There are about 26.66 billion connected devices on the planet right now, and forecasts predict around seven connected devices per person in 2020. Employees bring those devices into the workplace and connect them to the internet, often via the corporate network. Here is what you need to know about connected devices in the workplace and how to avoid the risk.
Connected devices can be convenient to have around, but they aren’t without risk.
An overload of personal tech can disrupt corporate connectivity, halt productivity, and introduce security concerns.
Bandwidth refers to the volume of data that can be sent over a network at one time. It is not unlimited, and the more people using the network, the slower it becomes.
When calculating bandwidth requirements, businesses should determine how many employees they have, how many devices they are connecting to the network, and what activities each individual frequently performs.
Before the influx of IoT devices, companies only had to consider one device per employee, maybe two. Also, they only needed to estimate how many employees at one time were:
- Video conferencing
- Downloading or uploading large files
- Checking and sending emails
- Using the web for research
- Streaming music or video
- Using VOIP
Those activities are still crucial for bandwidth requirement purposes.
However, if you’re ending your focus there, you’re missing today’s bigger picture. Now, employees may have smartwatches, fitness trackers, smart glasses, and a health monitoring device.
Each employee likely has smart speakers or brings in a smart assistant. Consider that when each of these devices connects to the network, some questions must be asked. How often are the devices sending and receiving data?
Are these devices sending and receiving data in real time? Is the transfer done in batches throughout the day? Whenever a request is made? How much bandwidth are employees’ personal devices using throughout the day?
Without warning, an influx of personal tech can consume much of your WiFi and internet bandwidth. How is this consumption affecting productivity in your company? How much of the usage is causing problems for your customers?
It’s common knowledge that high consumption of internet bandwidth can lead to slow load times for web pages, difficulty opening large files, or problems with video conferences, presentations, or VOIP calls.
In general, you’ll be looking at complaints that the internet or the WiFi is slow. As a result, employee productivity will suffer. Productivity isn’t the only risk, either. Unsecured personal tech opens up a corporate network to a whole host of potential network vulnerabilities.
A system is only as secure as its weakest point. With personal IoT devices flooding a network, the number of possible weak points greatly increases.
Frequently, these devices do not have the same security protocols as business devices, but we connect them to the same network — a network that houses sensitive, confidential data.
That confidential data makes employee data an attractive target for hackers.
A personal device that’s hacked is bad news for employees and a lot worse news for companies. As these devices are connected to the corporate network — without proper IoT cybersecurity — your network is vulnerable to:
- Hackers gaining access to sensitive data, including the risk of someone hacking a device and using said device to take photographs or record video.
- Sabotage of company facilities, such as losing control of the HVAC, or being locked out of machinery.
- Botnets infecting devices and launching distributed denial of service (DDoS) attacks that bring down a network entirely.
These scenarios have happened and are already happening. Criminals hacked a smart thermometer in a casino fish tank to steal data about the casino’s highest paying customers.
Home thermostats have been used as a launch point for DDoS attacks that have left residents freezing and locked out of their own central heating systems. The FDA proved that implantable cardiac devices can be hacked.
Additionally, Corero Network Security reported that organizations experienced an average of 237 DDoS attack attempts per month. The examples go on and on. Take these security risks seriously. Design your network to keep hackers and criminals securely locked out.
How to Solve the Problems
Before you can adequately protect your network and optimize your bandwidth, you have to know what devices are on the network. Of those devices on the network, identify which are corporate devices and which are personal devices.
One way to verify this is through device discovery and device profiling.
- Device discovery alerts you when new devices connect to your network.
- Device profiling identifies the device and shares information such as device type, brand, and operating system.
- Profiling provides details down to the specific make and model.
With the right tools, this process takes only minutes. The identification provides companies with complete visibility into their wireless networks and lets them know precisely what the network is supporting and how the bandwidth is utilized.
Your AP vendor might provide profiling. If not, there are other analytics tools you can turn to for the job.
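As an added example of the discovery and profiling steps above (not code from the original article or from any AP vendor), the Python below profiles DHCP lease records by OUI prefix and DHCP option-55 fingerprint, marks devices as corporate or personal from an asset inventory, and reports only newly seen MACs; the record format, the OUI and fingerprint tables, and the sample leases are all constructed assumptions.

```python
"""Device discovery and profiling over DHCP lease records (added example).
Records are assumed to be "MAC IP OPTION55" lines, OPTION55 being the DHCP
Parameter Request List; the OUI and fingerprint tables are constructed."""
from dataclasses import dataclass

# Constructed OUI prefixes (first three octets of the MAC) -> vendor.
OUI_VENDORS = {"00:1a:2b": "ExampleCorp", "a4:5e:60": "WearableCo",
               "d8:f1:5b": "SpeakerCo"}
# Constructed option-55 fingerprints -> (device type, OS family); the set and
# order of requested options is characteristic of a DHCP client stack.
DHCP_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": ("laptop", "Windows"),
    "1,3,6,15,119,252": ("smartwatch", "RTOS"),
    "1,3,6,12,15,28,42": ("smart speaker", "Embedded Linux"),
}

@dataclass
class Profile:
    mac: str
    ip: str
    vendor: str
    device_type: str
    os_family: str
    corporate: bool   # True only when the MAC is in the asset inventory

def profile_device(record, corporate_macs):
    """Profile one lease: vendor from the OUI, type and OS from option 55."""
    mac, ip, opt55 = record.split(maxsplit=2)
    mac = mac.lower()
    vendor = OUI_VENDORS.get(mac[:8], "unknown")
    dtype, os_family = DHCP_FINGERPRINTS.get(opt55.strip(), ("unknown", "unknown"))
    return Profile(mac, ip, vendor, dtype, os_family, mac in corporate_macs)

def discover(records, known_macs, corporate_macs):
    """Discovery: report MACs not yet known and remember them for the next run."""
    new = []
    for rec in records:
        p = profile_device(rec, corporate_macs)
        if p.mac not in known_macs:
            known_macs.add(p.mac)
            new.append(p)
    return new

# Constructed lease records and asset inventory for a sample run.
LEASES = [
    "00:1A:2B:10:20:30 10.0.10.21 1,3,6,15,31,33,43,44,46,47,119,121,249,252",
    "A4:5E:60:00:00:01 10.0.10.88 1,3,6,15,119,252",
    "D8:F1:5B:00:00:02 10.0.10.90 1,3,6,12,15,28,42",
]
CORPORATE_MACS = {"00:1a:2b:10:20:30"}
```

Recent phones and laptops randomize their Wi-Fi MAC address per network, so a MAC-keyed inventory should be combined with 802.1X identity or certificate data rather than trusted on its own.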
Now that you know how many and what kind of IoT devices are on your network — how do you keep it all secure?
Many IoT devices don’t have a user interface (UI) that would allow for the installation of additional software, like antivirus software. These employee devices might even be lacking the hardware capacity needed for such an installation.
What enterprises need to do is flag the devices for anomalous activity, and put such devices on a network that is separate from your corporate network.
Enterprises achieve this separation by using different SSIDs, VLANs, and subnets, or a combination thereof, and then assigning device-specific access roles.
After personal devices are identified, flag them, so you receive an alert if they act suspiciously.
Consider a scenario where a device identified as a smartwatch suddenly starts downloading or uploading large amounts of data either to or from your network. This is an immediate red flag that the device is being used for malicious purposes.
With real-time identification, IT can resolve the problem before the negative consequences are too severe.
Make sure you continuously upgrade the criteria used for anomalous detection, allowing your business to keep pace with natural changes in device usage and behavior.
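The smartwatch scenario above, as an added example (not code from the original article): each profiled device class carries a byte-count baseline per five-minute window, a window far above the baseline raises an alert, and normal windows update the baseline so the criteria keep pace with real usage; the class names, thresholds, EWMA weight and flow records are constructed assumptions.

```python
"""Flag personal devices whose traffic departs from the baseline for their
profiled class (added example; every threshold and flow record below is
constructed, not measured)."""

# Starting baseline per device class: bytes moved in a five-minute window.
BASELINE_BYTES = {"smartwatch": 200_000, "smart speaker": 2_000_000}
FACTOR = 10      # a window above FACTOR x baseline is anomalous
ALPHA = 0.2      # EWMA weight that lets the baseline follow normal drift

class AnomalyDetector:
    def __init__(self, baseline=BASELINE_BYTES):
        self.baseline = dict(baseline)

    def observe(self, device_type, mac, byte_count):
        """Return an alert string for an anomalous window, else None.
        Normal windows update the class baseline so the criteria keep pace
        with real usage; anomalous windows do not, so a burst never becomes
        the new normal. A device of an unprofiled class is itself an alert."""
        base = self.baseline.get(device_type)
        if base is None:
            return f"ALERT {mac}: unprofiled device class {device_type!r}"
        if byte_count > FACTOR * base:
            return (f"ALERT {mac} ({device_type}) moved {byte_count} bytes; "
                    f"baseline {base:.0f}")
        self.baseline[device_type] = (1 - ALPHA) * base + ALPHA * byte_count
        return None

def scan(flow_windows):
    """Run every (device_type, mac, bytes) window through one detector."""
    det = AnomalyDetector()
    alerts = [det.observe(*w) for w in flow_windows]
    return [a for a in alerts if a]

# Constructed five-minute flow summaries, as a profiling tool might export.
FLOWS = [
    ("smartwatch", "a4:5e:60:00:00:01", 150_000),
    ("smartwatch", "a4:5e:60:00:00:01", 180_000),
    ("smartwatch", "a4:5e:60:00:00:01", 45_000_000),  # sudden bulk transfer
    ("smart speaker", "d8:f1:5b:00:00:02", 1_500_000),
]
```

A slow ramp that stays under the factor will still move the baseline, so keep a hard per-class ceiling alongside the adaptive one.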
Acting proactively, IT can limit the information available to IoT devices by deploying two or three service set identifiers (SSIDs). The different SSIDs provide varying levels of network access to different users and devices. Generally, I recommend using three SSIDs:
- SSID 1 is the most secure network, with strong firewalls and a unique password or certificate for each device. Typically, configure SSID 1 as WPA2-Enterprise. Limit SSID 1 to employees and business devices only.
- SSID 2 is the guest network. It can be open or password-protected (WPA2-Personal), with or without a captive portal (web-browser based authentication). SSID 2 can require all users to accept terms and conditions or to complete some form of login.
- SSID 3, if needed, is a catch-all network for any other devices. This includes personal IoT devices that may have limited support for frequency bands or security protocols.
Using a slightly different method, companies could also choose to put all IoT devices on the 2.4GHz network. Then, the company can reserve the 5GHz network exclusively for corporate devices.
Be very selective about which devices join which network.
For example, it might not seem worrisome if a hacker accesses a printer, but that criminal can now see everything that is printed or scanned in an office. Yikes!
Ensure your employees understand the risks involved if they allow their personal devices to connect to a secure network. Enforce company policies that prohibit such connections.
Quality of service (QoS) technologies allow you to deliver optimal performance for different types of network traffic. The first thing you’ll want to do is classify your network traffic.
You can be as broad or as specific as you like when classifying traffic for QoS. Once you’ve determined what kind of traffic you have, there are different methods you can implement.
A differentiated service model configures network hardware so that different traffic types have different priorities.
If voice traffic is a higher priority than other traffic, the differentiated service model allocates more network resources for peak performance.
You can use bandwidth shaping, also known as traffic shaping. Traffic shaping lets you reserve bandwidth for higher priority, business-related traffic. Using shaping, companies limit the bandwidth available to certain applications, or limit bandwidth based on the source and destination of packets.
For example, it would be possible to reserve 60% of the bandwidth for corporate use and designate only 20% each for IoT devices and guests.
If IoT devices start trying to use more than 20%, bandwidth shaping will usually hold traffic in a buffer and delay sending it until it can be transmitted without going over the configured speed — or drop it.
To determine whether bandwidth shaping is necessary for your company, use network tests and device profiling to measure bandwidth utilization over time. Are business applications running slowly because of an increase in users? Or is the slowdown caused by an increase in personal or other IoT devices? Does the bandwidth need to be upgraded, or will bandwidth shaping resolve the issue?
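To show what the 60/20/20 split and the buffer-or-drop behaviour described above amount to, here is an added Python simulation (not code from the original article, and not a real shaper such as Linux tc): each class gets a token bucket refilled at its reserved share of the link, packets that exceed the share wait in a bounded queue, and packets that find the queue full are dropped. The link rate, queue limit, packet size and offered loads are constructed assumptions.

```python
"""Per-class token-bucket shaping with a 60/20/20 split of one link
(added example; the link rate, queue limit and offered loads are
constructed, the split is the article's 60% corporate, 20% IoT, 20% guest)."""
from collections import deque

LINK_MBPS = 100
SHARES_PCT = {"corporate": 60, "iot": 20, "guest": 20}
QUEUE_LIMIT = 500      # packets a class may buffer before new ones are dropped

class ClassShaper:
    """Tokens refill at the class's reserved rate; a packet is sent if tokens
    cover it, queued (delayed) if the buffer has room, otherwise dropped."""
    def __init__(self, rate_mbit):
        self.rate_bits = rate_mbit * 1_000_000   # bits per simulated second
        self.tokens = 0
        self.queue = deque()
        self.sent = self.delayed = self.dropped = 0

    def tick(self):
        """Start of a new second: refill (burst capped at one second of rate)
        and drain queued packets that now fit."""
        self.tokens = min(self.tokens + self.rate_bits, self.rate_bits)
        while self.queue and self.queue[0] <= self.tokens:
            self.tokens -= self.queue.popleft()
            self.sent += 1

    def offer(self, bits):
        if bits <= self.tokens:
            self.tokens -= bits
            self.sent += 1
        elif len(self.queue) < QUEUE_LIMIT:
            self.queue.append(bits)
            self.delayed += 1
        else:
            self.dropped += 1

def simulate(offered_mbit, seconds=3, pkt_bits=10_000):
    """Offer a constant load per class each second; return (sent, delayed,
    dropped) per class. Unlike HTB-style shapers, this model never lets a
    class borrow another class's idle share, so each reservation is hard."""
    shapers = {c: ClassShaper(LINK_MBPS * pct // 100) for c, pct in SHARES_PCT.items()}
    for _ in range(seconds):
        for cls, mbit in offered_mbit.items():
            shaper = shapers[cls]
            shaper.tick()
            for _ in range(mbit * 1_000_000 // pkt_bits):
                shaper.offer(pkt_bits)
    return {c: (s.sent, s.delayed, s.dropped) for c, s in shapers.items()}
```

With IoT devices offering 30 Mbit/s against a 20 Mbit/s reservation, a third of their packets are delayed or dropped each second while the corporate and guest classes are untouched.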
Keep it Visible, Keep it Safe
With 100% network visibility, companies understand their network better: how it is growing, what devices it supports, and what security vulnerabilities, if any, exist.
As the number of IoT devices continues to grow, this practice will be more necessary than ever.
Implement policies for identification, protection, and traffic shaping. Your goal is to keep your network secure and optimized, no matter how many devices enter the office.