
8 IoT Risks Every Organization Needs to Be Aware Of

Originally published:|Dashlane

IoT devices have countless benefits for organizations, from enhancing customer experience to boosting employee productivity and helping with office management. However, they can be a double-edged sword. Smart devices scattered around the office can be a weak link in security.

IoT threats range from partial network malfunctions to catastrophic data breaches. Security issues in IoT devices shouldn’t be underestimated, especially as more companies opt for the convenience of connected offices, warehouses, and manufacturing facilities.

What is IoT?

IoT is short for the Internet of Things. IoT devices are typically single-purpose devices that solve a particular problem or inconvenience. In an office, this can be anything from smart climate control and lighting systems to coffee machines and Wi-Fi-connected printers. Smartwatches worn by individual employees also count as IoT devices, especially if employees use them to receive and send work emails and critical notifications.

While IoT devices were first introduced in the late 1990s as luxury tech, they’ve now become indispensable for modern business. However, this reliance also requires organizations to be aware of IoT security vulnerabilities and challenges and to mitigate them.

Effects of IoT devices on enterprise security

Because of their varied roles throughout the enterprise, IoT devices come with numerous risks that may increase as malicious actors become more prolific. There are, however, a few common security risks and vulnerabilities inherent to the wide-scale use of IoT devices that you should be aware of.

1. Data privacy concerns

Since they don’t operate independently, IoT devices send all of the data they generate to centralized servers or data centers for storage and processing. As a large collection of employee and customer data, those storage servers tend to become prime targets for data breaches. One notable example is when Verkada, a provider of internet-connected security cameras, was hacked in 2021. The hackers managed to gain access to security footage of numerous Verkada clients, including Tesla, Cloudflare, and Equinox gyms.

A graphic depiction of network segmentation showing guest, general, PCI, and IoT networks separated by routers and firewalls.

2. Unsecured access points

There are estimated to be just under 19 billion connected IoT devices. Even for individual organizations, the sheer volume of connected devices can be hard to keep track of. A single compromised IoT device at one edge of the company has the potential to compromise servers containing private employee and customer information. This adds to the importance of segmenting IoT networks and limiting the access privileges of individual devices.

Also, many IoT devices don’t have the software needed for efficient remote management, so they can get left behind even during a company-wide security update. This lack of administrative capabilities makes IoT devices harder to configure and to blend seamlessly into the rest of the company’s infrastructure. Often, the devices are left with their default settings, including the default admin login credentials, which tend to be the same across all devices sold by the manufacturer and relatively easy to guess or hack.
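The segmentation and least-privilege point above can be checked mechanically against a firewall's allow list. The following is an added example, not part of the original article: the segment CIDRs, rule names, and the `audit` helper are all constructed for illustration, and each rule is assumed to describe who may initiate a connection from source to destination.

```python
import ipaddress

# Constructed address plan for guest, general, PCI and IoT segments (assumed CIDRs).
SEGMENTS = {
    "guest":   ipaddress.ip_network("10.10.0.0/24"),
    "general": ipaddress.ip_network("10.20.0.0/22"),
    "pci":     ipaddress.ip_network("10.30.0.0/24"),
    "iot":     ipaddress.ip_network("10.40.0.0/23"),
}

# Constructed allow rules: (name, source, destination, dest_port); None means any port.
RULES = [
    ("cam-to-nvr",        "10.40.0.0/23",  "10.40.1.10/32", 554),
    ("printer-legacy",    "10.40.0.0/23",  "10.20.0.0/22",  None),
    ("hvac-to-pci",       "10.40.0.17/32", "10.30.0.5/32",  443),
    ("sensor-to-broker",  "10.40.0.32/27", "10.20.1.15/32", 8883),
    ("staff-to-printers", "10.20.0.0/22",  "10.40.0.64/28", 9100),
    ("any-to-pci-ssh",    "0.0.0.0/0",     "10.30.0.0/24",  22),
]

def segments_touched(cidr):
    """Names of every segment that a rule's CIDR overlaps."""
    net = ipaddress.ip_network(cidr)
    return {name for name, seg in SEGMENTS.items() if net.overlaps(seg)}

def audit(rules, sensitive=("pci",)):
    """Flag allow rules that let IoT-sourced traffic reach other internal segments."""
    findings = []
    for name, src, dst, port in rules:
        if "iot" not in segments_touched(src):
            continue  # cannot be initiated from the IoT segment
        crossed = sorted(segments_touched(dst) - {"iot"})
        if not crossed:
            continue  # destination is in no other internal segment
        # High: reaches a sensitive segment, or is not pinned to a single port.
        high = port is None or any(s in sensitive for s in crossed)
        findings.append((name, "high" if high else "review", crossed))
    return findings

if __name__ == "__main__":
    for name, severity, crossed in audit(RULES):
        print(f"{severity:6} {name}: IoT -> {', '.join(crossed)}")
```

Broad source ranges such as `0.0.0.0/0` are treated as including the IoT segment, which is how an overly permissive "temporary" rule ends up bridging segments unnoticed.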

3. Lack of device standardization

There’s little standardization of either the software or hardware of IoT devices. This makes it significantly harder to maintain secure machine-to-machine (M2M) communication, as individual IoT devices would require a unique approach to cybersecurity.

Some IoT devices, especially ones not designed for large corporations, may not integrate well with high-end security software.

4. Use of outdated devices and software

With so many devices needed for a comprehensive network, many companies continue using older IoT devices to cut expenses. However, outdated software and hardware are more vulnerable to malfunctioning and security risks, especially without a backup security infrastructure in place.

Similar risks arise if the devices are connected to the internet. Devices without current security patches are vulnerable to web-based threats that could just as easily compromise them. The risk isn’t limited to using generic software and IoT solutions. Just last year, a federal agency was hacked due to using an outdated version of Adobe ColdFusion software. Analysis of the agency’s logs found at least two public-facing servers were compromised by the software bug.

5. Third-party integrations

Many IoT devices rely on proprietary software to handle some operations, including data processing. Integrating your company’s internal network with third-party components and services introduces a slew of risks that are harder to control since they're not managed in-house.

Whenever you’re outsourcing any part of operations to third-party software or data centers, they need to be fully included in a comprehensive security risk assessment. When the software development tool Codecov was hacked in 2021, the attackers gained access to hundreds of restricted websites and networks that integrated with Codecov. Among the exposed were industry giants such as HPE and IBM.

6. Higher malware and spyware risk

IoT devices aren’t typically built with advanced security measures in mind. This leaves them as low-hanging fruit for malicious actors seeking the weakest possible point of access. They’re particularly targeted with malware because they communicate data almost indiscriminately to internal company servers and data centers.

The same risk applies to spyware, as it can be hard to detect without doing regular sweeps of the IoT device's health. Not to mention, because they’re data-centric, IoT devices are the perfect target for spyware.

7. Physical security risk

To cut costs, IoT manufacturers often don’t prioritize physically robust designs. Combine that with the fact that many IoT devices don’t receive the same level of hardware security other company equipment does (they are often left unattended or in unsecured locations), and they’re at a much higher risk of physical tampering and damage.

Additionally, an attacker’s target might not always be data. They could instead paralyze critical company operations, costing you money in lost productivity. This could take the form of sabotage or of a ransom demand.

8. Poor handling of devices by employees

Employees might not be aware of the security risks posed by IoT devices. This could lead them to carelessly leave the devices unattended in unsecured locations or use insufficient security measures, like weak passwords or no passwords at all.

The human element is often the weakest point in any security system, and this applies to IoT security, as well.

Why is IoT security so important?

It’s important not to view IoT devices as an entity separate from the rest of the company's physical and digital infrastructure. After all, they’re used by employees in numerous departments and with varying access privileges, allowing them to proliferate throughout the company’s ecosystem. The IoT device itself is rarely the attacker's goal; such devices are often used as stepping stones to gain access to much more critical company infrastructure.

IoT security is particularly important because it's often overlooked, both by companies setting up the IoT devices and by IoT manufacturers not prioritizing security in their designs. A 2024 report by Forrester found that 34% of organizations that faced IoT-based data breaches had breach costs $5-$10 million higher than victims of non-IoT cyberattacks.

With “smart offices,” IoT devices become a core part of day-to-day facility operations. Sensors, accessibility options, and door locks are all relied upon by employees to be able to safely do their jobs. While a faulty IoT thermostat might not sound like a disaster, it could compromise employee comfort and safety, depending on the local climate and current weather conditions. Keeping IoT risks in check isn’t just for maintaining data integrity, but also upholding the company’s infrastructure, digital and physical.


How a password manager can improve your IoT security

While a robust security infrastructure is ideal for safeguarding your network of IoT devices, old-school password protection is still incredibly effective. Using strong passwords that are unique to each IoT device is the first step, and using a reliable password manager is the long-term solution.

With anywhere from a few hundred to a few thousand IoT devices, a dedicated password manager can keep track of all employee credentials for you. Dashlane is one of the leading business password managers, with numerous built-in security features like strong password generation, secure password sharing, AES encryption, multifactor authentication (MFA), phishing alerts, and a zero-knowledge architecture that grants only you access to your passwords.
