Sean Elliot, the founder of Edinburgh based managed services provider Network ROI, takes a look at the challenges that businesses face today in keeping out the hackers at bay.
Cybercrime promises to be one of the biggest threats to businesses in 2016. In fact, a recent report carried out by the National Security Council classified cybercrime as a ‘tier 1’ threat to national security, alongside terrorism and international conflict.
Hyper-connectivity has brought us closer together, delivering a multitude of commercial benefits including flexible working and productivity on the move. Introducing these incredible new technologies into the working environment also creates opportunities for a more sinister breed of modern entrepreneur, the cybercriminal.
Our task as a Managed Service Provider is to protect businesses from outside threats. We use advanced tools and software to mitigate such risks, but determined hackers will stop at nothing to get what they want.
Here are some of the online security challenges organisations may face in 2016.
The Internet of Things (IoT)
The Internet of Things consists of objects, devices and sensors that capture, store and share data, and are designed to improve quality of life for the user. The IoT is an exciting development that allows us to control parts of our home, work and leisure remotely, saving money and promoting healthier lifestyles.
Manufacturers of the devices and apps that make the IoT work are working to tight schedules in a very competitive and fast-moving market, meaning security isn’t always top of their agenda. These products should be carefully managed to reduce the risk of introducing harmful malware onto the network.
We are hearing a lot about ‘social engineering’ this year already. Put simply, social engineering is a form of manipulation used by criminals to gain access to sensitive data, user credentials and company finances.
Social engineering usually involves a phone call or email that appears to be from a colleague, often the MD seeking login credentials, bank account details or to facilitate the urgent transfer of substantial sums of money to a supplier or customer. Calls and emails will always address the individual on first name terms, and emails will usually be branded, making them difficult to spot.
Another successful tactic making headlines this year is ransomware. This type of threat typically arrives in the form of an infected email attachment (usually a Word document) that, once clicked, will shut down a user’s computer and encrypt program files, rendering the machine useless. A ransom message will then appear on the screen demanding payment in return for a decryption key.
We have seen more smart watches and fitness bands in the work environment in the early part of this year. This trend is set to continue well into the next few years as performance, adoption rates and affordability increase. Introducing more devices into the work environment creates a larger attack surface for online criminals to exploit.
Invest in your people
By far, the biggest cyber security trend we are expecting in 2016 is the role played by staff and colleagues. Human error is responsible for up to 95% of all cases of cybercrime. Invest in staff training to reduce the threat from inside your organisation. Developing HR policies such as on-boarding and off-boarding, and risk frameworks such as ISO 27001 within your business will raise awareness and improve methods of communication internally and externally to manage the risk and beat the hackers.
The Panama Papers Leak
The extraordinary leak of documents from Panama law firm Mossack Fonseca that has shone light on the tax-avoiding efforts by the world’s elite was likely the result of unpatched content management systems (CMSes).
Stories this past month drawn from the 11.5 million documents and 2.6TB of data have seen the prime minister of Iceland resign, sparked calls for the resignation of UK prime minister David Cameron, and caused significant embarrassment to hundreds of others across the world.
The information was assumed to have come from a hacked email server – and that may still be true – but increasingly the evidence points to the fact that hackers found their way into the law firm’s system through unpatched versions of the common WordPress and Drupal CMSes.
Mossack Fonseca has two main websites: its front-facing website, which runs on WordPress; and a customer portal for sharing sensitive information with customers, which runs Drupal.
Both of those sites were running outdated versions of the software and in both cases significant security holes existed that would have allowed hackers access.
The main website’s WordPress installation was three months out of date and security vulnerabilities would have allowed hackers to gain admin access on the web server. The law firm’s mail server was hosted at the same IP address as the WordPress server so in other words, hackers could have found their way into the system through Mossack Fonseca’s website and then accessed its mail server, downloading all the emails.