Not so long ago, the phrase “consumerization of IT” was on everyone’s lips. Whole publications and conferences (remember CITE, for Consumerization of IT in the Enterprise?) were created to chronicle the trend of corporations relying on products and services originally created for consumers, which were often easier to use and of higher quality than their business-oriented competitors.
Well, no one talks much about the consumerization of IT anymore… not because the trend went away, but because consumer tech has now permeated every aspect of business technology. Today, it’s just how things work, and if you ask me, that’s a good thing.

The consumerization of enterprise IoT
But now, in 2018, a variation of the concept is returning in the world of IoT, and it’s raising many of the same concerns around reliability and, especially, security.
It turns out that in addition to the “enterprise-grade” Internet of Things (IoT) devices they buy, corporate IT teams also have to deal with “consumer-grade” devices that may enter the company via a variety of channels, from non-IT company purchases to staff members bringing them in on their own.
Examples include smart TVs, thermostats, smart speakers, fitness trackers, video cameras… basically anything connected to the company network that isn’t a computer, a phone, or a router.
Not surprisingly, these devices often lack the comprehensive security features more commonly found on IoT products designed for enterprise use.
Worse, perhaps, IT teams may not even be aware that these devices are being connected to their networks, much less be able to plan for their security.
Online Trust Alliance IoT device checklist
To help enterprises cope with these new risks, the Online Trust Alliance (OTA), now an Internet Society initiative, has developed a checklist for dealing with these “consumerization of IoT” devices in enterprise environments.
The OTA warns:

Many have a simple or non-existent user interface, default (or hardcoded) passwords, open hardware and software ports, limited local password protection, lack the ability to be updated, “phone home” frequently, collect more data than expected and use insecure backend services.
The consequences of using these devices range from unauthorized access to other enterprise systems, to surveillance via audio, video and data, to use of those devices to attack other connected devices or services.

According to the OTA, enterprises must “fully consider the possible risks introduced by these devices, understand that IoT devices are likely more vulnerable than traditional IT devices, educate users on IoT device risks, and strike a balance between controlling IoT devices vs. creating ‘shadow IoT.’” (That’s another buzz phrase that you don’t hear as much about these days.)
Key IoT security checklist items
Doing all that is hardly trivial, so while you can download a PDF of the entire checklist here, it’s worth calling out some of the key best practices.
In addition to fairly obvious ones, such as avoiding products with hard-coded passwords, the checklist includes more substantive advice:

Relegate IoT devices to a “separate, firewalled, monitored network,” just as you would with a guest network. “This allows you to restrict incoming traffic, prevent crossover to your core network, and profile traffic to identify anomalies.”
Turn off anything that’s not being used: services, open ports, and features alike. That may seem obvious, but the checklist also recommends the “physical blocking/covering of ports, cameras, and microphones.”
Ensure that people can’t physically access these IoT devices to reset the passwords, etc.
Enable encryption whenever possible, and consider allowing only devices that support encryption to connect to your networks. If that’s not possible, “consider using a VPN or other means to limit data exposure.”
Keep firmware and software updated (via automatic updates or monthly checks). Avoid products that cannot be updated, follow the lifecycle of all devices, and remove them from service when they are no longer updatable or secure.

IoT security continues to evolve, and checking off every item on the OTA list won’t provide complete protection. But these are straightforward best practices that can help mitigate the risk. Ignore them at your peril.
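The network-segregation item on the checklist above asks for two things a script can actually check: that traffic from the IoT segment is profiled for anomalies, and that crossover into the core network is really being blocked rather than merely assumed. The following is an added example of mine, not code from the article, the OTA checklist, or any product. It assumes a constructed IoT VLAN of 10.20.0.0/16, a constructed core network of 10.10.0.0/16, a small constructed device inventory, a constructed flow-record format of "epoch src_mac src_ip dst_ip dst_port", and an arbitrary phone-home threshold; every one of those is an assumption chosen for illustration.

```python
"""Profile flow records from a segregated IoT VLAN and flag anomalies.

Added example, not from the article or the OTA checklist. Assumptions
(all constructed for illustration): IoT VLAN 10.20.0.0/16, core network
10.10.0.0/16, a device inventory keyed by MAC, flow lines in the format
"epoch src_mac src_ip dst_ip dst_port", and PHONE_HOME_LIMIT as threshold.
A real deployment would feed NetFlow/sFlow or firewall logs into parse_flows.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("10.20.0.0/16")   # constructed IoT VLAN
CORE_NET = ip_network("10.10.0.0/16")  # constructed core network

# Devices IT knows about on the IoT segment (constructed inventory).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "lobby smart TV",
    "aa:bb:cc:00:00:02": "thermostat, floor 3",
}

# More outbound flows than this per device per window counts as excessive
# "phoning home". The value is an assumption for the example, not a standard.
PHONE_HOME_LIMIT = 3

# Constructed flow log lines: "epoch src_mac src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
1700000000 aa:bb:cc:00:00:01 10.20.1.10 93.184.216.34 443
1700000005 aa:bb:cc:00:00:02 10.20.1.11 10.10.5.20 445
1700000010 aa:bb:cc:00:00:03 10.20.1.12 203.0.113.7 8883
1700000012 aa:bb:cc:00:00:03 10.20.1.12 203.0.113.7 8883
1700000014 aa:bb:cc:00:00:03 10.20.1.12 203.0.113.7 8883
1700000016 aa:bb:cc:00:00:03 10.20.1.12 203.0.113.7 8883
1700000020 aa:bb:cc:00:00:01 10.20.1.10 10.20.1.1 53
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # do not let one bad log line stop the profiler
        ts, mac, src, dst, port = parts
        try:
            flows.append({
                "ts": int(ts),
                "mac": mac.lower(),
                "src": ip_address(src),
                "dst": ip_address(dst),
                "port": int(port),
            })
        except ValueError:
            continue  # unparsable address, port or timestamp
    return flows


def profile(flows, window=60):
    """Return (kind, mac, detail) findings for traffic sourced in the IoT VLAN."""
    findings = []
    outbound = defaultdict(list)  # mac -> timestamps of flows leaving the VLAN
    seen_unknown = set()
    for f in flows:
        if f["src"] not in IOT_NET:
            continue  # only the IoT segment is being profiled here
        # Shadow IoT: a source MAC that is not in the inventory at all.
        if f["mac"] not in KNOWN_DEVICES and f["mac"] not in seen_unknown:
            seen_unknown.add(f["mac"])
            findings.append(("unknown_device", f["mac"], str(f["src"])))
        # Crossover into the core network should be blocked at the firewall;
        # seeing it in flow data means a rule gap or a bypass.
        if f["dst"] in CORE_NET:
            findings.append(("core_crossover", f["mac"],
                             f"{f['dst']}:{f['port']}"))
        if f["dst"] not in IOT_NET:
            outbound[f["mac"]].append(f["ts"])
    # Sliding-window count of outbound flows per device.
    for mac, stamps in outbound.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > PHONE_HOME_LIMIT:
                findings.append(("phone_home", mac,
                                 f"{hi - lo + 1} outbound flows in {window}s"))
                break
    return findings


if __name__ == "__main__":
    for kind, mac, detail in profile(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:16} {mac}  {detail}")
```

Run against the constructed sample, the profiler reports the thermostat reaching an SMB port on the core network (a crossover the firewall should have stopped), an unknown MAC on the segment (the "shadow IoT" the article mentions), and that same unknown device opening four outbound MQTT-over-TLS connections in a few seconds. Adapting it to real data means replacing parse_flows with a reader for whatever your firewall or collector exports and sourcing KNOWN_DEVICES from your asset inventory.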