Exactly. And a lot of these devices have either default or hardcoded passwords, and so, if they are reachable, they might be an attacker’s entry point – they may or may not be software-updateable, so we have recommendations in [our checklist] like, if you’re looking at it from the very beginning, you should set up some policies and rules for employees about what they can bring in and what characteristics it should have.
The danger, and this is the same as the BYOD thing, is that if you’re too restrictive, you end up creating an under-the-table – they used to call it “shadow IT,” you can probably call this “shadow IoT” if you want – you can create that kind of thing where people say “I’m still gonna bring it in, but now it’s really gonna be under the radar,” as opposed to doing it with eyes wide open so you kinda know what you’re getting into.
We recommend setting up a separate network for those devices. Most companies set up a guest network for Wi-Fi, so why not have an IoT-specific network, or why not have them on your guest network also? It depends on the company, and how they want to organize things.