4 steps for creating a company IoT policy

By Don Jones

From the home to the office and everywhere in between, Internet of Things (IoT) devices have never been more visible. Watches, light bulbs, thermostats, door locks, faucets, cameras and more are being connected to the internet at an increasing pace, resulting in more and more threats to private information—a problem that your company should quickly set guidelines around.

Consider devices like smart speakers in the office, which may as well have eyes and ears recording every conversation in the room. Once IoT devices are hacked, they are an open window into your office.

Here’s an easy breakdown of four initial steps to take to make sure your IoT strategy keeps your office as secure as it is smart.

1. Get clear on the problem

IoT devices usually make their WiFi connections—and do all of their internal computing—using very tiny chipsets, many of which are custom-made for the specific device they’re in. Like any good computing device, those mentioned above and more run firmware, which is software built right into the chipset. That firmware might let a light bulb report its imminent failure to your facilities team, or let a coffee machine tell someone their brew is ready. The convenience afforded by IoT is undeniable.

But so is the potential for risk. In an alternate scenario, that mighty firmware may serve as a launching point for a botnet inside your organization’s network. Take inventory of all the things that may be plugged into your network. The length of your list may surprise you.

2. Fully understand Service Level Agreements (SLAs)

The problem with IoT devices is that they’re rarely made by traditional computing companies like Microsoft, Cisco, Dell and so on. Instead, they’re commonly made by companies more accustomed to consumer electronics. And consumer electronics change often — sometimes multiple times per year.

Old electronics were relatively safe to simply abandon. Nobody was worried about whether or not last year’s immersion blender was still “current” so long as it worked, right? Now, abandoning electronics equipped with computer smarts is a security risk — a concern magnified by the fact that these consumer electronics companies are new to this level of computing, meaning they’re more likely to make rookie errors in their firmware code.

With any new smart device acquisition, the organization should document its firmware update procedures, and have a Service Level Agreement (SLA) in place from the manufacturer about how often the device will be updated, and how long after a vulnerability is discovered a patch will be available. At a minimum, you should know how long the vendor is committed to providing firmware updates.
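The inventory from step 1 and the vendor support window from step 2 can be checked together. The following is an added example, not code from the article: it parses dnsmasq-style DHCP lease lines (a constructed sample), compares each MAC against a constructed approved-device inventory that records the vendor's committed firmware-support end date, and reports devices that are unknown and approved devices whose support window has lapsed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample of dnsmasq-style lease lines:
# "<expiry> <mac> <ip> <hostname> <client-id>" ("*" means unset)
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.10.21 lobby-thermostat 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.10.22 breakroom-coffee *
1700000000 aa:bb:cc:00:00:03 10.0.10.23 * *
1700000000 aa:bb:cc:00:00:04 10.0.10.24 fitness-band-7 *
"""

@dataclass
class ApprovedDevice:
    description: str
    vendor: str
    firmware_support_until: date  # end of the vendor-committed update window (from the SLA)

# Constructed inventory keyed by MAC; real records would come from the asset register
APPROVED = {
    "aa:bb:cc:00:00:01": ApprovedDevice("Lobby thermostat", "ExampleVendor A", date(2026, 12, 31)),
    "aa:bb:cc:00:00:02": ApprovedDevice("Break-room coffee machine", "ExampleVendor B", date(2023, 6, 30)),
}

def parse_leases(text):
    """Return (mac, ip, hostname) tuples; hostname is '' when the lease has none."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, hostname = parts[:4]
        devices.append((mac.lower(), ip, "" if hostname == "*" else hostname))
    return devices

def audit(leases_text, approved, today):
    """Split current leases into devices not in the inventory and approved devices
    whose vendor firmware-support window ended before 'today'."""
    unknown, unsupported = [], []
    for mac, ip, hostname in parse_leases(leases_text):
        rec = approved.get(mac)
        if rec is None:
            unknown.append((mac, ip, hostname))
        elif rec.firmware_support_until < today:
            unsupported.append((mac, rec.description, rec.firmware_support_until))
    return unknown, unsupported

if __name__ == "__main__":
    unknown, unsupported = audit(SAMPLE_LEASES, APPROVED, date.today())
    for mac, ip, hostname in unknown:
        print(f"UNKNOWN DEVICE  {mac} {ip} {hostname or '(no hostname)'}")
    for mac, desc, until in unsupported:
        print(f"OUT OF SUPPORT  {mac} {desc}: vendor updates ended {until}")
```

Run it against the real lease file on a DHCP server to get a first cut of the list the article says may surprise you; devices flagged as unknown are candidates for the employee-brought category in step 3.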

3. Consider all IoT devices

Your IoT policy doesn’t just need to address the electronics the organization formally brings into the environment, although that’s an important first step. It also needs to address smart devices brought in by your employees, like fitness trackers. If these devices connect to WiFi, have a policy in place — initially, to disallow them, until you can come up with a plan to ensure they don’t become a threat on the network.

Keep in mind that many smart devices can be configured by your users’ mobile phones that are already on your network, meaning the phone can in many cases “pass along” users’ network credentials to the device. That means you may not even be aware of IoT devices until it’s too late — which means now is the time to communicate a company policy to employees.

4. Think beyond smart devices

Simply focusing on smart devices like those mentioned above isn’t enough. Any device capable of running software could become problematic if that software is transmitting intelligence about your corporate network. An employee could use their cell phone to run an innocent-seeming Internet speed test, for example, and end up sharing details about your internal network architecture that you’d rather keep private. Time-tracking apps could reveal details about when your office is staffed and when it’s empty, helping attackers seeking to gain physical access.
An overall “devices policy” is in order, with thorough employee education on how to protect not only their own privacy, but the privacy of the organization.

For better or for worse, today’s devices have more than enough computing power and onboard memory to serve as a launching point for a primitive botnet, or even to just acquire intelligence about your network and relay it to would-be attackers. No matter who brings these devices into the office, they do present a risk that your team needs to consider and make some “smart policies” around.

About the author

Don Jones' broad IT experience comes from 20 years in the business, with a strong focus on Microsoft server technologies. He's the author of more than 45 technology books, including titles on administration and software development, and writes monthly columns for the industry's leading periodicals. He's an in-demand speaker at technical conferences and symposia worldwide, and is widely recognized as one of the top trainers in the Microsoft sector.