What does it take to keep your clients' information and infrastructure safe today? Part of the answer involves understanding "dumb" cybersecurity threats, meaning those that don't rely on sophisticated hacks to steal data or take control of devices.
In the popular imagination, the malicious hackers who wreak havoc on computer networks and data are unshaven geniuses. They invent brilliant, sophisticated solutions for defeating the mechanisms that are supposed to keep information safe.
Sometimes, that is how hackers break into systems. But if you look at the most recent headline-making cybersecurity attacks, the hackers who carried them out did not have to do anything very brilliant at all. They were "dumb" hackers, whose attacks did not reflect a great deal of technical skill.
Consider the following recent cybersecurity incidents:
- The Oct. 21 attack against Dyn's DNS servers. This attack was facilitated by a botnet of Internet of Things (IoT) devices. Hackers were able to take control of those devices because they were secured with weak default passwords. There was nothing especially sophisticated about the attack from a technical perspective.
- The attack that allowed hackers to access private emails from the Clinton presidential campaign's chair, John Podesta. This amounted to a simple "phishing" attack. Hackers succeeded in leading Podesta to click on a malicious link in an email, which brought him to a website that stole his login information. This attack involved just basic social engineering. You don't have to be a computer genius to write an email with a malicious link.
In other cases, hackers do rely on more sophisticated means of breaking into systems. The infamous Target breach, for example, involved hackers gaining access to the company's internal network, then installing malware on point-of-sale devices. You have to have a fair amount of technical expertise to pull off something like that.
Lessons for MSPs
Still, the recent attacks that involve little technical skill are a reminder that some of the most serious cybersecurity threats are very easy to overlook. For MSPs, that means that protecting clients from very simple risks, like weak passwords, is as important as running sophisticated antivirus scanners or configuring tight firewalls.
This may be a tough lesson for clients. No customers wants to be told that the weakest link in the security chain is the customer himself. But there is only so much that an MSP can do from a technical perspective to mitigate security vulnerabilities. Educating clients to protect them from mistakes they could make to expose their data and devices to attack is an essential part of modern cybersecurity operations.
Send tips and news to [email protected].