The IoT Security Questions You Need to Ask Before Implementing a Smart Office

Installing smart office technology can help usher businesses into a new era of operations and productivity, but it’s not without challenges. Chief among these challenges is IoT security. IoT security challenges impact everyone at the business, and the best way to tackle them is early on in the implementation process.

We sat down with Current’s own Iain Cundy, an IoT Solutions Architect, to discuss the biggest IoT security issues he sees companies facing as they launch smart office projects. With years of cyber security experience and a deep knowledge of smart devices and networks, Cundy is a valued resource for new and existing customers alike, and he was kind enough to share some of his learnings. Specifically, he recommends that organisations ask themselves these five questions before implementing an IoT project.

Who am I in this business?

Before deciding what technology to invest in or who to loop into conversations, you must ask yourself what your role is and where you’re positioned in the grand scheme of the organisation. This is critical for IoT projects, which can involve the need for private information to be protected—often in ways facility, finance or other managers may not know about.

“I think the first question they should ask themselves is, ‘Who am I in this business? What is my function linked to?’” Cundy said. “They need to make a decision very quickly as to whether they’re going to engage and involve the IT department, because there are IT elements to what we do, and their involvement in the early stages of the project would help. And it would certainly help with things like legislation, data security or even reporting.”

In situations where facilities leaders or others outside of IT are leading the charge toward a smart office, Cundy recommended engaging the IT team as early on as possible to ensure that all standards are adhered to in the right way. Similarly, if an IT leader is in charge, he or she is advised to get facilities teams on board to approve site access, understand the role of buildings and more.

What is the outcome I want?

Too often, people become sold on a gadget or function that does something but doesn’t deliver anything. Or maybe it delivers data that they are not equipped to use and apply. Cundy warned against this, advising stakeholders to start with the outcome they want and then work backwards.

Cundy said, “I think the best way to deliver a successful smart building is to decide the outcome you want as early as you can. Once you’ve done that, the technology stack essentially fills itself in.”

Deciding on the required outcome may be a more complicated process involving lots of department heads beyond technology, but it’s worth doing right and having those change-driving conversations upfront. Opinions on the outcomes, deliverables and results of a smart building project vary, which is why it’s critical to get everyone aligned and manage the expectations around the project. “Outcome is value that will drive the project,” he continued. “If you don’t have that, you’re spending a lot of money for nothing.”

What am I going to do with the data we collect?

The outcome you’re working toward will be closely tied to the data you collect, and the IoT security measures you put in place will depend heavily on those types of data—more so than anything else.

Cundy explained that, for now, most of the data smart building sensors are collecting is fairly innocuous, such as temperature data. A leak or hack would still have to be reported, but the information is not essential to business operations and is therefore unlikely to cause reputational damage. But as future sensor applications come to fruition, the possibility of collecting and storing personally identifiable information is real. Data security measures need to be in place for the potential risk to that information.

“Our methodology has always been that if data is in transit and could potentially be intercepted, it should always be encrypted. We’re doing that now when the data isn’t essential, so when we grow to the layer where it is important, then we’re already fully encrypted. Encrypting data in transit is something to look at as early as possible,” he said.

Cundy also mentioned the use of an air-gapped network for smart buildings. Many facilities already use this setup for operational networks such as CCTV, access controls, etc., and since these are not business functions the separation works without impeding job productivity.

“The best way to segregate things down to almost zero risk on your corporate/operational data is to completely, physically separate the network,” he explained. “That can sound big, but the truth is when we use limited cabling infrastructure and new advanced cell technology, we can be very agile in how we actually extract data.”

And while that arrangement may assuage stakeholder fears, it’s not a necessary precaution for all organisations. “If someone did want to put our products on a corporate network, I would have no security concerns,” Cundy said. “We have excellent encryption, we have the ability to deliver over-the-air updates so if we find issues with our firmware we can instantly push that update to all of our endpoints from anywhere in the world. The security risks are minimal.”

Is my staff equipped to handle an IoT implementation?

Even with a secure smart building solution planned, there are still hurdles, and a big one is making sure you have the right staff on board. This isn’t easy, as there is a serious skills gap in the world of cyber security. Almost three-quarters of respondents to a 2018 ESG survey said that a shortage in cyber skills had impacted their organisations. Effects range from increased workloads (66%) to an inability to learn new security technologies (47%). And it’s not just an issue for security—38% of respondents said they faced a problematic shortage of employees with IT architecture and planning skills. So blindly reaching out to and assigning members of your existing staff to a project probably won’t work, as they may not have the knowledge or desire to take part in an implementation.

“The biggest thing I’ve noticed is that there’s two types of people we tend to get: One, an IT person has been taken out of their team—they might have been doing server admin, network admin, whatever—and they’ve been told, ‘You’re doing IoT.’ Sometimes they can become a negative, defensive influence on the process,” Cundy said. “People who have had an experience with IoT and they think that everyone’s the same. Until they find us and see that we offer an end-to-end, sensor-to-outcome solution. Once people really understand that, a lot of their aggressive concerns about IT problems and security melt away.”

The other type of person is the opposite. “The other guy is the guy who really wants to do IoT. They have a very different energy on the job. They often want to solve an issue before thinking through the complexities of communications, data in transit, scale, APIs, SDK, all of the elements of the project. People can be really excited and want to rush towards their outcome,” Cundy explained.

These are the extreme ends of the scale, and what usually functions best for these projects is someone in the middle. Cundy said that this is where Current sits, bringing the pessimist up to be more optimistic about a project, while grounding the optimist as to the realities and responsibilities of the IoT.

What is the biggest threat to my network, and what can I do to combat it?

Cundy didn’t mince words: The biggest threat to your organisation’s security is people. This may be people acting on their own to bypass organisational policies or malicious hackers trying to fight their way in for nefarious reasons.

“Insider threats is a really hard one to educate against, to be quite honest,” Cundy shared. “Like anything, it’s constant improvement, it’s inclusiveness within the business, and it has to be taken seriously at the board level and with HR. It has to be part of the standard dataset: It’s a bank holiday Monday, the train lines are closed, you will not do this as far as data security breaches go. It’s constant education. Make people aware of the consequences of their actions—people don’t know that losing a company phone could potentially be the backdoor to their entire IT system. That could be the end of the whole company if you haven’t taken the right steps. Education is absolutely key.”

Finding the Answers

Asking these questions during the beginning stages of a smart building project can eliminate many of the IoT security challenges organisations face. But it’s more effective to have a partner who knows the space and has experience guiding people on the path to IoT.

“Everyone is in a different place with IoT,” assured Cundy. “Nobody is wrong or right, it’s just the journey they’ve been on that affects that. We need to help them see that we’ve evolved the idea and have taken away a lot of these potential pain points or reasons for concern.”

Have questions for Iain, or disagree with something he said? Connect with him on LinkedIn and let him know.