Tim Nottoli, Walsh Construction’s chief information officer, has seen Google’s Nest and Amazon’s Ring cameras brought onto the company’s construction sites and has dealt with every type of sensor used properly and improperly on the company’s network. But recently, he uncovered a network vulnerability inside a construction trailer that wasn’t connected to any computer system he’d encountered before.

“We actually had somebody plug in a coffee maker that was broadcasting to the internet,” Nottoli says. “The vendor they were buying it from wanted to be able to let it call home to tell them that they are running low on beans and supplies. I’m not joking, it was a vendor with a coffee maker talking to the internet.” The vendor set up the coffee maker to use Walsh’s guest network to connect online, and hadn’t thought to mention it to anyone in the IT department.

The security of IoT devices and their uneven implementation is a major stumbling block to deploying IoT initiatives for contractors. While contractors are increasingly adopting IoT devices to improve productivity, efficiency and safety, they must balance all of those rollouts with the potential of adding vulnerabilities to their network. Policing unapproved devices added on construction sites, such as Walsh’s coffee maker, takes up IT staff time and energy and keeps them from working on secure implementations.

“With humans you have to interact, you might have to explain something [like phishing],” says Jayson Street, vice president of Information Security at SphereNY, a network security firm that finds vulnerabilities via “white-hat hacking,” done to improve security. “A lot of these devices, though, they’re armed by default, or there’s no security baked into them at all or very easily crackable security.” Read On: