Paul Djuric from Urgent Technology explains the risks of cyber-crime involved for business owners and how to counteract them.
In November, ride-hailing company Uber revealed that a data breach had compromised the personal information of 57 million customers around the globe. It is estimated that 2.7 million users of the popular app in the UK may have been affected.
This story is one of a growing number of high-profile cyber-attacks on businesses and public organisations. Earlier in the year, a group of hackers attacked the NHS with ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid. Ominously named ‘WannaCry’, the ransomware targeted thousands of computers in hospitals and GP surgeries across the country using technology that appeared to have been stolen from the National Security Agency in the US. In this case, a message popped up on computers screens that demanded up to $600 in exchange for access to PCs. As many as 19,500 medical appointments were cancelled and five hospitals had to divert ambulances to different locations, while people were advised to seek medical care only in emergencies.
With the proliferation of new technologies, new threats to cyber-security are emerging. More people have access to sensitive data and more devices are connected to the internet than ever before. In fact, American research firm Gartner has estimated that 8.4 billion “things” will be connected by the end of this year, with one billion of those devices to be deployed in commercial buildings.
This soon-to-be megatrend, known commonly as the “Internet of Things” (IoT), has hugely positive implications for business owners and building managers. IoT is leading an evolution in smart buildings by giving organisations the power to automate facilities management processes including lighting, heating, ventilation and air conditioning, as well as lifts, escalators and security. The connected technology is not only giving organisations unprecedented control of their surroundings, such as the ability to adjust preferences for lighting and heating via mobile apps, but also access to mammoth amounts of building data that can help them make far better informed decisions about their working environments in areas like energy usage and health & safety compliance.
But this new power comes at a price. Cyber criminals now have more opportunities to steal sensitive information and breach critical infrastructure, while richer data sets are prized targets for would-be hackers.
Despite the risks, however, organisations are not doing enough to protect their buildings and processes. The Cyber Security Breaches Survey 2017 found that almost half of all UK businesses experienced at least one cyber-security attack in the past year, but a staggering two-thirds of businesses do not have basic protection. Before the WannaCry breach, 88 health trusts in England failed an on-site cyber-security assessment by NHS Digital. Yet Sir Amayas Morse, the head of the National Audit Office, said the breach represented a “relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice”.
Businesses can take a series of steps to ensure they do not meet the same fate as the NHS. First and foremost, organisations should produce a best practice cyber-security strategy in consultation with every stakeholder involved in the manufacturing, development and deployment of IoT devices and infrastructure.
A formal risk assessment should be commissioned to identify the appropriate security baseline along with the adoption of an information security standard such as ISO 27001. Once this is in place it is crucial that organisations find weaknesses in their cyber-security before attackers do. Carry out both internal and external penetration tests on the network by using “friendly hackers” – these are outside specialists that can attempt to breach your network and identify security holes.
Four years ago, Google’s Wharf 7 office in Sydney, Australia, was hacked via by two security expert researchers who were able to access the building control panel that showed the layout of water pipes on one of the floors. A malicious breach on this occasion could have led to a ransomware attack and significant damage to the building.
It is also crucial that organisations train employees to take better care of their own data and security measures. One area of considerable vulnerability is access by end users to any part of the network. Research has found that 23% of employees use the same password for different applications, and 16% work while connected to public Wi-Fi networks. Employee security training can help to educate employees of the risks and improve their working habits.
We live in an increasingly connected world – this is undeniable – but cyber-crime is one consequence of this brave new world. So it is down to organisations to ensure that they’re not only ahead of the curve when it comes to workplace technologies but also one step ahead of the cyber criminals.