For the purposes of this article, you can think of the IoT as the global network of "things" that are connected to the internet. This includes the obvious things (e.g., smartphones, computers, wearables, etc.) and the less obvious (e.g., A.I. devices, office automation, coffeepots, smart TVs, etc.).
If you work in technology, you should be aware of the IoT, as it is certainly a trendy topic. As a trendy and often misunderstood arena, the IoT has not historically been discussed in depth during security awareness training. This means that even if you are aware of the dangers presented by the IoT, your employees may not be as mindful.
Why educate employees about the IoT?
If a device can be connected to your organization's network, the device is part of the IoT and it can be used as a door into your network. The more devices that are allowed to connect to the network, the more opportunities exist for a malicious actor to enter. Employees need to be aware that their actions matter and if they connect devices to the network, they could be putting your organization at a higher risk of a cyber-attack.
How can I explain the IoT to my employees?
I've found that using a metaphor of a house to describe the IoT is helpful. For example, if you have a house and you lock the front door and all of the windows, you've done a good job protecting your house. If you forget to lock the back door though, it doesn't matter if you've locked down all other access points to the house. All someone needs is one weakness to get into the whole house.
The same is true of your bank's network. We're often trained to think about securing the obvious things, the items you see and use often. But it can be easy to forget about the back doors, like the smart thermostat that was installed a few years ago or the Wi-Fi-enabled coffeepot in the kitchen.
What topics should I cover to help employees secure their IoT devices?
When talking about the IoT, a lot of basic security awareness training topics apply (e.g., password security, using multifactor authentication, and performing backups of data on the device). However, it's necessary to connect these security ideas with the various IoT devices employees use, beyond their office workstations.
It would also be good to emphasize the importance of regularly installing security updates on the devices and knowing what kinds of data their devices can access. To drive the point home, it may be helpful to accentuate the fact that this training applies not only to their lives at work, but also at home.
You can do this by encouraging social responsibility. Ask your employees to keep an eye on what their kids, parents, and coworkers are doing online, connecting to the network, and downloading. Don't make them the "internet police," but encourage them to find opportunities to educate others in their lives, as it only takes one weak link to break the chain of security.
What else can I do to make sure my bank is protected from IoT threats?
Review your bank's policy and find out if employees are allowed to connect personal devices to the office network. If they are not, this mitigates a lot of the threat already, but not all of it.
If employees are allowed to connect personal devices to the office network, make sure you know what those devices are and who owns them, as much as you are able. When possible, implement technical policies to prevent unpatched or jailbroken devices from connecting to the network.
Consider providing a separate network for employee devices. When you do this, you can rest easier because your customers' sensitive information isn't sharing the same communication channels as your coworker's unpatched health tracker.
Install security patches on the IoT devices you manage on the network as soon as possible. If you aren't sure how some of your IoT devices get updates, today would be a good time to figure that out.
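The checks described above (a known owner, no unpatched or jailbroken devices, a separate network for employee devices, a known update path) can be expressed as one admission rule run over a device inventory. The following Python sketch is an added example, not part of the original article; the field names, segment names, 30-day patch threshold, and sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PATCH_AGE_DAYS = 30  # assumed threshold, not taken from the article

@dataclass
class Device:
    name: str
    owner: Optional[str]          # None = nobody has claimed the device
    personal: bool                # True = employee-owned, False = bank-managed
    last_patched: Optional[date]  # None = nobody knows how it gets updates
    jailbroken: bool = False

def admit(dev, today):
    """Return (segment, reasons); segment is 'deny', 'employee' or 'corporate'."""
    reasons = []
    if dev.owner is None:
        reasons.append("no known owner")
    if dev.jailbroken:
        reasons.append("jailbroken")
    if dev.last_patched is None:
        reasons.append("update mechanism unknown")
    elif (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"last patched {(today - dev.last_patched).days} days ago")
    if reasons:
        return "deny", reasons
    # Compliant personal devices still stay off the segment carrying customer data.
    return ("employee" if dev.personal else "corporate"), reasons

def audit(inventory, today):
    """Map each device name to its admission decision."""
    return {d.name: admit(d, today) for d in inventory}

# Constructed sample inventory (hypothetical devices and dates).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("teller-ws-01", "IT", False, date(2024, 5, 20)),
    Device("lobby-thermostat", "Facilities", False, None),
    Device("kitchen-coffeepot", None, False, date(2021, 3, 1)),
    Device("jdoe-phone", "J. Doe", True, date(2024, 5, 28)),
    Device("asmith-health-tracker", "A. Smith", True, date(2023, 11, 2)),
    Device("bkim-tablet", "B. Kim", True, date(2024, 5, 25), jailbroken=True),
]

if __name__ == "__main__":
    for name, (segment, reasons) in audit(INVENTORY, TODAY).items():
        print(f"{name:24} {segment:10} {'; '.join(reasons)}")
```

Every denied device comes with the reasons it failed, which doubles as the to-do list for whoever owns it.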
The IoT at Work
The internet is an incredibly helpful tool and the IoT can help us be more aware of our health, better at communicating, and more efficient in the workplace. While it comes with its own set of problems, the more we can share awareness, the more prepared we will be to take our business into the future.