Andy Syrewicze, Technical Evangelist at Hornetsecurity, shares some cybersecurity horror stories from his experience of working in the industry – and how to avoid history repeating itself.
Cyberattacks are increasing worldwide. Last year saw a 38% rise in global attacks – and 2023 looks set to beat that unfortunate record. But how can you, as a leader, protect your organisation against hackers? To help, I’m going to share three stories about cyberattacks stemming from fairly surprising sources, and how you and your business can make sure you don’t fall into the same traps.
And to start, here’s a question I often pose to the leaders I work with: Where is your business vulnerable to cybercriminals? Your servers? Computers? Wireless access points? These are all valid answers, but have you ever thought about the security of a fish tank?
I once encountered a real case where a fish tank became a potential security risk. To be precise, this fish tank, located in the lobby of a manufacturing business, was equipped with a smart lighting system, effectively turning it into an Internet of Things (IoT) device. In other words, it became yet another potential launchpad for cybercriminals – in this case, threat actors manipulated it to launch targeted ransomware attacks in that office building. This attack is not as unusual as it may sound – one major example using the very same attack type concerns a casino. This is why proper security measures must be in place across all infrastructure.
The risks of IoT devices
Most IoT devices were not originally designed with security in mind. They often lack the computational capacity for built-in security, and due to their relatively low price point, many manufacturers have limited budgets for developing and testing secure firmware during the production process.
Consequently, many of these devices come with default passwords and have short software update periods. It’s not surprising that smart products in homes, from light switches to speakers, reportedly face an estimated 12,000 hacking attempts each week, according to Which?
I’m not suggesting that IoT devices are inherently risky and should be banned from the workplace. However, if you plan to integrate such devices into your office, you must take the necessary precautions to address any potential security vulnerabilities. That begins with segregating these devices onto a separate network.
This is a step the FBI also recommends for home workers. Sharing a network between your sensitive devices and IoT gadgets is a recipe for disaster. Hackers frequently target less secure IoT devices, which can act as a bridge for infiltrating more critical targets, such as your server.
By isolating your IoT devices on an entirely separate network, you create a significant obstacle for hackers attempting to jump networks and gain access to sensitive data.
Taking care of office equipment
But not every business has an IoT fish tank, so let me share an example I learned about from a colleague of mine, this time involving a more common feature of office furniture: a video conferencing system.
In this instance, an organisation had a video conferencing system in place that, unbeknownst to them, was being used by hackers each evening and overnight to call a premium-rate number. This racked up their bill, and the hacker was collecting money via the premium-rate number. The situation was only resolved when one of the directors was staying very late one evening, saw the video conferencing system light up, and realised what was happening.
On the surface, a video conferencing system may seem like an unusual target for hackers, but this story highlights an important lesson: the potential risks associated with overlooked office equipment.
Video conferencing systems, though appearing innocuous, are intricate pieces of technology with numerous vulnerabilities that can be exploited. These platforms often integrate with other software and devices, and this interconnectivity provides hackers with entry points into an organisation’s wider tech infrastructure.
While in this case the hacker was taking money via a premium-rate number, inadequately secured video conferencing systems can also result in eavesdropping on sensitive discussions, unauthorised access to corporate data, or even the introduction of malware into a network.
Industry experts must be cognisant of the multifaceted security concerns inherent in most office equipment. Robust security measures, such as end-to-end encryption, access controls, and regular software updates, are imperative to mitigate risks. It’s crucial that organisations remain vigilant, as even seemingly mundane tools can serve as gateways for malicious actors in our digitally driven world.
Indeed, what both of these stories emphasise is the need for vigilance in the face of evolving cybersecurity threats. Cybercriminals are increasingly creative and relentless, and they exploit any possible vulnerabilities. It’s not just high-tech servers and complex computer systems that are at risk; seemingly innocuous devices can also be potential weak points in your network’s security armour.
Traditional tactics for hackers
But cybercriminals are still following traditional methods too. And that brings to mind my final story, shared by another colleague of mine. It involves a tactic I’m sure many of you will be unfortunately familiar with: phishing.
If you’re not, then you’re very much in the minority. An estimated 3.4 billion phishing emails are sent every day. In this scenario, an independent school’s email was hacked via a phishing email, resulting in fake invoices being sent out to parents that gave different bank account details. As a result, their payments went to a scammer rather than to the school.
This story underscores a crucial message that runs through all the information I’ve provided: the significance of training. It’s imperative to educate your team on recognising phishing emails and understanding the cyber vulnerabilities of IoT devices and office equipment.
Effective cybersecurity goes beyond technology, and as threats evolve, your defences must evolve with them. If you want to avoid a cybersecurity nightmare at your workplace, you must ensure you are training your employees fully on the latest tactics hackers are using, consistently seek to update any software you’re using, and carefully assess what tech you have in your office to see if you are opening any opportunities from which cybercriminals can launch an attack.