Symantec: Establish security procedures for the 'inevitable' smart office

Organisations soon won't be able to purchase office equipment that isn't internet connected, according to Symantec CTO Nick Savvides, and as a result will have to establish security policies in preparation.

The transformation towards a smart office is unavoidable, according to Symantec Australia and New Zealand chief technology officer Nick Savvides, and companies need to do two things in preparation.

Special feature

Special report: How to optimize the smart office (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, explores ways companies are taking advantage of tech innovation to improve collaboration, productivity, and employee health and safety.

Read More

The first, the CTO told ZDNet, is to develop a company-wide Internet of Things (IoT) strategy that covers both management and updates of company devices, as well as connected devices brought into the office by employees.

"Develop an IoT strategy. You might not get it right, but at least have a strategy and say, 'When a device comes into our environment, what are we going to do -- here is a framework that we need to assess the device against; what is the security of the cloud service associated with it; who is the manufacturer; how do updates get handled; let's build an inventory of these devices, make sure that we are tracking the updates on them'," Savvides said.

"'Where is the management interface, has it got two-factor authentication on there, can we control the identity, can we federate the identity to that management interface so that we get some control back?'"

Companies would benefit from separating corporate traffic from IoT traffic, Savvides added, so that if a connected device is compromised, it can only see the other IoT traffic instead of the entire corporate traffic as well.

The second thing companies need to do is educate their employees on the security implications and accommodate company policies to allow for the use of personal IoT devices in the office, Savvides said, adding that if companies establish a no-IoT-device policy, employees are going to bring them in anyway.

"They [employees] consider this benign technology, why is this a problem? My whole house is full of connected devices -- why can't I just use this stuff at work? That's the mentality people will have, and that's why these devices are going to infiltrate the work environment," he said.

"Even if you said, 'I don't want any connected devices in my network or in my office', you're going to get them. If IT says no, employees are going to do it anyway. So user education is critical here as well."

Office equipment all across the board, from security cameras -- the origin of the attacks that resulted out of the Mirai botnet -- to seemingly innocuous heating systems or a set of window blinds, can be a security threat once connected, as they usually have their management portal in the cloud.

"You might have a HVAC system, a heating and cooling system that is monitoring building occupancy," he said. "Now, that sounds great, but the manufacturer of that HVAC system or the installer will probably have remote access to it to perform maintenance, there will probably be a lack of security understanding around that, which exposes the devices to easy control.

"So that whole thinking that, 'Well these are just my blinds, what can they do, they open and close'. They're probably connecting to a cloud service to do that, and people who have installed them, they're not IT security people. They're the people who worry about the windows and they consider this just a benign piece of technology. But it has a little computer on there, it has memory, it has internet connectivity. As an attacker, that is what I want."

Even coffee and vending machines have been found to create security flaws in the office, adding to the question of whether there are some forms of office equipment better left unconnected. On top of this, some smart device manufacturers aren't making their devices as secure as they should be, Savvides suggested, because security isn't their primary business.

Pointing to the masses of developers showing off their often pointless connected products at CES every year, including Bluetooth-enabled toothbrushes and smart barbecues, he said security features are often an afterthought for companies pushing for both market share and mind share with innovative or unusual products.

"All say, 'Our devices are secure', but every single device that has ever been compromised will have come with a marketing slide or an on-the-box talking about how it was secure, because it is secure to the understanding of the maker, but not secure to the understanding to the broader threat landscape.

"We're at a very immature level today when it comes to these IoT and connected devices. Over the next couple of years, this will start to mature and security will become a bigger and more important consideration at that design and manufacture stage, and will become a very key piece of marketing material."

Just like the transition towards cloud storage a few years ago, Savvides said the evolution of the company office to a smart office is inevitable, and soon companies won't be able to buy office equipment that isn't internet connected, so companies have to prepare.

"People said, 'We don't know how to handle cloud security, so we're not going to use any cloud services in our businesses'. And then all of a sudden, we have this massive shadow IT problem where employees are going out and utilising shadow cloud-based services circumventing IT and security completely. It spawned an entire industry," he said.

"It's the same thing with IoT; this is going to happen, whether or not organisations say they want it."

PREVIOUS AND RELATED COVERAGE

The spy on the corner of your desk: Why the smart office is your next security nightmare

Smart office devices could create a major security headache: do you really know what those gadgets can do?

Survey: Smart office tech is widely adopted, but results are mixed

In a recent Tech Pro Research poll, 76 percent of respondents said they use some kind of smart office tech, but 35 percent said at least one product didn't meet expectations.

Optimising the smart office: A marriage of technology and people

As employees become increasingly 'plugged in' to their workspaces and interact with AI-driven systems as part of their jobs, businesses need to ensure that humans are not overwhelmed by all the technology.

3 ways the 'smart office' will change the future of work

Companies have focused on making offices more comfortable and collaborative, but they still need to get over long-standing tech hurdles. That's where the smart office comes in.

TechRepublic launches the 'Smart Home Office' (TechRepublic)

In partnership with sister sites CNET and ZDNet, TechRepublic has opened a living laboratory to help everyone who works from home to set up a next-generation workspace.

How to build security into your company's IoT plan (TechRepublic)

As the IoT market booms, it's essential your company develops long-term cybersecurity solutions. These tips will help you prepare.

New research: Most IoT devices can be hacked into botnets (TechRepublic)

A team of Israeli researchers have discovered that the average IoT devices you buy on store shelves can be compromised within 30 minutes and added to a botnet.