It’s a parent’s nightmare for the 21st century. As The New York Times and others reported, a hacker harassed a child through a Mississippi family’s security camera set up in her bedroom. In Florida, hackers harassed a couple in their own home until they pulled the batteries out of their Ring camera.
Internet of Thing devices – like smart toasters or even toilets – are often found to be easily hacked. But the risk is not just for homeowners and consumers – it’s real for businesses as well. As small and medium-sized business increasingly rely on smart devices in order to do business in the Internet-enabled world, these kinds of vulnerabilities can have serious implications.
In fact, a report from the security company Gemalto found that 48% of companies that use IoT devices in the workplace don’t have mechanisms in place to detect if any of their devices have been compromised. As the number of connected devices grows (the report found that the world is on track to deploy 20 billion IoT devices by 2023) hacking networked devices becomes a serious and immediate threat.
You Are the Threat
The hackers who hijack a cloud-based service are obviously the criminal element, but the real culprit behind these attacks is often the end user. The uncomfortable truth is that the end user is often to blame for not using safe password practices to protect themselves and the services they use. Too often, device owners or users didn’t use strong passwords or a password manager to control and protect access to their networked devices.
The other issue is that once an individual or organization is compromised, poor password practices mean criminals can probably access all your devices and accounts, as most people are prone to reusing the same password combinations over and over. As soon as your email address and password are compromised and put on the Dark Web, it's impossible to recover it or prevent its reuse.
What You Can Do
Businesses are vulnerable to these threats which can do irreparable damage to brand reputation, finances, legal action and employee trust. However, they can be mitigated in a straightforward approach:
Work with your MSP and vCIO to ensure:
- Dark Web monitoring is in place
- Employees are provided regular security awareness training as part of an organizational policy
- Use multi-factor authentication (MFA) on every cloud-based system that can support it
- Upgrade your security software to include Endpoint Detection and Response (EDR)
One practice every organization needs to embrace is MFA, or multi-factor authentication. Most cloud systems have this feature built in, but many organizations fail to use it.
Multi-factor authentication is a feature that requires you to have more than just your username and password to log in to an account. After you enter your username and password it also requires a second piece of information – like a one-time code texted to your phone.
Breaches generally happen when a hacker gets hold of an employee’s credentials and hacks into a device or system. If a company requires MFA, the hacker would enter the stolen username and password and then would be asked for a second form of authentication. This would trigger an alert to be sent to the actual user’s phone or email asking them to authenticate. Since the hacker would not have access to that second piece of information, they would not have be able to log in and the breach could possibly be prevented.
We recommend organizations deploy endpoint detection and response solutions (EDR) and System and Organization Controls (
EDR empowers an IT team to identify malicious activity among normal user behavior. By collecting behavioral data and sending it to a central database for analysis and applying analytic tools, EDR solutions are able to identify patterns and detect anomalies. These can then be submitted for further investigation or remediation. SOC reports can help an organization identify risks and take actions to prevent attacks.
For any business today, the real question is “what’s my risk?” and “how much risk am I willing to take on?” There’s a business decision to make and clients need a vCIO to help them identify the risk and determine the investment needed. Reach out to Elevity today for a free cybersecurity risk review.
