What Most Companies Forget When Fighting off Cyberattacks
Never underestimate the ingenuity and effort that burglars will put into their work. If a team of committed criminals knows that there are untold riches lying in a bank vault, they won’t be put off by a six-inch steel door, alarms and surveillance systems – they’ll find a way through somehow.
There’s a lesson here for businesses, even if they don’t hold a hoard of gold and precious gems on their premises. They’re often in possession of something much more valuable – proprietary and customer data. Cybercriminals are just as skilled and determined as their colleagues in the offline world. If they know that there’s valuable data to steal, they will use the most devious and ingenious methods to steal it.
Organizations can spend millions of dollars protecting their networks with best-of-breed security software and systems, but while these can defeat most ‘head-on’ attacks, they also force hackers to be more creative in the way that they probe their targets for digital weaknesses.
This persistent approach has contributed to an unprecedented rise in cybercrime, which cost businesses $388 billion in 2016
. And as businesses wise up to more traditional methods such as brute force attacks, malware and social engineering, criminals are diversifying their tactics.
The next battle in the ongoing war for security will be focused on devices which, thanks to the Internet of Things, are proliferating at an astonishing rate. But there’s one device that sits on almost every (physical) desktop – one that we rarely think of as a security threat: the humble telephone.
We tend not to think of phones as a realistic attack vector for hackers, and that’s largely because we forget that they aren’t the analog devices of our youth. An IP-based phone is a sophisticated computing device in its own right; it has software and network connectivity that can provide an easy way in for hackers who are searching for vulnerability.
Reluctant to consider the phone a viable threat? Consider the research by F5 Networks into the string of cyberattacks that hit organizations in Singapore in June of this year. The analysts found that almost 90 percent of the malicious traffic
was specifically targeted at VoIP phones. By hacking into these phones, the hackers would be able to eavesdrop on any number of sensitive conversations.
Any business that conducts important conversations over the phone needs to protect inbound and outbound calls from hackers who are waiting to steal anything of value – from company information to customer social security and credit card numbers. The solution is surprisingly simple and focuses on removing the key vulnerability that hackers exploit – the connection between a wireless headset and its base station.
These last few inches are easy to neglect, which is why they provide such a tempting target for cybercriminals. If hackers can access this connection, they can listen to every secret or piece of sensitive information relayed over the phone.
That’s why organizations that are serious about security should choose wireless communications hardware that features secure encryption, authentication and secure pairing between device / headset and the base unit. This means that a non-paired unit (such as one deployed by a hacker within a few dozen feet of the office) can’t access the link and eavesdrop on the conversation.
Pairing between base station and device is nothing new, but the latest standard is ‘physical assisted pairing’. This occurs when the headset is docked in the base unit, when a secret link-key is created to connect them. Similarly, authentication has been around for some time, but security standards can vary enormously; that’s why security-conscious organizations should look for advanced headset/base units. authentication based on the most secure 128-bitlevel technology, rather than the old standard of 64-bit.
Of course, security is only as good as the standard of encryption itself. Many DECT wireless headsets feature some form of authentication and encryption, but often of a very limited standard. Basic encryption may put off the casual attacker, but to be fully secure an organization needs the highest standard – ideally, military-grade technology such as AES 256-bit encryption, which gives a line of defense that goes beyond that of DECT Security Level C.
Unlike so many security technologies, secure phones aren’t difficult to find or to deploy. It requires little or no ongoing management – all a business needs is an awareness of the threat and a willingness to upgrade to a secure solution. Of course, secure phones won’t stop hackers testing other parts of your cyber defenses. It will, however, close an open door that’s an invitation to the growing army of clever and determined hackers around the world.