
What security is needed for digital assistant devices?

How should cybersecurity enforcement adapt to safeguard corporate data as digital assistant devices become more pervasive on enterprise networks?

Digital assistant devices, such as Amazon's Alexa or Echo, Apple HomeKit and Google Home, have already become part of connected homes. Now, the new Alexa for Business Platform is set to bring this technology into the heart of the office. The integration of machine learning and voice-activated digital assistants will undoubtedly transform business operations.

In the near future, digital assistants will help with all kinds of mundane work tasks -- from setting up conference calls to replenishing office supplies. While digital assistants are all very convenient, will using them be at the expense of our privacy and security?

The majority of these digital assistants use voice recognition technology as their primary interface, which means they are always listening, even when they are not in use. With hacker activity and state-sponsored surveillance also on the rise, will digital assistants become the proverbial Trojan horse that allows attackers to sneak past our defenses unnoticed?  

According to a recent study on the digital workplace from Dimension Data, 62% of organizations expect virtual assistants to have a place in their companies within the next two years. Early workplace applications for digital assistant devices are focused on making simple administrative tasks more productive and efficient. For example, the machines can synchronize with schedules and to-do lists to provide verbal reminders of assignments or events.

Voice activation allows users to initiate or join conference calls, while the device itself can double as either a speaker or a controller of more sophisticated conference-call equipment. Digital assistants could also be used to find an available meeting room, order stationery items, request IT support or help with on-the-job training.

Boon or bug: Digital assistant security concerns

Ironically, the very strengths of digital assistants as smart communication devices are also their Achilles' heel. To a hacker, a digital assistant is a handy listening device that could be used to eavesdrop on confidential company conversations.  

Businesses already under siege from phishing scams and hoax messages -- like fake CEO emails -- are understandably suspicious of digital assistants. There's a risk, for example, that hackers might hijack these gadgets for clues, making their scams more convincing. Such lingering security concerns cause executives to wonder if digital assistants are simply a new way for outsiders to target sensitive data or penetrate a system's security.

In the current climate of increased business regulation and tougher fines for noncompliance, organizations are nervous about introducing any new device that could lead to a data breach. Protection against cyberattacks is a major hurdle that digital assistants must pass if they are to gain the trust of business owners and widespread acceptance in the workplace.

Privacy of digital assistants

Cybercriminals are not the only concern.

Without proper built-in security, the privacy of digital assistants may be susceptible to voice identification techniques practiced by state surveillance programs, such as the National Security Agency's PRISM in the United States, Broad Oak at the U.K.'s Government Communications Headquarters or the EU's Interpol Speaker Identification Integrated Project. China is also thought to have a similar program capable of positively identifying many hundreds of thousands of Chinese citizens by the sound of their voice alone.

Privacy groups like the Electronic Frontier Foundation and Freedom of the Press Foundation are lobbying for greater restraint of state powers. Yet, there is no indication that this will happen anytime soon. The only alternative is for Amazon and other device manufacturers to collect and store voice data so it remains anonymous.

Mitigating security and privacy concerns

Researchers are working to help these devices surmount the security challenges. Scientists at MIT, for example, are looking into the development of digital assistants that no longer require a web connection to process AI-related tasks, like voice recognition.

Fortunately, digital assistants are just like any other IP-connected device from the internet of things. The manufacturer of the device and the operator of the service in the background need to ensure the device can communicate data only via end-to-end encryption technologies, such as a VPN.

End-to-end encryption protects data in transit, and in storage, by scrambling it to make the content indecipherable. Only the sender and legitimate recipient of the message possess the unique keys to make the information legible. 

Vendors should implement end-to-end encryption and centrally managed VPNs to allow the device to be authenticated, updated and managed remotely from a central point.

A centrally managed VPN allows IT administrators to access, authenticate and maintain digital assistants remotely. It also allows them to monitor the device and alerts them to any attempts at unauthorized interference.

Because all digital assistant devices, as of right now, communicate to a cloud service in the background, the actual data stream is unknown to your enterprise. Separating these devices from your internal network is key. If you can't control them, restrict them. Only allow these devices to talk to their servers -- no other network resources. This will mitigate the risk of a compromised digital assistant attacking your own network.
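The "only their servers" restriction above can be written down as an egress policy and checked against flow records from the device segment. This is an added example, not part of the original article; the device subnet, the vendor range (a documentation placeholder), the DNS/NTP allowances and the `src dst proto port` record format are all assumptions.

```python
import ipaddress

# All addresses below are constructed for this example.
ASSISTANT_VLAN = ipaddress.ip_network("10.50.0.0/24")     # segregated device subnet
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # placeholder vendor cloud range
VENDOR_PORTS = {("tcp", 443)}
INFRA = {("10.50.0.1", "udp", 53), ("10.50.0.1", "udp", 123)}  # assumed DNS/NTP on VLAN gateway
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def classify(src, dst, proto, port):
    """Verdict for one flow under the 'vendor servers only' policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in ASSISTANT_VLAN:
        return "not-assistant"
    if (dst, proto, port) in INFRA:
        return "allow-infra"
    if any(dst_ip in net for net in VENDOR_NETS):
        return "allow-vendor" if (proto, port) in VENDOR_PORTS else "deny-vendor-port"
    if any(dst_ip in net for net in INTERNAL_NETS):
        return "deny-internal"
    return "deny-unknown-external"


def audit(flow_lines):
    """Parse 'src dst proto port' records; return (line, verdict) for each violation."""
    violations = []
    for line in flow_lines:
        try:
            src, dst, proto, port = line.split()
            verdict = classify(src, dst, proto.lower(), int(port))
        except ValueError:          # wrong field count, bad IP or bad port
            verdict = "deny-unparseable"
        if verdict.startswith("deny"):
            violations.append((line, verdict))
    return violations


SAMPLE_FLOWS = [  # constructed flow records
    "10.50.0.21 203.0.113.10 tcp 443",   # assistant to vendor cloud
    "10.50.0.21 10.50.0.1 udp 53",       # DNS lookup
    "10.50.0.21 10.10.4.15 tcp 445",     # assistant reaching a corporate file server
    "10.50.0.22 198.51.100.7 tcp 8443",  # destination outside the vendor range
    "10.50.0.22 203.0.113.10 tcp 23",    # vendor range, unexpected port
    "10.10.4.30 10.10.4.15 tcp 445",     # ordinary LAN traffic, out of scope
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:22} {line}")
```

The same verdict order (infrastructure, vendor, internal, everything else) maps directly onto firewall rules for the segment, with every `deny-*` case becoming a drop-and-log rule.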

In summary, we will soon become accustomed to digital assistant devices making our daily lives easier in the office, helping us to keep appointments on time, schedule calls and restock supplies -- all without ever having to lift a finger. Without appropriate security, however, they could also be the source of an embarrassing data breach.

Vendors should implement end-to-end encryption and centrally managed VPNs to allow the device to be authenticated, updated and managed remotely from a central point, helping companies to shield sensitive information from cybercriminals and state-sponsored surveillance. Enterprises, customers and users should also restrict the network access of these devices to a minimum.
