IoT – a paradigm shift?

Whether 2018 or 2020 is the year of the Internet of Things doesn’t matter – eventually networked devices will take over the home. This will probably happen sooner rather than later, especially with the popularity of voice-controlled assistants even in Germany  where convenience has already faced down conservatism. Visitors to the CES at the end of January were left in no doubt – devices without network connectivity can only be seen as dead on arrival, along with calorie and step trackers, even hair brushes have their own IP address. Not to mention IoT toilet roll holders and a pregnancy test.

It wouldn’t be so bad if we actually had a choice which devices are connected and when. But if the most insignificant everyday devices can be reached from anywhere in the world, the risk of software vulnerabilities outweigh the convenience. The Meltdown and Spectre drama shows that even the big players are not immune to flaws in their products. And these manufacturers have a lot of resources behind them – the situation is very different for small companies producing IoT devices. There are already plenty of IoT hacks. And even if exploits like Mirai targeted companies, they still affected private devices. Many might think that a home owner’s IP camera in their garden or a rogue toothbrush that streams live images of their mouth to a hacked server is their own responsibility and has nothing to do with their employer’s IT security.

But IT departments are waking up to the fact that boundaries are becoming even more blurred between personal and professional cyber security. What if attackers use IP cameras in an employee’s home to monitor traffic on their private network, including sensitive company data which has accidentally been leaked outside the VPN tunnel? Or perhaps an employee is using a vulnerable smart phone on a company network under a bring-your-own-device scheme? Even IoT toothbrushes could potentially be exploited to take close-up photographs for tricking biometric security measures such as Face ID.

IT security managers now have to consider IT infrastructure in employee homes in their protection strategies for the corporate network. Raising employee awareness of security risks alongside technical measures is a critical part of this. Training and raising awareness is key to developing a sustainable security culture and a solid approach to cybersecurity. Company experts must ensure that users also understand that the security precautions they take in the office also apply to their home and personal devices. For example, IT security managers could advise their employees on adjusting device and app settings such as location and data access permissions to protect themselves and the company. Professionals might moan about the extra burden but the prevalence of always on devices will inevitably lead to a greater number of attack vectors and the only way out is to reassess existing security concepts to address the IoT paradigm shift.