Consumer connected devices are presenting increasingly attractive targets to cybercriminals, putting home networks and potentially enterprise assets at risk. In just the last two weeks, we’ve seen Samsung indicate that antimalware should be used on its “connected,” or smart, TVs (almost all TVs are connected these days — just try to find a nonconnected TV next time you are in a large retail store). Days later, Forbes announced a data breach involving the exposure of 2 billion records related to smart-home devices. As these devices proliferate among your employees and even in the corporate network, new risks and potential exploits need to be accounted for.
Unfortunately, there is little dialogue among security leaders today regarding how the expanding home networks of their employees affects an organization’s overall security posture. It’s understandable that security professionals wouldn’t want to focus on personal devices in their homes, as employee privacy is just as big of a concern for any organization. However, as bring-your-own-device and work-from-home policies become more ubiquitous, a larger number of devices that are connected to the company network will also invariably connect to the home or car networks maintained by their employees.
To investigate this further, Heidi Shey, Benjamin Corey, and myself have been interviewing experts in the fields of endpoint security, consumer device security, and personal cyberprotection, as well as end user organizations, to get an understanding of how this threat is being treated today. Our analysis is centered on three categories of devices: mobile internet-of-things (IoT) devices, which may travel between the home and work networks; static devices, which interact with mobile devices when employees return home; and car networks, which can interact with mobile devices as employees are en route to their homes. This research will culminate with a guide that enterprise security leaders can use to develop policies that protect their organizations from the growing risks surrounding consumer IoT devices. Our recommendations will cover everything from employee training to network-segmentation best practices.
We hope this research will help raise awareness around the expanding consumer attack surface and better define the gray area between home and work security responsibilities. If this is a topic you are already working on in your own organization, we would like 30–60 minutes of your time to learn from your experience. Please reach out to Benjamin Corey if interested.