TAG Cyber Law Journal

April 2019
Failing to do so is asking for trouble, and it can arrive in the guise of a coffee maker.
By Asha Muldro
WILL YOUR WIRELESS PRINTER DELIVER TRADE SECRETS to your competitor? Can the office copy machine sabotage your stock price? What if your assistant’s wireless coffee machine crashes your internet system? Who is responsible for the integrity of the smart TV in the boardroom, the vending machine in the hallway, the thermostat? These days, none of these questions is far-fetched. Rather, they should raise genuine concerns for every corporate counsel and technology officer.  
     Our world is in the midst of a revolution being driven by internet-enabled devices that can network and communicate with each other and the cloud, also known as the internet of things (IoT). Without proper protocols, the myriad smart devices now permeating every aspect of the workplace are invitations for mayhem. If you do not have a comprehensive policy in place to mitigate the risks, you could be courting disaster.

Many Corporations Don’t Know How Many Devices They’re Using
It has long been estimated that there will be 50 billion IoT devices in use by 2020. Yet, according to NIST, “many organizations are not aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices.” Moreover, because a user can enable a new device through a smartphone, which may already be connected to the corporate network, the potential for exposure is infinitely greater than just the number of devices that are directly connected in the office environment.
     IoT devices inherently raise a grave security concern. Anything that is connected to the internet has the potential of being hacked or misused. Yet, many manufacturers rush to market devices embedded with firmware without adding additional and well-tested security features. While some companies do go to great lengths to incorporate security into their devices, you are only as strong as your weakest link. And a lot of IoT devices are manufactured by companies that produce consumer electronics. They are not in the business of cybersecurity. There are also smaller companies that develop these devices that simply do not have the resources to engage in the research and development to address potential security concerns.
     Over time, additional vulnerabilities emerge. As devices age, manufacturers may have moved on to support other products or have simply gone out of business. So we can’t always count on software updates and security patches. Worse, customers themselves often bypass the extra step of changing default passwords or adding encryption. We have already seen breaches of baby monitors and security cameras that were compromised by hackers who simply exploited manufacturer passwords. It is imperative that all employees are trained on the dangers so that they take additional security precautions seriously.

Corporate IoT Policies Often Fall Short
Corporations seem to fall into five basic categories when it comes to an IoT policy: 1) Strict no outside device policy—only corporate-issued technology may be used; 2) Allows IoT devices, but only when preregistered; 3) Allows for IoT devices on a guest Wi-Fi network only; 4) All devices are allowed, but IT department is attuned to these risks; or 5) No written policy—fingers are crossed.
     Despite the relative ease of hacking IoT devices, it is alarming how many corporations, large and small, fall into category five. Even more disturbing, many corporate counsel respond with blank stares when asked, “Who is responsible for securing the Wi-Fi-enabled smart TV in your boardroom, the office thermostat, the copier, the vending machine? Is it corporate IT? Facilities? The building’s management company? The device manufacturer?”
     Corporate counsel are wise to investigate their companies’ IoT protocols and to work closely with their chief information security officers (CISOs), or equivalents, to ensure that their companies are secure. They should ensure that all types of technology are being accounted for in their policies and protocols, and that nothing slips through the cracks.
     Policies and protocols need to address corporate-owned technology, employee-owned technology and third-party technology on the company’s premises. Everything that is capable of connecting to the internet should be covered by a strict protocol to ensure that it does not threaten your network.

Policies and Practices Need to Be Updated Regularly
Even if you have a corporate policy or protocol, you need to update it regularly to keep pace with technology. The IoT Security Foundation provides an important reminder: “Like any aspect of information security, IoT security is not absolute and can never be guaranteed. New vulnerabilities are constantly being discovered, which means there is a need to monitor, maintain and review both policy and practice on a regular basis.”

Key Takeaways
Work closely with your CISO to ensure that IoT is being safeguarded.
Devise a comprehensive IoT policy that addresses corporate-owned devices, employee-owned devices and third-party devices in the corporate environment.
Do not let any IoT devices slip through the policy cracks.
Train all employees on the dangers of IoT.
Update IoT policies and practices regularly.

Asha Muldro is deputy general counsel and a senior managing director in the Los Angeles office of Guidepost Solutions. She directs an array of investigative, compliance and monitoring matters for corporations and individuals, including engagements involving cybercrime, data breach response, information security and intellectual property protection. Previously she was a partner at a litigation boutique where she led white-collar investigations, defense matters and complex civil litigation. She has also worked as an assistant U.S. attorney in the Central District of California. She can be reached at  [email protected]