Paul Ducklin, Principal Research Scientist at Sophos, offers some tips for keeping IoT devices and other connected computers secure at home – especially if you are working from home as well.
There are seven questions you should ask yourself about devices on your home network, and about the setup of your network in general. Think of it as going through your very own Cybersecurity Awareness Month at home:
- Do I actually need this device online? If not, consider removing it from your network. Or if you don’t need it listening in or activated all the time, consider powering it down when you aren’t using it. (Simply unplugging it from the wall socket is often all you need to do.)
- Do I know how to update it? If not, find out how; if the vendor can’t reassure you about security updates, consider switching to a product from a vendor that can (and see step 1).
- Do I know how to configure it? Make sure you know what security settings are available, what they are for, and how to set them up (and see step 2).
- Have I changed any risky default settings? Many IoT devices come with remote troubleshooting features turned on, which crooks may be able to abuse, and default passwords, which the crooks will definitely know. Check and change defaults before you make the device live (and see step 3).
- How much am I sharing? If the device is hooked up to an online service, familiarise yourself with how much data the device is sharing, and how often. You may be happy to share some data, but never feel squeezed into turning all the options “to the max” (and see steps 3 and 4).
- Can I “divide and conquer” my network? Some home routers let you split your Wi-Fi into two networks that can be managed separately. This is useful if you are working from home because it means you can put your home IoT devices on a “guest” network and your work devices such as a laptop on another.
- Do I know whom to turn to if there’s a problem? If your work has an IT department or offers access to tech support, make sure you know where to report anything suspicious. Ask them what information they are likely to need and provide it at the outset, in order to speed up the process.
By the way, if you’re an IT department looking after remote workers, make it easy for your less-technical colleagues to reach out for cybersecurity advice, or to report suspicious activity, and take the attitude that there’s no such thing as a stupid question.