One area of your business that you might have overlooked in terms of ensuring systems and access are secure and not at risk from being hacked or phished are your ‘smart’ devices that sit outside of your primary computer systems but are still linked to your networks.
Known as the Internet of Things, or IoT, this category of technology includes devices such as your photocopiers and printers, sensors, security systems, wi-fi routers, computerised manufacturing equipment and other devices you use which would normally be considered as low risk in terms of vulnerabilities.
However, overlooking the need to reset passwords on these devices away from the factory defaults, for example, can expose your organisation to risk. Manufacturers also often build in back door remote access for ease of updating, which again creates risk.
A further point of risk are the IoT devices such as Smart TVs, alarms and other systems your staff may have installed at home, that are connected to the internet and can potentially interact with their laptops or mobile devices when they are working from home.
OneCall recommends taking the following steps to ensure these potential gaps in your security precautions are addressed.
1. Split your Network
Talk to your IT provider about ‘splitting’ your network so that IoT devices are in a separate part of your network to core business systems – this immediately helps reduce the risk of anyone using the more vulnerable system to access your main network.
2. Separate Wi-Fi Services
Ensure Wi-Fi services are separated, so that IoT devices can have different rules applied to them than staff PCs have, and restricting what systems your IoT devices can access.
3. Ensure Unique Credentials are Used for IoT Devices
Never use the same credentials to set up IoT devices that you use on other services – a common hacker exploit is to obtain a password from a service related to an IoT device then use that to gain access to other online services.
4. Keep up with Patching and Maintenance
Ensure IoT devices are included in your regular proactive patching and maintenance activities, or ask your IT provider to ensure they include them.
Too often, vendors of IoT devices put little effort into ensuring the software that is embedded in their devices is regularly updated and patched.
5. Is it Necessary?
Ask yourself – is the IoT device a necessary device – should it even be on your corporate network?
6. Use VPN Facilities
Use VPN facilities to ‘wrap’ around remote access requirements for IoT devices – this adds another layer of security to the manufacturer’s provided remote access facility.
7. Choose your IoT Devices Carefully
Ensure you purchase IoT devices that support shared credential services, like Azure Active Directory.
8. Use Centralised Management Portals
Take advantage of any centralised management portals that manufacturers offer to manage all devices from one console.
9. Restrict the Number of Manufacturers
Try to standardise IoT devices so you have fewer manufacturers and models of technology that need to be managed across your network.
10. Look for Manufacturer Roadmaps for their Technology
Ensure when buying computer controlled equipment (security systems, CNC routers, technology with Android and Windows software embedded in them) that the manufacturer has a roadmap for ongoing support of the computers that support the technology).
11. Ensure Your Staff Members are Aware of the Risks
Ensure your staff are aware, particularly if they are working from home using computers connected to your company networks, that their home smart devices – including smart TVs, voice activated home controllers such as Google Home and Amazon Echo; thermostats; fridges; cars; movement activated camera and sensor systems etc might be a point of vulnerability and provide access to your work systems.
For further assistance around reviewing your potential IoT vulnerabilities, please get in touch with the OneCall team.