Sign up for The Key Point of View, our weekly newsletter of blogs and podcasts!
I was among a select group of analysts recently invited to join a cybersecurity conference held at the US Embassy in London and organized by the HP Wolf Security team. The event included a who’s who of the security world, with two UK Members of Parliament (MPs) involved in various security committees; the head of crime for the National Fraud Intelligence Bureau; the Deputy Director of Cybersecurity at Department for Culture, Media, and Sport; members of the US Embassy; Ian Pratt, HP’s global head of security personal systems; senior figures from HP’s cybersecurity lab in Bristol; and a mysterious gentleman from the National Cyber Security Centre (NCSC).
Dave Prezzano, Managing Director for HP UK and Ireland, kicked off the meeting by highlighting the ever-growing threat of cybersecurity. He also discussed how the relationship between the UK and US has never been more important because a coordinated effort is needed to keep everyone safe in this permanently connected world.
Where Is the Biggest Cybersecurity Threat Coming From?
I can’t be the only one waiting for a headline informing us that a massive cyberattack has been unleased upon us by a hacker hit squad given the current situation in Ukraine. While this would indeed make headline news, we were informed that most cyberattacks are actually carried out by cyber criminals intent on extorting money from unsuspecting members of the public, SMEs, and corporations with corporate espionage, cyberterrorism, and other complex cyber-crimes coming in a very distant second.
The key to success in cybercrime is not hiring a teenage genius in his parents’ basement who can crack the Pentagon’s firewall. It is more a case of having a cryptocurrency account and access to the dark web (where you can find a litany of resources to propel your evil deeds). Suitably equipped with the tools of the trade, it is now a numbers game: finding a way into a target group, using increasingly complex and convincing phishing techniques, and then waiting for that one poor person to click on a malicious link or icon—subsequently opening the doors to ransomware, emptied bank accounts, and identity theft.
Phishing: By Hook or by Crook
Gary Miles, Head of Crime for National Fraud Intelligence Bureau for the City of London Police, described some of the increasingly sophisticated approaches that phishing now takes. Rather than just sending a scripted message from an unknown sender (with the dubious grammar/spelling many of us are now savvy to), the modern phishes now hide inside an existing e-mail string using intelligent linguistics to mirror the language and mannerisms of the sender, making the reader comfortable clicking on the link that their friend/colleague/client has sent them.
Another scary message that came out of the meeting was that small companies that may not think they’re an attractive target for a cybercriminal could be exactly that. The mysterious man from the NCSC advised that “supply chain attacks” are increasingly being seen as the soft underbelly access route into government and blue chips targets.
Is Your MFP a Security Risk?
While email sent directly from your desktop continues to be the preferred option for cyberattacks, multifunctional devices are also at risk as they are commonly connected to corporate email servers. This is to allow us to conveniently send scans of large hard copy documents/contracts directly to clients synchronizing with our own email address. But with this end user benefit comes great responsibility, with MFP vendors acting as a gatekeeper to the crown jewels: the company e-mail list.
Vendors put a huge amount of time and resources into ensuring their devices are not seen as weak spots that can be targeted. Keypoint Intelligence is seeing steady growth in orders from vendors for its penetration testing service, which puts the device family through a grueling five-day ethical hacking onslaught by our cyber security partner. Even with the huge investment in security, every security test commissioned to date has failed the first time around. The reassuring message is that the vendors get a confidential breakdown of the weaknesses our service unveils, fix the issues, and resubmit the devices, where they (typically) pass.
While adding more security to an enterprise multifunction device in the office may be commercially viable (and necessary to pass large tender security requirements), the same cannot be said for those of us who now work from home in any capacity. Our home office is more likely equipped with a simple device from an online retailer than an A3 MFP. Adding the processing power and technology to allow for high level encryption and other protection measures is simply not commercially viable and vendors are confined to including as many security measures as the market price allows. That is not to say that vendors do not try to address this issue—a brochure for a $200 MFP often lists a selection of security measures. The problem is that the typical end user buying for a home office doesn’t have an idea of what makes for a secure product.
I brought up this issue to the security experts and government members, asking if there were plans to make the task of buying a product with adequate security protection easier for the masses. After all, if we want to buy an eco-friendly IT product, we look for Blue Angel, ENERGY STAR, or other well-known eco labels. But when it comes to buying secure IT goods we are left confused by a load of “alphabetti spaghetti” in the specs list and no easy security seals to guide us. Ruth Edwards, MP for Rushcliffe and member of the Home Affairs Select Committee, advised that this was an area that does “need a lot of attention and a raising of public awareness.”
Keypoint Intelligence Opinion
Many of us left the US Embassy—probably one of the safest spaces in London, ironically—more nervous about our security and going online than ever before. While there were a lot of murmurings around the table about moving in the right direction, with more focus and lots of investment, it was scary to hear that there is a lot of work left to be done. It left us feeling like the game of catch-up is being won by the criminals instead of the good guys. But the good news is, we continue to do our best to ensure that devices are made as safe as possible through our security certification program and continue to hope that the powers that be put some thought behind making the process of buying a secure product much easier for the general public equipping their homes.
Log in to the InfoCenter to view research on cybersecurity, or follow these links to explore our blogs and podcasts dedicated to this matter. If you’re not a subscriber, just send us an email at sales@keypointintelligence.com for more info.