The hackers, the fish tank and the casino: How smart devices could be a hidden flaw in your business’s cyber security measures


Dr Matthew Bradbury, Lecturer in Cyber Security - Lancaster University

Have you heard about how cybercriminals found their way into a casino’s computer network via its wifi-enabled fish tank thermometer?

It’s not a joke: you can read more about it in Forbes magazine.

It certainly wasn’t funny for the casino: the hackers stole large amounts of personal data about their clientele, causing financial and reputational damage to the unsuspecting business.

Although this kind of crime isn’t new – this particular incident dates back to 2017 – many business leaders aren’t aware that smart devices, like the fish tank thermometer, can be a weak point in a firm’s cybersecurity defences.

The growth of smart things

Whatever sector you’re in, it seems like just about every bit of kit now comes equipped with a sensor, camera or other functionality that allows it to interact with another device or system by sending or receiving information or data.

You may use some of these at work…

  • Smart thermostats or lighting, HVAC systems or fridges
  • Tracking devices on fleets of delivery cars and vans
  • Smart building features like security cameras, automated door locks or smoke detectors

Sometimes called the Internet of Things (IoT), these are just a few examples of the myriad ways in which these products are making it easier to manage, monitor and maintain premises, equipment and processes.

Where’s the catch?

These tiny computers are designed to be small, lightweight, mobile and run on a minimum of battery power.

However, these design features also make them a potential target for a cyber attack.

Here’s why:

  • Once they’re in use, software on smart devices is rarely updated. This can be because it’s hard to do, or simply because it’s easy to forget!
  • Their small size means they have lower processing power and memory, and therefore fewer inbuilt security features that can help defend against an attack.
  • Some devices have inherent flaws in their firmware from the point of manufacture that criminals can use to their advantage.

An open back door to cyber criminals

This may come as a surprise if you’re used to thinking of desktop computers, laptops, mobiles and the public internet as the likely entry points for online criminals.

This low awareness can mean that IoT devices are left out of even basic cybersecurity measures, like software updates.

The risk of that oversight can be substantial, as the casino discovered, because smart devices are often connected to your business’s wider wifi, network or cloud.

This provides criminals with an open back door to an otherwise strong wider IT infrastructure.

An attack could mean temporarily or permanently losing access to files, suffering website disruption or being the victim of theft.

And, if a business is responsible for the loss of customer data, it could be liable for substantial financial damages and suffer the reputational impact for years to come.

The cyber challenge for SME business leaders

Whether a cybersecurity threat comes via a smart device, a phishing attack or malware, business owners and directors need to be able to lead their organisations to address the cybersecurity challenge.

This can seem daunting for many, especially if you don’t have a technical background.

The first step is to ensure fundamental cyber security hygiene and awareness:

1. Start with the basics

Create strong passwords and don’t share them. Ideally use a password manager. Lock your screen whilst away from your desk and set up two-factor authentication where it's available.

2. Find and minimise your weak spots

Take and maintain an up-to-date inventory of all your IoT devices and subscribe to update notifications from the supplier so it’s easier to ensure you’re using the latest version of the software.

3. Understand the threat

Threat intelligence means being aware of the techniques, tactics and platforms that criminals use. The regular threat reports from the National Cyber Security Centre are a good place to start.

4. Read more…

The government’s Code of Practice for Consumer IoT Security includes practical advice for keeping your devices and your business safe.

Moving beyond the checklist

However, whilst those are important basics, introducing truly strong cyber security means going beyond a checklist and embedding a culture within your organisation that takes the risk and potential impact of a threat seriously.

As a leader, you need to know where your business might be vulnerable, for example via IoT devices, and be able to ask the right questions of suppliers and colleagues to understand the risks and ways to mitigate them.

You then need to empower colleagues at each level in the business to be able to spot and prevent an attack, creating an essential line of defence in protecting your business against a breach.

Fully-funded support for SME owners

This is no small order if you’re an already busy small business owner.

So, to help, Lancaster University Management School (LUMS) and the University’s School of Computing and Communications have joined forces to create the new Cyber Strategy Programme.

The programme has been specially designed to support the owners and directors of small and medium-sized businesses in Lancashire to understand the risk that cybercrime presents and minimise the threat by confidently implementing changes within their systems and teams.

On the fully-funded programme, Lancaster University academics and experts help to demystify the techniques and language of the world of cyber security and shed light on some of the tools that can be used to defend against a threat.

Meanwhile, leadership and culture sessions will equip leaders with strategies to build a culture of cyber-excellence within their organisation, while also building relationships with other like-minded local business owners.

Places are available on the Cyber Strategy Programme, starting 16 November 2022

The Cyber Strategy Programme will run over five months via a mix of in-person and online learning.

A two-day introductory residential session will be followed by monthly one-day workshops and masterclasses with Lancaster University academics and experts. During the five-month programme, delegates will also implement their learning through a company sprint project.

Places are fully-funded by the European Regional Development Fund (ERDF) for Lancashire businesses that employ between five and 250 people.

Find out more and register your interest in joining the programme online at www.lancaster.ac.uk/cyber-strategy-programme
