WHEN WORKERS were sent home at the start of the coronavirus lockdown, few companies had a plan to provide secure remote tools. Fewer still had a way to examine and secure home networks littered with Internet of Things devices like video doorbells, smart assistants, bathroom scales, and more that could ride the company VPN back to HQ. Now that work from home may continue indefinitely, managed service providers need to start including IoT under their security umbrella.
How many home-based workers have some type of IoT on their network? “I’d say all of them,” suggests Cary Wagner, technical operations director and CEO of Pacific NorthWest I.T. Services in Coeur d’Alene, Idaho.
A big challenge is that there’s no strict standard of security across all the different IoT manufacturers, explains John Hammond, senior security researcher at security services firm Huntress Labs. Every Google Nest Mini or Amazon Alexa is an attack vector, and that doesn’t include items you might overlook, such as a garage door opener you can control with your phone.
“Since you can’t control IoT devices with a mouse and keyboard, some sort of remote access to manage and configure the devices is needed,” Hammond says, adding that those admin portals are well known to hackers.
Another challenge is getting businesses to shore up their workers’ home networks. “We have 150 clients, and I can count on one hand the number who asked us to configure an employee’s home network,”” says Al Alper, CEO of Absolute Logic, a managed service provider in Wilton, Conn. “For the three or four who asked, we changed default usernames and passwords on home routers, set up a guest Wi-Fi network for all the IoT devices, and added endpoint security software everywhere possible.” This approach is more affordable for home use than a firewall with unified threat management (UTM), which is more appropriate for the corporate network.
Alper says it’s possible to reset usernames and passwords on existing home networks remotely, so MSPs don’t always have to send a technician to the home. He likes to add a Sophos RED (Remote Ethernet Device) to the firewall at the company’s headquarters to provide UTM to the home network. He’s also seen a marked increase in remote desktops over Windows Virtual Desktop on Azure.
MSPs should convey to their customers that securing a home network doesn’t require a “rip and replace,”” Alper adds.
Wagner’s first security fix for home IoT is “to get a firewall, and configure it to deny all, and only open up what you need.”
Hammond suggests MSPs have a policy to check and install new firmware, patches, and hotfixes to all the IoT devices possible. “Of course, the ‘security basics’ never die, so check for hardcoded or default credentials set on the remote access modules of IoT devices.”
MMR Opportunity
MSPs and integrators can turn home network security into MRR in many cases. Alper, for instance, bundles any new equipment customers need with setup services and bills for ongoing management per home user monthly. “If they need to upsize the HQ firewall, you’re in the black from the jump,” he adds.
Mike Jack, senior manager of product marketing at telcom company Spirent Communications, suggests channel pros can offer services that help companies enforce at-home IT device strategies. “”Work with IT organizations to put better rule sets in place to segment remote users from corporate assets,” he explains.
Training and education can be part of the solution as well, says Wagner. “You can’t treat them like your worst enemy but their best friend if you want to get them to change. Human beings are our own worst enemy.”
Finally, Alper points out that “users in the office don’t think about network security, and it’s more of the same when they go home.” Therefore, having a plan in place that includes WFH security instructions, hands-on and remote configuration and monitoring services, IoT security practices, and affordable equipment upgrades where needed can keep users just as obliviously safe at home as they are at work.
Image: iStock