities at home
With so many new gadgets and technology gifts on the market, many main players in this space are not doing their diligence to ensure the proper security precautions are in place – especially since it’s an unregulated industry and manufacturing companies often prioritize development over security to meet increasing demands. As you install more IoT devices and get new gadgets for the holidays, consider putting these devices on a guest network. This will separate your at-home devices from your corporate computer and technology, limiting the potential attack surface that malicious actors can exploit.
If an attack does arise, using a guest network makes it easier to track and pinpoint the exact location of the breach, while limiting the potential threat to your corporate or home network. It’s also a best practice to pick one home automation kit and standardize it across all the technology in your house so all items will seamlessly integrate into that one system.
Understand and prevent corporate network vulnerabilities
The transition to remote work, spurred by the pandemic, brought all corporate devices into employees’ homes and opened up a can of worms for potential vulnerabilities – home office networks are said to be 3.5 times more likely to be attacked than corporate networks. Further, there is currently a misconception about which systems and software can securely switch between corporate and at home networks, meaning employees have potentially opened their corporate networks to security risks dating back to when they initially took their office gear home in Spring 2020. Knowing this, how can IT and security teams prepare for the holiday gift season, where even more tech will be added to the mix?
Audit your security tools early on
To better understand, assess, and manage how employees are accessing company networks during the holidays and to work from home, companies should set up regular tests of their systems. Having a security testing program set in place – prior to the holidays – can help to identify any vulnerabilities within the corporate network quickly and efficiently. It can also open IT and security teams’ eyes to which devices are vulnerable when used at home on personal networks. It’s important for companies to understand where vulnerabilities lie and make sure their systems and devices are secure year-round, but even more so during the holidays when the majority of staff is working remotely or taking time off.
NetSPI is the leader in network penetration testing – work with our experts!
Educate!
Often, security breaches are caused by a general lack of awareness within employee bases. Corporations should develop mandatory training programs that bring potential vulnerabilities to light, and teach their workforce how to monitor, prevent and report potential dangers. Training programs should include a specific lesson on the dangers of smart devices and working on home networks – consider timing this specific training in late-November, early-December, before the holiday season kicks off.
The holidays should be a time where all employees can recharge and spend time with family, without worrying about work. The onus is on enterprises to prepare their workforce for potential IT threats, while also taking proactive measures to prevent potential vulnerabilities in their network. Smart tech gifts aren’t going away, but with proper protocols in place, IT teams, company leadership, and the broader employee network can all enjoy time off without the risk of a breach.
Explore more blog posts
Clarifying CAASM vs EASM and Related Security Solutions
Unscramble common cybersecurity acronyms with our guide to CAASM vs EASM and more to enhance attack surface visibility and risk prioritization.
Filling up the DagBag: Privilege Escalation in Google Cloud Composer
Learn how attackers can escalate privileges in Cloud Composer by exploiting the dedicated Cloud Storage Bucket and the risks of default configurations.
Bytes, Books, and Blockbusters: The NetSPI Agents’ Top Cybersecurity Fiction Picks
Craving a cybersecurity movie marathon? Get recommendations from The NetSPI Agents on their favorite media to get inspired for ethical hacking.