Cybersecurity Commandment #9: Watch Your Stuff
In 2001: A Space Odyssey, a valiant smart device named HAL strictly adheres to data access protocols despite a hacker’s determined attempts to breach its security. Alas, they don’t make smart devices like they used to; a few years ago, hackers got into a casino’s database through its smart fish tank thermometer. Incidents like this are why Cybersecurity Commandment #9 is “Watch Your Stuff.”
This is harder than it seems, because the “internet of things” (IoT) enables many previously benign devices to capture and divulge our confidential information, either accidentally or as a result of malicious activity. The increasing use of smartphones to access confidential information in the work-from-home era has incentivized bad actors to hack into them. And now that our office is our home, we are often talking near an Amazon Alexa or Google Home, which, by design, are always listening. Even the humble printer can now store copies of documents in its memory, which means that printing a confidential document may enable attackers to access or exfiltrate that data for use or sale on the dark web. To make matters worse, many smart devices cannot be secured the same way we secure traditional IT devices, or if they can, the effort necessary may be excessive.
Cybersecurity Commandment #9 has three overarching goals:
Protect device security. From a business perspective, protecting device security means preventing a device from being used to eavesdrop on network traffic or compromise other devices on the same network segment.
Protect data security. A business needs to protect the confidentiality, integrity, and/or availability of data (including personally identifiable information, or “PII”) collected by, stored on, processed by, or transmitted to or from the IoT device. This goal applies to each IoT device except those without confidential information.
Protect individuals’ privacy. To the extent an IoT device has PII or other personal or sensitive information, the owner of the device needs to protect said information.
The tactics necessary to achieve these goals could fill a book, but they boil down to knowing your IoT vulnerabilities and addressing them. A few tips include, but are not limited to:
Keep cybersecurity in mind when purchasing IoT devices. A recent workshop by the National Institute of Standards and Technology (“NIST”) concluded that IoT consumers generally ignore cybersecurity when considering IoT devices and assume that all IoT devices on the market are generally safe. This laissez-faire attitude is a ticket to a data breach. When selecting a smartphone, printer, or other IoT device, look into the device’s cybersecurity, and take that security into account in your purchasing decision.
Update your device’s software. Updating your phone or other device is a confusing hassle. An update may remove a feature that you rely on or change your device’s operation in ways that you find inconvenient. But updates often include urgent security patches, which are designed to protect your phone or other device against known vulnerabilities. So for security’s sake, you should update your smart device — especially your phone — as required, and businesses should require all work phones and other work devices to be up-to-date as well.
Lock your device if you can. You cannot password protect your smart speaker, but phones and other lockable devices that contain or may contain confidential information should automatically lock after a reasonably short period of time. If you are traveling to a country with a reputation for espionage — industrial or otherwise — the phone should unlock only by password — NOT with a fingerprint or facial identification, which an enthusiastic security officer can use to easily bypass your security.
Use a strong password. Speaking of passwords, any device that can access confidential information and is internet accessible should have a strong password. I have to mention this because in 2020, the most popular password was “123456,” followed by “123456789.” The server password for SolarWinds was “SolarWinds123.” Don’t be that person. Make sure your smartphone password is hard to guess. For printers, change the default password immediately upon setup.
Filter out network printer problems. If you have networked printers, you should employ IP filters, which block unapproved IP addresses from accessing the printer. This helps protect the data on the printers and the network as a whole.
Secure your printer ports. An unsecured printer port is like an unlocked house door. You should enable only the printing protocols that you will use. Turn off printer protocols and services that you do not use regularly — like AppleTalk, FTP, and SNMP — which can expose your network to attacks.
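The IP-filtering and port-restriction advice in the two tips above, shown as an added example (not from the original article) of an nftables ruleset for a Linux firewall that sits in front of a printer VLAN. The printer address, the approved client range and the administrator’s host are made-up values; only IPP (631) and raw printing (9100) reach the printer, the admin console is limited to one host, and unused services such as FTP and SNMP are dropped and logged. AppleTalk is not an IP protocol and must be switched off on the printer itself.

```shell
#!/bin/sh
# Hypothetical addresses for the example; adjust to your own network.
PRINTER_IP="10.10.50.20"          # the network printer
APPROVED_CLIENTS="10.10.0.0/16"   # hosts allowed to print
ADMIN_HOST="10.10.1.5"            # the only host allowed on the admin console

# Emit an nftables ruleset that filters traffic to and from the printer.
printer_ruleset() {
  cat <<EOF
table inet printer_filter {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    # Printing protocols (IPP, raw) only from the approved client range
    ip daddr $PRINTER_IP ip saddr $APPROVED_CLIENTS tcp dport { 631, 9100 } accept
    # Web admin console only from the administrator's host
    ip daddr $PRINTER_IP ip saddr $ADMIN_HOST tcp dport { 80, 443 } accept
    # Anything else aimed at the printer (FTP 21, Telnet 23, SNMP 161/udp, ...) is blocked
    ip daddr $PRINTER_IP log prefix "printer-blocked: " drop
    # The printer should not open connections on its own; add explicit
    # exceptions (e.g. a firmware update server) if your model needs them
    ip saddr $PRINTER_IP ct state new log prefix "printer-outbound: " drop
  }
}
EOF
}

# Write the ruleset to a file and print its path. It is applied only when
# nft is installed and --apply is given, so the script is safe to run anywhere.
write_printer_ruleset() {
  out="${TMPDIR:-/tmp}/printer_filter.nft"
  printer_ruleset > "$out"
  if [ "$1" = "--apply" ] && command -v nft >/dev/null 2>&1; then
    nft -f "$out"
  fi
  echo "$out"
}

write_printer_ruleset "$@"
```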
Keep Alexa out of your business. In 2018, an Echo-enabled device recorded a couple’s conversation and sent it to a person in their contacts list. A similar disclosure of confidential information could be disastrous, especially if you work in an industry that is legally obligated to keep certain information confidential. Make sure that your Alexa or Google Home is not in the room where you discuss confidential information, or at the very least unplug it.
Don’t smile for the camera. Recently, the security-camera vendor Verkada suffered a hack that exposed the video recordings of its users. Verkada had kept these video recordings on its servers, which the hackers managed to breach. If you use internet-connected video cameras, make sure they are not in rooms that contain confidential information. If you need to have cameras in the same room as confidential or sensitive data, seriously consider paying to store the videos locally rather than in the cloud.
Hopefully, these tips have given you a starting point for IoT security. So long as you keep cybersecurity top of mind in your IoT selection and setup, you can enjoy the benefits of a connected office without going half crazy with concerns.