Assessing Cybersecurity Risk

The Business View – May 2017 / Small Business Corner

In working with our clients to improve their security posture, we have come across several common themes limiting a business’s ability to assess and mitigate cybersecurity risk. Previously, we looked at the dangers of devices we didn’t know were there. Let’s go a step further now and talk about configuration issues. You can’t secure it if …

 

You Don’t Know How It’s Configured

Many people know how to make things work, but few people know how to make things work securely. Put simply, it’s more difficult. As a result, off-the-shelf technology often comes with every option enabled.

Printers, for example, can be problematic in several ways. One of our clients brought in a new district manager earlier this year. He wanted a multifunction machine in his office for scanning and printing documents, but he “didn’t want to bother IT,” so he picked up a device and installed it via USB to his own PC.

 

On our next visit, we discovered the wireless connection to this printer. Our client’s network had no wireless, but the printer’s own wireless was turned on and open for anyone to connect to, even from other buildings nearby, thus opening a backdoor through the manager’s PC and into the entire network from there.

Many modern printers have as much processing power and memory as PC desktops did a few years ago, yet most people think of printers as “accessories” rather than actual computers. Security researcher Chris Vickery has found examples of attackers using printers on the Internet to host and serve up malware.

 

From printers to thermostats to light bulbs and more, many ordinary things now have wireless and other “smart” capabilities built in. These devices are innocently installed by small businesses and individuals with little understanding of how they work or of how to properly configure them.

At a minimum, for any new device, take these two steps:

  1. Change the default password.
  2. Disable remote administration.

 

Further, if the wireless capability of the device isn’t actually needed, disable it (or at least secure it). These simple steps will go a long way to securing your devices.

 

This is a six-series column addressing cybersecurity for local businesses by Glenda Snodgrass, president and lead consultant at The Net Effect. Snodgrass can be reached at grs@theneteffect.com.

 
