Even the most advanced technology can't protect you if the people using it aren't taking precautions.
Many of CERN's IoT devices remained unsecured until 2016. This demanded serious changes to their security routines.
A well-secured network – IoT or not – is extremely hard to break into directly. VPNs are a robust technology, and modern encryption algorithms are strong enough that even the most resourceful attackers would need thousands of years to break them by brute force.
So what do you do to break into an impenetrable vault?
Easy – you trick the guard with the keys.
Social engineering is hacking of people
The 2008 incident that has been called "the worst breach of US military computers in history" happened precisely because one employee didn't take the necessary precautions. The Pentagon isn't exactly known as an easy target, but all it took was one employee with access to the network who picked up a curious memory stick in the parking lot and plugged it into a USB port. Unsurprisingly, the stick was loaded with malware, and the consequences were massive.
This is a simple but great example of social engineering – hacking that exploits weaknesses in people, not technology.
[Illustration: How should companies act to reduce their exposure to cyber attacks? Experts talk about the need to employ the three pillars of cyber security: technology, policy, and people. Used with permission from Intuition and the article "People are the easiest hack; The Pentagon learns the hard way".]
Another example is phone calls from people who sound stressed and pressed for time, but who in reality just want to create sympathy so that the person at the other end reveals sensitive information. Phishing – fishing for passwords or other data through fake electronic communication – is a third common strategy.
You might be thinking that all your employees know how to watch out for suspicious email links, but the truth is that 18 percent of people will visit a link from a phishing email. Oftentimes it's because the hackers have gathered information on their target beforehand in order to seem more legitimate – so-called spear phishing. This means that even information you might think is harmless could be used to fool you into revealing more sensitive information later.
Sloppiness – the other great threat
I'm afraid we've got more bad news.
A lot of the time there's no need for devious social engineering techniques to gain access to your network at all. The door might already be wide open.
Sometimes it's because people forget to change the default usernames and passwords. You could have the strongest encryption of all time, but if all an attacker needs to do to bypass it is type in admin/admin, it isn't worth much.
Sloppiness at CERN!
Shockingly enough, this is just what CERN discovered while performing security routines in 2016. A large number of their IoT devices were essentially completely unsecured. Remember – we're talking about some of the smartest people on earth here. Thinking that your business or mine wouldn't be exposed to the same risks would be pretty naïve.
Similarly easy entry points appear when the software is not patched after the device is bought. Security flaws that the developer has already fixed thus stay open until someone decides to install the update.
Finally, a risk to watch out for is a system where it's hard to know who has access to the network. If you don't have a well-managed connectivity solution, you might end up in a situation where, for example, a former employee can still log in. That could spell trouble. Weak authentication also opens the door to man-in-the-middle attacks, where someone invisibly intercepts the communication between sender and receiver, picking up all the data along the way.
Routines are key
We can probably stop listing varieties of human error here. It's a long list, and you're probably getting the point.
The key to avoiding all of these is good routines and good employee training. Make sure everyone with network access knows about these dangers, and that you have implemented processes to avoid them.
If you're still in doubt, an easy solution is outsourcing operations or surveillance to external professionals, who already have the routines and knowledge in place.