The Internet of Things is Complicating IT Asset Management and Destruction

The definition of IoT has become familiar to many, but just in case it’s not to you, Wikipedia defines IoT as:

 “The Internet of things describes the network of physical objects—a.k.a. “things”—that are embedded with sensors, software, and other technologies to connect and exchange data with other devices and systems over the Internet.” ¹

Most are familiar with this technology in their personal lives. IoT devices make life more convenient, efficient, and fun. But for the reasons we cover in this post, the management of IoT in organizations is like charting rough seas.

With the combination of ever-evolving technologies, smart devices, and remote work, we believe it’s time to revisit and enhance not just your remote work policies but time to make sure things like Acceptable Use and IT Asset Management policies have been updated to include IoT compliance. 

Smart devices now include smart mobiles, smartwatches, smart fire alarms,HVAC systems, smart door locks, fitness trackers, intelligent security systems, and personal assistant devices like Alexa and Siri. While you may think that they have nothing to do with your business, you may be overlooking some critical aspects of the new business environment.

While you may have hard-working, savvy employees – that in turn may be the threat. Remote employees are taking advantage of setting up smart home offices and enjoying Alexa in the background during Zoom calls and business meetings. Safe? Probably. But what threats do exist?

1. Alexa does record your private conversations at home, and you can play them back. That means she is storing them somewhere. While Amazon will tell you that the actual data is not stored on the device itself, actions taken have shown that the Amazon Echo Dot itself holds logs. So, depending on the type of business and the conversations going on, you will want to include policies against these devices being nearby or in-home offices or ensure that conversations are scrubbed in the app and devices (potentially being) added to your destruction policy at the end of their life.
2. Many smart devices are flawed when it comes to privacy. In one such article, we read all about it. They reveal that “findings show how smart devices can introduce unintended privacy vulnerabilities beyond even what the manufacturers realize. In one case, a smartwatch had profound “privacy implications, as an app that is camouflaged as a pedometer, for example, could gather data from emails, search queries, and other confidential documents,” the researchers found.²  It’s prudent for employers that are allowing remote work to begin asking about the smart devices in their employees’ homes as part of their ITAM and ITAD policies. While some may consider asking an invasion of privacy, it really should be part of the security requirements for those allowed to work remotely. Of course, the risk rises with the type of work your employees perform. Consider adding the topic of IoT to your Security Awareness Training program.
3. Hackers are practicing with just about anyone. According to toolbox.com, your refrigerator could indeed be spying on you. A hacker can compromise a smart fridge and quickly move to a smart TV, baby monitor, security system, thermostat, gaming system, tablets, smartphone, and computer. Nothing is off-limits once they are in. This means that you do need to ask the right questions, as mentioned above. And you may need to deploy a team to be sure that home offices are set up correctly. It is frustration in processes like complex authentication that can be the source of breaches. Even the most well-intentioned employee can think that the trouble isn’t worth the risk. Understanding what can happen and having a team available to deploy to work with remote workers in their home offices, when necessary, is the answer to understanding the devices and potential security risks in an employee’s home. 
4. Household members themselves are a connection point. While this may seem funny, many teenagers in basements know way more about technology than their parents working two floors above. While you may not be aware of it, your child’s Xbox Live account poses several security risks. But does it store data? Your issue isn’t the need to destroy devices like Xbox because they pose a data storage risk; it’s more to understand how they are secured on the home network regarding access to hackers. It’s also critical to understand your child’s setup and what they are doing. In 2020, Vox published an article informing readers that they are recorded more than they think. And kids and adult children are often the ones first bringing smart devices into homes. And these devices are listening, sometimes on purpose but sometimes by accident. The article shared,

“Devices were usually activated when a member of the household spoke a word similar to the trigger word, for example, “I can work” instead of “OK Google,” “congresswoman” instead of “Alexa,” “he clearly” instead of “Siri,” and “Colorado” instead of “Cortana.” While some speakers were better than others, they were all prone to accidental activations.³  The Apple and Microsoft devices are activated more often than the others.”

The point? If you have work conversations in offices nearby or the same room with others using technology, you could be recorded. So while the risk may be low, there is an upward curve of potential dangers as these devices begin to take over homes. 

The ITAM and ITAD RISKS can typically be lumped into the following three categories:

1. Improper home network setup
2. Data stored on unknown devices or servers
3. Unsuspected devices being part of the work process (unknown printers, etc.) 

Let’s not forget that printers with non-volatile memory do live in our remote employees’ homes. If employees have confidential documents that they happen to print, non-volatile or stored memory is what you need to worry about. And many people have a paper tray in their printer where they use the blank flipside of unwanted documents to conserve paper. When family members print from the same printer, are they seeing confidential or regulated information on the back of their documents? When the printer is discarded, have the paper trays been emptied?

In some cases (like the printer), the data is stored on the device, and in most cases (like Alexa), it’s stored on a server somewhere. Regardless, the responsibility of requiring deletion is on the employer and the employee (if requirements are adequately spelled out).

So, in the IoT, the best bet for improving security is to start somewhere. We recommend you begin with a survey of home office equipment and smart devices. It’s impossible to secure what you don’t know about. Update your remote employee processes, and look at all your policies for necessary updates. The extent to which that will impact your ITAM And ITAD processes will depend on your employees’ answers.

This can all seem overwhelming to already over-tasked business owners and IT professionals. To talk to our Certified Secure Destruction Specialists, go to https://reclamere.com/contact-us/. 

¹ Internet of things (IoT) – Magical Solutions Custom …. https://magicalsolutions.in/internet-of-things-iot/ and Wikepedia
² https://www.inverse.com/article/14641-what-data-sleeps-in-your-smartwatch
³ Alexa, Siri, and Google Home record you more often than …. https://www.vox.com/recode/2020/2/21/21032140/alexa-amazon-google-home-siri-apple-microsoft-cortana-recording