IoT Security Concerns - How Secure Is the Hybrid Workforce?

More Connected. More Devices. More Vulnerable.

The office has moved into the home to join a crowded network shared by family members, guests and lots of smart devices. This seismic shift to a work-from-home model has intertwined home and corporate networks. Business activities, once confined to secure offices on a corporate campus, have now shifted to the home with employees accessing business-critical data of varying value and sensitivity. To that end, Palo Alto Networks has recently conducted a study — The Connected Enterprise: IoT Security Report 2021. With the rise of remote work, we have discovered that personal IoT devices, like smart lightbulbs, heart rate monitors, connected gym equipment, coffee machines and gaming consoles, are challenging organizations’ ability to protect their data and people.

According to the survey, 78% of IT decision-makers reported an increase in non-business-related IoT devices showing up on corporate networks in the last year. The presence of vulnerable, compromised devices on corporate networks is strong evidence of poor security hygiene or failed controls, particularly on the devices in the home network. The average home faces more than 100 cybersecurity threats each month. As you'll learn below, individuals and companies are at risk due to cybercriminals taking notice.

Earlier this year, a cloud-based security camera service company suffered a major security breach that left sensitive and private video surveillance footage from its customers publicly exposed, allowing perpetrators to go as far as pivoting into corporate networks of some customer accounts. This attack demonstrates how mixing corporate IT and IoT devices on the same network can allow malware to spread from vulnerable IoT devices to the corporate IT devices or vice-versa. This makes it easy for an attacker to move laterally across devices. According to Palo Alto Networks research, which examined over 135,000 security cameras in March of 2021, 54% of the examined cameras had at least one vulnerability. Such vulnerabilities make it possible for cameras to be hijacked and subsequently weaponized by cybercriminals, setting up devices as springboards to perpetrate attacks and access broader corporate networks.

A recent home router security study (referenced by Threatpost) of more than 100 consumer-grade routers (from seven large vendors) led to an alarming discovery — nearly all tested routers had unpatched and often severe security flaws, leaving those devices and their users at risk of cyberattacks. Resourceful cybercriminals have managed to gain entry into targeted WiFi networks in surprising ways: exploiting vulnerable household and office smart devices, using them to launch ransomware attacks and more.

This discovery leads to one of the toughest questions facing business leaders today: How secure is the hybrid workforce that includes a wide range of smart, unprotected, non-business-related devices?

Many organizations made rapid investments in their IT systems and infrastructure to support work from home; however, the security chasm created in the process has not been adequately addressed.

A Closer Look at the Permanent Work-from-Home Model — A New Wave of IoT Security Concerns

New, corporate-issued IoT devices go beyond laptops and smartphones. Voice over IP (VoIP) phones, collaboration and productivity tools, such as video cameras and microphones, digital whiteboards and the like, are making their way into unmanaged home networks. These devices cannot be configured with traditional enterprise security, such as agents or virtual private networks (VPNs), and therefore do not have an adequate security posture built in at the device level.

Even in cases when employees at home have a VPN on their laptops, that security is limited to that device. If the laptop connects to an untrusted home WiFi network, it might be the target of lateral threat movement from a connected, compromised IoT device. This can then allow an attacker to make their way into the corporate network.

Employees are also increasingly using their personal devices for work, as many companies have adopted “bring your own device” (BYOD) policies. Personal devices, such as computers, phones and tablets – unequipped with proper security – also increase the risk when used for work. In addition, highly sensitive work that was usually done on corporate campuses is now happening at home. This includes executives preparing financial regulatory filings, engineers developing IP-sensitive source code and hardware, financial and legal departments conducting high-value business and contractual transactions, customer support teams collecting sensitive customer data on support calls, and government officials working with business confidential information of firms they regulate.

When working on a corporate campus, employees could badge in and IT departments could largely implement a uniform level of security for devices on that network. That is no longer always the case. Personal IoT devices, such as digital smart voice assistants, may constantly be in listening mode in untrusted home WiFi environments. Hackers can also use IoT devices to spy and eavesdrop on a company's business-critical and sensitive conversations at home.

In summary, three main challenges are creating a perfect storm of IoT security concerns arising from work at home:

  • Unmanaged Security Posture:
    Challenge: Home networks are inherently insecure with a variety of IoT devices on the network that cannot be secured by security software and policies.
    Impact: Difficulty in keeping up with threats infiltrating the enterprise through the home network.

  • Lack of Network Segmentation:
    Challenge: Breaching the home network allows hackers to establish a foothold to move laterally across the home network and potentially into the enterprise.
    Impact: Exposes corporate devices to hackers, giving them the means to compromise networks and access credentials, resources and data.

  • Lack of Network Visibility:
    Challenge: Compliance and security operations (SOC)/incident response (IR) teams lose significant visibility into activity related to work devices.
    Impact: Ineffective incident response due to lack of network audit logs.

These challenges lead to increased risk of targeted attack campaigns, putting sensitive company data and applications at risk. Navigating this new work model requires embracing an innovative security approach, one that elevates security from a device level to a network level. Security should be a strategic imperative for an enterprise, no matter where its employees are working from.

Securing Work-from-Home Starts at Home

This is what inspired the development of Okyo Garde™, designed with these evolving challenges in mind. Okyo Garde delivers enterprise-grade security with consumer simplicity, securing the home network in ways that today’s world demands. It’s one solution that helps protect all devices on your network, whether you’re an employee working from home, a small business owner at your location or someone looking to protect your family.

Okyo Garde delivers security that’s prevention-focused, architecturally robust and built on the principles of Zero Trust to secure employees’ home networks:

  • Device Discovery and Segmentation of Home Networks: Identify and classify all devices in the home with visibility into type [e.g., home automation, audio/video equipment, Network Attached Storage (NAS), laptops, gaming, health devices, printers], make and model. Okyo Garde isolates corporate devices from personal devices, securing all devices in the home, including IoT. Okyo Garde also ensures secure communications between authorized devices, limiting lateral movement.
  • Enforce Data-Driven Security Controls: Stop malware downloads, detect infected devices and block communication between infected devices and attackers. Block access to known phishing and malicious source servers and URLs by leveraging cloud-delivered threat intelligence by Palo Alto Networks.
  • Extend Zero-Trust Security In the Home: Your security strategy should align with the principles of Zero Trust to enforce policies for least-privileged access control to stop unauthorized devices from connecting to your corporate networks. Extend the trusted enterprise segment into the home to deliver a secure campus-like experience for work-from-home employees.

What does it take to provide access and security for modern organizations, especially when the home has become the new security frontier?

Find out at Ignite ’21 (November 15th-18th), where you can learn from cybersecurity experts from around the world on ways to help cybersecurity teams stay prepared for what’s next. Join us for the session Okyo Garde: Securing the Enterprise by Securing Work-from-Home, where Mike Jacobsen, VP Product Management for Okyo, shares how Okyo Garde delivers enterprise-grade security to the home to protect employees and enterprises as employees work from home.