The Internet of Things introduces new capabilities, enhancing capacity for people analytics, employee engagement, performance management, and more. Using it responsibly, however, requires new levels of cybersecurity.
The Internet of Things (IoT) has made significant inroads into the business landscape. Organizations in virtually every industry are now taking advantage of IoT devices to support better asset management, empower predictive maintenance, and enhance the customer experience, to name just a few of their applications.
In the human resources space, IoT devices can enhance the ability to collect people analytics, inspire employee engagement, and conduct performance management. When combined with Human Resource Management Systems, the IoT streamlines and optimizes those and other HR functions, including enhanced employee well-being and productivity.
To take advantage of these new capabilities, however, organizations must address a host of new vulnerabilities. As IoT devices proliferate, they extend an organization’s digital footprint, creating more access points for cybercriminals intent on breaching security.
In many cases, those access points involve much weaker security standards than what is commonly in place in corporate and commercial infrastructures. As a recent Forbes article explains, “For instance, according to the Federal Trade Commission regarding Ring, due to a lack of stringent privacy measures in 2019, ‘hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers.’”
Understanding IoT risks
The IoT is designed to streamline access to the Internet with the primary goal being convenience, not security. To deliver that convenience, computing power is typically limited on IoT devices, which means they are unable to manage robust security protocols. The most common security features — such as encryption, secure boot capability, or regular security updates — are often neglected in IoT devices to keep resource demand low.
Passwords on IoT devices are another common security issue. Default passwords on IoT devices are typically weak, and when updated by end users, passwords can be kept weak to support ease of use, resulting in poor security.
IoT devices also commonly provide always-on connectivity because they empower tools like smart locks, occupancy sensors, and HVAC monitors — all of which must constantly be active. Consequently, these devices provide an always-on access point that provides less resistance to hackers.
Each of these factors combine to create a security weak spot in the overall corporate security framework that can be used as a pivot point to gain access to other sectors of the network. IoT devices that fail to repel attacks provide an open door to the network that can be exploited to deliver malware or gain access to sensitive data. Recent statistics show that nearly half of businesses utilizing IoT devices don’t have systems in place to detect if those devices have been breached by bad actors.
Addressing IoT risks by securing endpoints
The best approach to IoT security begins with securing all endpoints. Organizations should inventory IoT devices to ensure all potential weaknesses are known and addressed, and update their inventory regularly, adding new devices as they go online.
The inventory process will be more complex for organizations that allow remote work. In such cases, IoT devices in use on an employee’s home network could potentially facilitate unauthorized access to the work network. Optimal security will consider those devices as an extension of the organization’s digital footprint.
After items are inventoried, organizations should ensure all available security is in place and up to date, including changing default passwords and other credentials to increase their strength. Where possible, multi-factor authentication and data encryption should be activated, and where security updates are available, they should be installed as soon as possible.
A final step in securing endpoints can include limiting network access. Firewalls can be used to prevent IoT devices from connecting with areas of the network that are not relevant to their operations. Segmenting the network to keep IoT access to certain designated areas is also helpful in limiting the impact of a security breach.
Addressing IoT risks by monitoring activity
Security is further enhanced by constantly monitoring IoT activity. Modern technology tools allow organizations to deploy network sensors that track IoT activity and alert organizations to anything suspicious. In many cases, responses can be automated to address risks in real time.
Advanced technology solutions allow organizations to conduct attack simulations on their networks. Simulations can pinpoint network resources that are most vulnerable to a security breach and the potential impact of a breach, which can be invaluable in identifying IoT items that need to be updated or decommissioned.
Addressing IoT risks through employee training
Employee training adds another layer of protection to an organization’s IoT security efforts, as few employees outside of the security department will inherently appreciate the threat posed by IoT devices. Organization-wide training can enlist all employees in IoT security efforts and explain the role they can play in securing devices.
Training should include situational awareness, explaining the warning signs that show a device may have been compromised and the steps to take when an employee becomes aware of those signs. Employees should also be made aware of the risks posed by connecting unauthorized devices to company networks and the role they play in ensuring security on authorized devices is kept up-to-date.
The Internet of Things promises to shape the future of business, empowering organizations to extend their reach and increase their understanding of how to improve the experience of both employees and customers. However, businesses must address the increased risks the IoT brings to their operations. Effectively leveraging IoT devices requires deploying enhanced security protocols that limit access and provide ongoing monitoring.
Explore HRtech News for the latest Tech Trends in Human Resources Technology
ABOUT THE AUTHOR
Eric Sugar,
President of ProServeIT
Eric Sugar is the President of ProServeIT, a multi-award-winning Microsoft Partner headquartered in Canada. He has over 25 years of experience in the IT industry and has been with ProServeIT since 2002.