October is Cyber Security Awareness Month – a collaborative effort between government and industry designed to ensure that all businesses have the knowledge and resources they need to stay safe.
Cyber security is becoming a bigger concern for businesses, yet a large majority of businesses still aren't taking it seriously enough. That's why we're getting involved to help spread the word. This article sets out four ways to improve your business's cyber security.
4 ways to improve your business’s cyber security
1) Keep your business technology up-to-date
This is particularly important for Building Management Systems (BMS). These systems usually have central computers (head-ends) that run the software and control strategies governing our buildings. It's vital that these computers receive the latest updates not only from the BMS vendor but also from the operating system provider, such as Microsoft. Microsoft has ended support for once-popular operating systems including Windows XP, Windows 7 and Windows Server 2008 R2, which adds further complexity: a head-end still running one of these receives no security fixes at all. If you're worried this might affect you, Microsoft publishes in-depth guidance on end-of-life dates on its product lifecycle pages. For BMS-specific lifecycle details, contact a BMS Systems Integrator, such as Aimteq or Comfort Controls, or contact the manufacturer directly.
2) Ensure that access is granted only to limited staff
Whether you manage your building technology with your own staff or via external contractors, such as a Facilities Management company or a BMS Systems Integrator, it's important to keep track of who has access to which systems and which data.
If building technology systems sit on your internal network, they can be turned against you as part of a ransomware attack. These attacks are often sophisticated and sustained, and are run by criminal individuals or groups with the aim of extorting money from you. They normally do this in one of two ways: by holding your systems to ransom, or by holding your (or your customers') data to ransom. When it's system-based, they lock you out and only restore access once you've paid the amount demanded. Data ransom works in one of two ways: they threaten to publish your or your customers' data on the web, or they threaten to delete vital data from your business systems.
Even if the data held in your building systems isn't particularly sensitive, an attacker who controls them can make your environment extremely inhospitable for staff and customers. They could push the temperature to unbearable levels, turn off the lights in the evening or disable critical alarms; there are many creative ways to harm a building and its occupants. That isn't necessarily the biggest worry, though. If access isn't controlled and systems aren't kept updated, many web-enabled systems become entry points: a place to gain an initial foothold on the network, from which the attacker moves laterally and escalates privileges across the organisation. It's not just complex systems either; in 2017 a casino was reportedly breached through an internet-connected thermometer in a fish tank. Once on the network, the attackers found the high-roller database of gamblers, pulled it back across the network and out through the thermometer, and uploaded it to the cloud.
It's a scary prospect, so control access as tightly as you can, using role-based permissions so that each person gets only the functions their job across the business actually needs.
3) Encourage the use of strong passwords and implement role-based access
Arghhhh, another password. We've all been there. We've got more passwords than we can shake a stick at. For years the guidance has been to use special characters, capital letters, numbers… and it hasn't always been consistent. Unfortunately, forcing these rules on people makes insecure behaviour more likely: saving passwords in a plain text file on the desktop, in an Excel spreadsheet, or on a sticky note. (If you do need somewhere to keep them, a password manager is the safe version of writing them down.)
Thankfully, this password advice is now changing. Current guidance, such as the UK NCSC's "three random words" advice, favours longer passwords over shorter, more complex ones, because at today's cracking speeds the dominant factor in how hard a password is to guess (its entropy) is its length rather than the mix of character types. Mixing upper and lower case, letters and numbers still helps, but the best advice I've heard recently is to pick three words and join them, aiming for a single password of at least 12 characters, preferably 16 or more. Three words chosen this way are far more manageable and memorable than an overly complex string of letters, symbols and numbers. For example, I could choose the words Mouse, Kettle and Table and introduce capitals and numbers to make m0useKett1etabl3. Bear in mind that swapping 0 for o and 1 for l is a substitution cracking tools try automatically, so it's the length and the randomness of the word choice that do the real work.
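To make the "length beats complexity" point concrete, here is a small added example (not from the original article) that estimates guessing effort two ways: the brute-force bound an attacker faces when they know only the length and character pool, and the lower, more honest figure when they know the password is made of random dictionary words. It also implements the length-first policy described above (reject below 12, flag below 16). The sample passwords are constructed for comparison and are not real credentials.

```python
import math
import string

# Standard character pools a brute-force attacker would enumerate.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def charset_size(password: str) -> int:
    """Size of the pool an attacker must search to brute-force this password:
    every standard pool the password touches, plus one for each character
    outside all of them (a space, an accented letter)."""
    size = sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in password))
    extras = {c for c in password
              if not any(c in chars for chars in POOLS.values())}
    return size + len(extras)


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing effort, in bits, when the attacker knows only
    the length and the character pool: length * log2(pool size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def word_list_bits(num_words: int, dictionary_size: int) -> float:
    """Bits of entropy when the attacker knows the password is num_words words
    picked at random from a dictionary of dictionary_size words. This is the
    honest figure for a 'three random words' password, and it is lower than
    brute_force_bits because the attacker guesses words, not characters."""
    return num_words * math.log2(dictionary_size)


def check_policy(password: str, minimum: int = 12, preferred: int = 16) -> str:
    """Length-first policy from the text: reject below `minimum`, flag anything
    below `preferred`, otherwise accept. No composition rules at all."""
    if len(password) < minimum:
        return "reject"
    if len(password) < preferred:
        return "accept (consider lengthening to %d)" % preferred
    return "accept"


if __name__ == "__main__":
    # Constructed sample passwords for comparison, not real credentials.
    for pw in ["Tr0ub4d&", "m0useKett1etabl3", "mousekettletablecloth"]:
        print(f"{pw:22} len={len(pw):2} pool={charset_size(pw):3} "
              f"bits={brute_force_bits(pw):5.1f}  policy: {check_policy(pw)}")
    # A 7776-word list is the Diceware size; 3 words is well under 50 bits.
    print(f"3 random words from a 7776-word list: {word_list_bits(3, 7776):.1f} bits")
    print(f"4 random words from a 7776-word list: {word_list_bits(4, 7776):.1f} bits")
```

The 8-character "complex" password scores about 52 bits against brute force, while the 21-character all-lowercase one scores about 99 bits: length wins even with a smaller pool. The word-list figure shows the other side of the caveat: if the attacker knows your scheme is three dictionary words, the effort drops to roughly 39 bits, which is why a fourth word, or a less common word list, is worth having.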
Passwords aren't good enough by themselves, though. How you hand out access needs attention too. For example, it's simply too insecure to email usernames and passwords to new users: the message may travel or be stored unencrypted, and it sits in a mailbox long after it was read. Send initial credentials through a separate channel and force a change on first login. Likewise, when staff leave, access must be revoked immediately. In short, if you still have systems where one set of credentials is passed around among staff (for admin access, for example), stop and think about how to secure them properly: one named account per person, so that access can be reviewed, limited to a role, and removed individually.
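The following is an added example, not code from the article or any BMS vendor, showing the access model the last two sections argue for: one named account per person, permissions granted through roles rather than directly, contractor accounts that expire on a set date even if nobody remembers to remove them, and a report that answers "who has access to what". The role and permission names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical roles and permissions for a BMS head-end; the names are
# illustrative, not a vendor's. Each role carries only what that job needs.
ROLE_PERMISSIONS = {
    "viewer": {"bms:read"},
    "operator": {"bms:read", "bms:setpoint"},
    "bms-admin": {"bms:read", "bms:setpoint", "bms:config", "user:manage"},
}


@dataclass
class Account:
    username: str                  # one named person per account, never a shared login
    roles: set = field(default_factory=set)
    active: bool = True
    expires: Optional[str] = None  # ISO date; contractors get one at creation time


class AccessControl:
    def __init__(self):
        self.accounts = {}

    def add(self, username: str, roles, expires: Optional[str] = None) -> None:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.accounts[username] = Account(username, set(roles), True, expires)

    def deactivate(self, username: str) -> None:
        """Leaver process: disable immediately but keep the record for audit."""
        self.accounts[username].active = False

    def is_allowed(self, username: str, permission: str,
                   today: Optional[str] = None) -> bool:
        """Deny by default: unknown, deactivated or expired accounts get
        nothing, regardless of the roles they still hold."""
        today_d = date.fromisoformat(today) if today else date.today()
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return False
        if acct.expires is not None and today_d > date.fromisoformat(acct.expires):
            return False
        return any(permission in ROLE_PERMISSIONS[r] for r in acct.roles)

    def who_can(self, permission: str, today: Optional[str] = None) -> list:
        """Answer 'who has access to what' for a periodic access review."""
        return sorted(u for u in self.accounts
                      if self.is_allowed(u, permission, today))


if __name__ == "__main__":
    ac = AccessControl()
    ac.add("alice", {"bms-admin"})                                   # in-house engineer
    ac.add("bob.fm-contractor", {"operator"}, expires="2024-03-31")  # contractor with end date
    print(ac.who_can("bms:setpoint", today="2024-01-15"))
    print(ac.is_allowed("bob.fm-contractor", "bms:setpoint", today="2024-04-01"))
    ac.deactivate("alice")
    print(ac.who_can("user:manage", today="2024-01-15"))
```

The `today` parameter is there so the expiry rule can be tested without touching the clock; in production you would leave it unset. Run `who_can("user:manage")` as part of a regular review: it lists exactly who can grant access to others, which is the list that most needs to stay short.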
4) Implement multi-factor authentication
Multi-factor Authentication (MFA), of which Two-Factor Authentication (2FA) is the common two-factor case, is an important tool for limiting the damage from phishing and from the credential theft that often precedes a ransomware attack.
Normal single-factor authentication relies on a 'knowledge' element, i.e. you knowing the username and password for a given system. MFA adds a new element, 'possession': it's no longer enough to know something (the password), you need to have something too. This is often a mobile phone running a code-generator app or receiving a code by text message. Of the two, the app (or a dedicated hardware token) is the stronger choice, since text messages can be redirected by SIM-swap fraud.
MFA can go even further if you need it to, adding a 'something you are' element: biometric data such as fingerprints, retina scans or facial recognition.
These added elements are useful because they add something the attacker doesn't have. Where only a password is required, a phishing attack that captures the login credentials gives the attacker access. With multi-factor authentication in place, the attacker usually doesn't have the user's phone, fingerprint, retina or face, making access much more complicated to gain. One caveat: a phishing site that relays the user's one-time code to the real site in real time can still get in, so where it's available prefer a phishing-resistant method such as a FIDO2/WebAuthn security key or passkey, which is bound to the genuine site's address.
Of course, there are ways around these systems, but for an attacker it comes down to whether the effort to defeat all of them is worth the likely payoff. In short, MFA is a great security control to include in your systems, and it's also a great deterrent.