A 2018 study by the Ponemon Institute found that while 52 percent of organizations believe they have at least 1,000 internet of things (IoT) devices in-house, the actual study average weighed in at more than 15,000.

This begs the question: Are people really in the dark as to the number IoT devices in their lives—and does that pose a cyber security risk? The answer, in short, is yes and yes.

“I get the sense that IoT is on the forefront of people's minds, but I don't get the sense that they know the true extent to which there's these devices in their lives. I don't think they fully know all of the things that are operating around them,” said Linda Thayer, a partner at Finnegan.

Still, credit where credit is due—Thayer believes that most people are aware that their cell phones and computers can become infected by malware that can compromise sensitive data. But routine encounters with the other devices that form the backbone of a given workday may not raise the same red flags.

At a law firm, for example, Thayer said the second biggest vulnerability after phones and computers are wireless printers, which utilize encryption but could still be hacked and used to gain entrance to a network. Lawyers traveling on business aren't necessarily any safer in the outside world, either.

“They can get into a [connected] rental car and program in their phone and connect and talk while in a rental car. … You don't know what can be captured,” Thayer said.

This lack of awareness can be a significant security risk. “I think that there's going to be more and more hacks and bad results,” said Mark Radcliffe, a partner at DLA Piper. “And so as a practical matter, I think that what's going to happen is that over time people are going to become more sensitive to this. But I think it's going to take a while.”

Some of the risk the IoT poses can be boiled down to a lack of foresight. People either purchase IoT devices and neglect to update the default password to something more complex than “PASSWORD,” or connect existing machines to the internet without putting any cybersecurity measures in place.

Still, Thayer thinks that most entities, big or small, are moving in the direction of hiring full-time security managers to help mitigate risks. She noted that the practice is already common in the financial industry but is branching out into law firms as well.

The kinds of solutions those managers deploy could also face an upgrade should businesses gradually become more attuned to the risks posed by IoT devices. For Radcliffe, it all comes back to the basics. Management tools that help generate and retain complex passwords are a possibility.

“We may also shift to biometric security, which is going to be a lot more secure. That may happen and that may make it more effective, but right now I think it's a real mess,” Radcliffe said.