What About Shadow IoT?

There has been so much talk about “Shadow IT” — employees using their own smartphones, tablets, cloud applications and mobile apps — and its impact on corporate IT that many don’t worry about it anymore. Many IT decision makers have simply acquiesced to the idea that employees will use their own devices, mobile apps and cloud applications, and so are finding ways to work within this new reality as opposed to fighting it. To be sure, Shadow IT has major implications for security, the ability to find and manage corporate data, the ability to satisfy compliance obligations and the like, but Shadow IT is here and it’s here to stay.

But what about “Shadow IoT”? There are a large number of personally owned IoT devices already accessing corporate networks, such as Apple Watches, Fitbits, Alexa/Google Home devices and the like. For example, an Apple Watch can be used to access corporate email and text messages, Fitbits send emails to wearers with their weekly status reports, and IBM has integrated Watson with Alexa/Google Home, to name just a few examples on the tip of this iceberg. Fueling this trend is growing corporate acceptance of the idea of integrating IoT with business processes — companies like Salesforce, Capital One, AETNA, SAP and SITA, among others, are embracing use of the Apple Watch and developing applications for it. Moreover, the use of wearable IoT devices can increase employee productivity — a Rackspace study found that productivity and job satisfaction both benefited from their use.

While personally managed IoT devices represent an enormous boon to their owners, they also can create a number of security risks. For example, researchers at the University of Edinburgh were able to circumvent the encryption that Fitbit uses to send data, leaving users vulnerable to theft of their personal information. In 2015, a Fortinet researcher discussed a proof-of-concept that could infect a Fitbit device with malicious code that could then send malware to a PC connected to the device (a claim that Fitbit denied). Researchers at Binghamton University found that sensors in wearable devices could be used to determine passwords and PINs with up to 90 percent accuracy. Apple Watches have been banned from cabinet meetings of UK government ministers over fears that the devices could be hacked and used to listen in on these meetings.

Does your organization have a policy to protect against Shadow IoT? What security measures have you implemented specifically to address this threat? I’d like to get your feedback on what your organization is doing for a future blog post.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s