How To Manage Smart Home Device Security Risks

How To Manage Smart Home Device Security Risks

Smart home security risk is no longer an issue for consumers and households alone. More and more people are working from home, so home electronics may impact corporate networks. In addition, some smart home devices are portable, so they may be brought into the workplace. As a result, IT professionals need a process to assess and control smart home security risk.

Why You Need To Manage Smart Home Security Risk

With all the security risks on your agenda, why should you pay attention to smart home security? After all, your staff needs training. You might be concerned about phishing or compromised SaaS apps. All of those are worthwhile objectives. However, your security processes need to keep up with new threats. According to ABC Cleveland:

While sitting in our van, Simon was able to gain control of a nearby thermostat using just commonly known passwords. Not only can he create problems with freezing out the home, but it’s a high-tech way of casing the house using the calendar on the thermostat.

Hopefully, your company will avoid some of the highest risk mistakes, like using common passwords. However, many of these devices may not be perceived as worthy of a full security assessment. As a result, your staff may bring these devices to work or connect them to company networks. That new behavior may heighten your risk of data loss and other security incidents. Fortunately, you can get that risk under control.

To do so, we recommend developing a small project to regain control. To develop and execute your oversight regarding smart home security, use this step-by-step plan.

1) Inventory Your Smart Devices

Before you make any changes to smart devices, you need an inventory first. In our experience, this is one of the most challenging steps in the smart home device security risks. It will require some work! Keep in mind that Step 1 is the foundation of your smart home security risk management. To get started, use the following tips.

●  Check your routers and networks for a list of connected devices. This step will identify all devices that have connected to your network. Flag the devices that do not appear in your existing inventory of devices, and you will find some smart devices.

●  Ask employees to report smart home devices they use at work. Self-reporting will help you to find additional relevant devices.

●  Check with finance for approved purchases and expense claims. For example, ask finance to produce a list of invoices for the most popular smart home devices such as Alexa and Google smart speakers.

Once you have a full list of smart home devices relevant to your organization, you can move on to the next step.

2) Evaluate Smart Device Security Risk

In this step, you will use a few different techniques to evaluate the security risk. This analysis will include both technical analysis of the device itself, your organization’s security risk appetite, and employee behavior. A detailed technical analysis of specific hardware devices goes beyond the scope of this article.

Instead, we will focus on employee usage of these devices. To gather a baseline of information, consider conducting a targeted employee survey focused on smart device usage at the office. Based on your findings in the previous step, create a few security risks in a survey, and highlight examples of these devices currently used in your environment.

Example questions to include in your security risk survey:

●  Which smart home devices do you use?

●  How often do you connect smart home devices to the company network?

●  What are the most common ways you use smart home devices at work? (Examples: digital voice assistant, Slack or something else)

3) Apply Security Risk Mitigation Techniques

The first two steps of this process provided a picture of smart device risk at your company. Now that you know the nature of the risk, it is time to cut that risk to an acceptable level. Pick and choose from the following menu of techniques:

●  Consider whether to ban or white list specific smart home devices based on your internal testing.

●  Apply access management best practices to reduce security. For example, apply the principle of least privilege across your organization, including smart home devices.

●  Require multi-factor authentication (MFA) for higher-risk devices. If you determine that some smart home devices are high risk (e.g., smart speakers that can be easily overheard), then apply additional controls like MFA.

●  Update your identity and access management software. If you lack a comprehensive access management solution, keeping track of new devices and users is going to be very difficult. To manage these risks effectively, use a software solution like Compliance Auditor.

4) Update IT Security Training

Some organizations only provide IT security training to employees when they are hired. In today’s environment, that approach is no longer good enough. Instead, you should provide regular just-in-time training sessions to your employees. If your surveys and technical analysis shows a large number of smart devices connected to corporate networks, offer a focused training session on that topic.

5) Update Ongoing IT Security Monitoring Processes

Detecting an IT security problem once is not good enough. Once you identify a threat and start to manage it, you need ongoing information. For example, you might assess the risk of smart home security as low today. In a year or even six months, your employees may start to use those devices much more often. Therefore, it is crucial to have an ongoing program to review and refresh your IT security perspective.

Review your current IT security dashboards, reports and tools and make sure they cover these devices.

6) Transition To Regular IT Security Options

So far, most of the steps we have covered have related to smart home device security from a project perspective. When the project team moves onto the next project, you need to find a way to sustain IT security monitoring and control. Therefore, we recommend assigning accountability for monitoring these devices into your operations.

Written by Nelson Cicchitto