An assortment of smart gadgets has dominated the holiday gift-giving season. Some of the most popular are smartphones, smart speakers, smart TVs, and wearables. And while these gizmos bring joy to their recipients, employees will return to work in the new year with their new devices in tow, causing potential liabilities for businesses.
IoT devices have added a layer of complication to bring-your-own-device (BYOD) policies and introduced a new breed of security risk into organizations. Employees have long felt free to conduct business using their personal mobile devices and increasingly don’t think twice about putting a smart speaker in their office or hooking their smartwatch into the company Wi-Fi.
However, despite widespread publicity regarding the security risks posed by unregulated BYOD devices, many companies still aren’t paying attention. In fact, according to a recent GetApp small business survey, 58 percent of respondents said that their company does not have a BYOD policy governing whether employees can access company data with personal devices.
In this article, we’ll consider the vulnerabilities that the 2018 holiday season’s most popular smart devices pose to small and midsize businesses (SMBs). We’ll also offer ways you can develop a BYOD policy and mitigate the risks of IoT devices.
Risky gadget gift #1: Smart speaker
Examples: Amazon Echo, Google Home
Also known as digital assistants, smart speakers are everywhere. A battle for dominance is underway between Apple’s Siri, Amazon’s Alexa, Microsoft’s Cortana, and Google’s nameless assistant. According to a recent survey, smart speakers were one of this year’s top three most wanted tech gifts.
In addition to playing music and telling you the weather, smart speakers include productivity tools that allow you to make calendar appointments or create to-do lists. They also support numerous third-party apps that integrate thousands of other skills.
What are the risks?
Privacy is the top concern for smart speakers. When active, smart speakers record everything spoken in their presence, which can be problematic in a business environment. Smart speakers have been known to misinterpret commands and inexplicably send voice files to inappropriate recipients.
Further illustrating how smart speakers can be manipulated, in 2017 Burger King created a series of television ads that intentionally and successfully triggered Google Home devices.
This could be a nightmare for a business where people feel free to discuss proprietary information. With the Amazon Echo Dot available starting at $29.99, smart speakers are becoming ubiquitous, meaning that businesses need to develop risk mitigation plans now.
Smart speakers typically include a mute button, and there’s no reason not to use it when the device is not in use. Furthermore, Amazon allows the deletion of all voice recordings and Google Home includes options that can improve privacy.
Risky gadget gift #2: Smart TV
Examples: Vizio P-Series, TCL Roku
Smart TVs are dominating the television market and are expected to finish 2018 with 70 percent of total sales. Popular smart TV features include streaming online video, universal program guides, voice control, entertainment apps, and web browsers.
These TVs are found not only in the home, but also in board rooms, meeting rooms, and break rooms. Employees can easily share presentations or set up video chats using smart TVs.
What are the risks?
The primary concern is excessive data collection. During setup, most smart TVs require the user to agree to manufacturer and third-party application data collection practices, which can cover viewing habits, voice information, and internet activity.
For example, many smart TVs employ a technology known as automatic content recognition (ACR). Advertising companies pay TV manufacturers to install their software, which recognizes and tracks what is being viewed on a television at the pixel level.
This recognition can occur whether the video source is over the air, through the internet, or even a video game. This data is combined with information obtained from other devices to build user profiles and perform data analytics.
ACR is used to make recommendations and target advertisements, but some feel that the practice goes too far. For instance, advertisers can conceivably determine if you visited their website on your smartphone after seeing their commercial on a smart TV.
This might not be what you thought you were signing up for. Although you will lose some functionality, data collection features such as ACR can be disabled on most smart TVs. In a business situation, this feature isn’t worth the potential privacy risk.
Data collection isn’t the only risk. Smart TV application program interfaces (APIs) are also vulnerable to hacking. Additionally, the nonstandard and infrequently updated web browsers included with smart TVs are far less secure than their computer-based counterparts. Users should refrain from conducting financial transactions or transmitting sensitive information through a smart TV application or web browser.
Risky gadget gift #3: Wearable device
Examples: Smartwatches, fitness trackers
Fitness trackers and smartwatches have driven the mainstream adoption of wearable technology, and the likes of smart glasses, smart fabrics, and even smart shoes loom on the horizon.
What are the risks?
Fitbit’s fitness tracker is popular with corporate wellness programs. For that reason, the company has taken security seriously with regular firmware updates, data sharing best practices, and a bug-bounty program offering rewards to researchers who identify security flaws. They have also assured companies that their devices are HIPAA compliant.
However, Fitbit has not been immune from cyberattacks, and many of the other companies in the wearables space don’t share Fitbit’s high security standards. Wearables often allow unlimited login attempts, use unencrypted data storage, and rarely support multifactor authentication.
Wearables manufacturers have also experienced hacks. For example, in early 2018, Under Armour revealed a massive data breach affecting 150 million users of MyFitnessPal, a fitness app commonly used with smartwatches.
Wearables also typically track the location of the user. Depending on the business, exposure of this information could negatively impact operations strategy. To illustrate, smartwatch app Strava became embroiled in a controversy earlier this year when the positions of U.S. soldiers were exposed on a map showing the location of all app users, thus exposing a secret Army base.
Risky gadget gift #4: Mobile device
Examples: Smartphones, tablets, laptops
Lots of people want a new mobile device for the holidays, whether it’s a new smartphone or a next-gen tablet. Using personal devices for work has been found to increase employee satisfaction, and helps them to get their jobs done anywhere and at any time. That said, you’re probably going to do some work on these devices to ensure they’re secure to use in the workplace.
What are the risks?
First of all, loss or theft of an unlocked BYOD device can result in a data breach. Another common concern is data leakage, which involves the inadvertent compromise of company data, such as uploading a confidential report to an insecure cloud service or posting a selfie taken in front of a product release schedule.
Employees must also be aware of their use of regulated data on personal devices and strive to maintain compliance with regulations such as PCI, HIPAA, and GDPR.
While you can’t prevent employees from shopping on sketchy websites or leaving their smartphone in an Uber, you can educate them about simple ways to reduce risk to company data.
BYOD policy: Making a list and checking each device
Small businesses must adopt sensible BYOD policies to gain control over the influx of personal devices in the workplace. Companies might also consider the adoption of device management software.
Develop a formal BYOD policy
A BYOD policy instructs employees on the responsible use of company systems and data on personal devices and holds them accountable with a signed agreement indicating full understanding of the policy. It also sometimes involves software that manages each personal device’s network access. BYOD policies can stand alone or be incorporated into the organization’s acceptable use policy (AUP).
BYOD policies can include any or all of the following elements:
| Policy element | Description |
|---|---|
| Eligibility | Which employees may or may not participate in the BYOD program |
| Device type | Which types of devices are and aren’t allowed. Be sure to exclude jailbroken devices. |
| Device management software | Users must allow the installation of device management software |
| Reporting | Users must report lost or stolen devices immediately so company data can be remotely wiped |
| Authentication | Devices must lock automatically and multifactor authentication must be used when available |
| Reimbursement | Companies should pay a stipend for participation in the BYOD program and encourage adherence to the policy |
| Discovery | Employee must turn over the device if data is sought in response to a legal request |
| Disciplinary action | Noncompliance with the policy should result in disciplinary actions including termination |
Mobile device management
For many years, the first response to BYOD risks was to implement a mobile device management (MDM) solution. If the device is lost or stolen, MDM software can help track it down, lock it, or wipe its internal memory. This works well for controlling business data but can be problematic when it comes to personal data stored on an employee-owned device.
Mobile application management
Mobile application management (MAM) technology is concerned with administering business applications rather than governing the device itself. Employees are able to access company email, communication tools, and other business applications on their personal device under the purview of IT. Applications can be patched or removed remotely.
Enterprise mobility management
Enterprise mobility management (EMM) is a comprehensive BYOD solution that combines elements of MDM and MAM into a single platform. EMM solutions typically feature enhanced user authentication.
Unified endpoint management
Gartner predicts that 80 percent of computing tasks will take place on a mobile device by 2020 (report available to clients). With this in mind, companies must find a solution to manage these increasingly multifaceted endpoints.
Unified endpoint management (UEM) is a holistic approach for securing corporate and BYOD devices across the entire network, including PCs, mobile devices, and the IoT.
Maintaining different applications and management systems for desktops, company-issued devices, BYOD devices, and IoT devices is inefficient. In the future, companies will endeavor to simplify endpoint management by monitoring all network endpoints from a single tool.
Smart device security: Locking down the IoT
Common security vulnerabilities of IoT devices include:
- Weak security protocols: IoT devices are typically designed with security as an afterthought. Even devices as seemingly innocuous as smart light bulbs sometimes store Wi-Fi credentials in unencrypted flash memory—so think twice before tossing burnt-out smart bulbs in the company trash can.
- Susceptibility to malware: IoT devices can be affected by malware just as any other computing device. According to a recent Kaspersky study, more than 120,000 instances of malware were discovered in IoT devices during the first half of 2018 alone, more than triple the amount found during 2017.
- Default passwords: Many IoT devices ship with default usernames (e.g., admin) and passwords (e.g., 11111). IoT devices with insecure credentials are easily found by IoT search engine Shodan and are vulnerable to brute force attacks, botnets, and cryptojacking.
- Data aggregation: IoT devices are often designed to vacuum up as much data as possible. And while consumers might be fine with trading personal data for convenience, the trade-off is different for businesses that traffic in proprietary information.
- Privacy concerns: Many IoT devices have microphones, cameras, and other data-collecting features that can inadvertently compromise sensitive business information.
SMBs should consider whether the utility offered by a particular IoT smart gadget is worth the risk it brings to the company. Lock down IoT devices by changing default credentials, restricting data collection features, and disabling devices when not in use.
Consider relegating some smart devices to a secure guest Wi-Fi network or design a network specifically for non-business smart devices to ensure separation from those that carry sensitive data.
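The lock-down steps above can be checked against a device inventory. The following is an added example, not part of the original article; the subnets, CSV column names, device-type labels, and sample rows are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumed network layout (hypothetical): a business VLAN and a separate IoT/guest VLAN.
BUSINESS_NET = ipaddress.ip_network("10.0.10.0/24")
IOT_NET = ipaddress.ip_network("10.0.50.0/24")

# Device classes the article treats as non-business smart gadgets (labels are assumed).
SMART_TYPES = {"smart_speaker", "smart_tv", "wearable", "smart_bulb"}

# Constructed sample inventory, e.g. as exported from a DHCP server or asset list.
SAMPLE_INVENTORY = """\
name,type,ip,default_creds,data_collection
breakroom-tv,smart_tv,10.0.10.41,no,on
lobby-speaker,smart_speaker,10.0.50.12,yes,on
conf-tv,smart_tv,10.0.50.20,no,off
hr-laptop,laptop,10.0.10.7,no,off
mystery-bulb,smart_bulb,192.168.1.5,no,off
"""

def audit(inventory_csv):
    """Return {device name: [findings]} for devices that break the guidance."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        addr = ipaddress.ip_address(row["ip"])
        smart = row["type"] in SMART_TYPES
        # Segmentation: smart gadgets belong on the IoT/guest network only.
        if smart and addr in BUSINESS_NET:
            issues.append("smart device on business network")
        elif smart and addr not in IOT_NET:
            issues.append("smart device on unknown network")
        if not smart and addr in IOT_NET:
            issues.append("business device on IoT network")
        # Credentials: factory usernames/passwords must be changed.
        if row["default_creds"] == "yes":
            issues.append("default credentials not changed")
        # Data collection (e.g. ACR, always-on microphone) should be restricted.
        if smart and row["data_collection"] == "on":
            issues.append("data collection features enabled")
        if issues:
            findings[row["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(issues)}")
```
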
It’s beginning to look a lot like business
According to Gartner, office workers typically use three mobile devices during the work week. That number is expected to increase to five devices per week by 2020, including wearables (report available to clients). Taking basic precautions with IoT devices and developing a formal BYOD policy will go a long way toward shoring up your company’s data security and preparing it for a future where smart devices will be ubiquitous.
This article is part of an ongoing series about the business value of IT
GetApp’s data privacy survey in November 2018 involved 190 small businesses with 200 or fewer employees. The qualified respondents indicated involvement in the decision-making process for software and technology in their organizations.