Securing Home Workers: Tackling the IoT Threat Landscape

Greg Day of Palo Alto Networks

With the boundaries between office and home blurring, corporate and personal IoT devices increasingly overlap—creating fresh cybersecurity challenges that demand a collective response from businesses and home workers alike, explains Greg Day, VP and CSO EMEA at Palo Alto Networks.

Non‑business IoT flooding onto business networks

The surge in remote and hybrid work has caused consumer IoT gadgets to slip onto corporate networks more frequently. Our two‑year IoT security study, spanning 18 countries across EMEA, APAC, and the Americas, tracks this trend.

The 2021 study found that 78 % of IT leaders worldwide—whose organizations already host IoT devices—reported a rise in non‑business IoT connections via remote workers over the past year. In the U.S., the figure climbs to 84 %.

The devices themselves are diverse. The most frequently reported non‑business IoT gadgets are wearable medical monitors, followed by smart lightbulbs, connected gym equipment, coffee makers, gaming consoles, and even pet feeders. The trend reflects the simultaneous boom in smart‑home kits and health‑and‑fitness wearables fueled by WFH habits.

Cybersecurity flaws and threats

Although the array of devices may seem quirky, they pose a serious threat: a single vulnerable gadget can become an attack vector. Many consumer IoT products lack robust security—often costing under $100 (€88.59)—and are built without the rigorous coding standards of enterprise software, leading to slow patches and long‑standing vulnerabilities.

Unit 42, Palo Alto Networks’ threat‑intelligence unit, has documented attacks that exploit home‑office IoT vulnerabilities. In February 2021, a Mirai‑variant targeted security flaws across many consumer devices. More alarmingly, recent evidence shows ransomware groups deploying the eCh0raix strain to target home workers’ NAS devices. The strategy appears to use compromised personal gadgets as footholds for supply‑chain attacks on large enterprises, where the potential ransom payoff is substantial.

The study confirms that consumer IoT is a significant risk for enterprises. Across the globe, 81 % of IT leaders whose networks host IoT devices cited the pandemic‑driven shift to remote work as heightening exposure to unsecured devices. In 78 % of those cases, the heightened risk manifested as a rise in IoT‑related security incidents.

With remote work and IoT proliferation set to persist, pressure mounts to strengthen IoT defenses. Our global survey revealed that 96 % of respondents in 2021—and 95 % in 2020—felt their organization’s IoT security strategy needed enhancement, and 25 % advocated for a full overhaul.

How WFH workers can help

Effective mitigation requires a three‑tier strategy that begins at home.

Organizations must educate and mandate remote staff to elevate home cyber hygiene, beginning with router configuration. Key actions include updating default settings, enabling WPA3 Personal (or WPA2 Personal if unavailable), and auditing connected devices—disabling those unused.

Additionally, remote workers should exploit the micro‑segmentation capability common in router firmware to create distinct networks—separating guests and IoT devices from corporate traffic.

Segmentation remains essential for both corporate and home environments. The survey shows 51 % of IT leaders with IoT devices report separating them onto dedicated networks distinct from core business systems such as HR, email, or finance. Yet one in five leaders confess that their IoT devices share the same network as critical business applications, and in the UK, this shortfall reaches one in three—indicating no segmentation.

Finally, companies should abandon the hub‑and‑spoke model that funnels all traffic through a single VPN. In today’s heterogeneous connectivity landscape, a one‑size‑fits‑all approach fails. Users frequently toggle VPNs off to access essential services like video conferencing. Edge‑based, context‑aware security can provide seamless protection without disrupting workflow, removing the incentive to disable safeguards.

Applying zero trust

Robust IoT protection also hinges on internal controls that prevent rogue devices from joining the corporate network.

Implementing least‑privilege access policies ensures that only verified devices and users can connect. Zero‑Trust frameworks help prevent data exposure and safeguard business continuity by continuously verifying each device’s trustworthiness.

Real‑time monitoring is essential for IoT security. It provides an up‑to‑date inventory—including unseen and forgotten devices—allowing organizations to leverage existing firewall capabilities to auto‑recommend and enforce risk‑based policies. A consolidated solution can extend corporate security to remote workers, delivering unified policy management and Secure Access Service Edge (SASE) for context‑aware protection.

Don’t wait for a legal solution

While upcoming regulations aim to compel manufacturers to embed stronger security, EU and UK laws remain nascent and will take years to take effect. The responsibility for robust IoT defenses ultimately falls on employees and their organizations.

Given IoT’s central role in modern work and life, organizations must evolve from reactive to proactive cybersecurity—embedding cyber hygiene across all levels, from the C‑suite to every employee. Such a culture encourages investment in preventive practices that deter attacks and mitigate damage from even seemingly innocuous devices.

—Greg Day, VP and CSO EMEA, Palo Alto Networks.