Managing the security of an enterprise IT infrastructure used to be much simpler in years gone by. With a finite number of potential vulnerabilities, managers could put all of their eggs into just a few baskets and provide adequate cover to their companies. But today, cybercrime is a major and growing threat. The PCI Security Standards Council recently place the annual global cost of cybercrime at £4.6 trillion by 2021. That’s £4.6 trillion of real money that will be siphoned away from businesses by computer crooks.
That number is big and worrying for businesses. But the real concern is the fact that too many IT managers are unaware of where the threats will come from in the future. Here’s a clue: it might not necessarily be from a virus-ridden email downloaded by an employee. The threat could actually be sitting right next to you.
According to the Ponemon Institute, only 53% of IT Managers realise that printers are vulnerable to cybercrime. There’s a lack of awareness within IT departments, before you even consider the other areas of the business, who also have a responsibility to make sure sensitive data stays within the four walls of the company.
Firmer on firmware attacks
In today’s hyper-connected world, I’m a firm believer in the fact that security starts with devices and data on the edge of the network. Printers are just one way in for hackers but in truth, any connected device could compromise the security of the entire network. And in the Internet of Things era, that list of devices is growing. Even the kettle could land a company in hot water if it has an unsecured internet connection. The concern is that if IT managers are unaware of the danger from printers, it’s likely that they will also be in the dark about the newer devices that are being added to corporate networks all the time.
One of the most dangerous threats to protect against is firmware attack. Firmware attacks are difficult to detect but they can allow the attacker to gain broad control, as they can access all hardware resources, and administration and control capabilities. Many such attacks can evade existing device security and can be impossible to remove without a system board replacement.
It’s vital therefore to protect devices during boot up to prevent malware invasions and prioritise speedy recovery in case of attack. An example of this strategy is our self-healing PC and printer BIOS security solution HP Sure Start. This independent chip is not only capable of detecting firmware intrusion in a PC BIOS, but also of repairing it instantly without any action required from the user or the administrator of a device.
To help raise awareness of endpoint device security, we recently launched “The Wolf”, a dramatic short film series starring Christian Slater. The series draws attention to the security risks posed to corporate networks by real vulnerabilities in unprotected printers and PCs. For instance, Slater is shown using a printer to circumnavigate a company’s firewall and gain access to sensitive data the company stores on all of its computers. This particular example is a work of fiction but this happens in the real world where printers are not secure.
READ MORE: Christian Slater plays The Wolf for HP
The extra mile
Security should no longer be about bare minimums and box-ticking. It requires a commitment to innovation in the domain of protecting networks, so it’s no accident that HP is working with a range of partners to bring about change. For instance, initiatives such as CyberInvest have been set up by GCHQ and the Department for Culture, Media and Sport to get more businesses involved in cyber security research. HP is one of the first companies to have signed up, and institutions such as the University of Birmingham are also part of the scheme.
As fresh use cases for the Internet of Things create new vulnerabilities, the smallest chink in the armour is enough for criminals to gain access to the network where they can wreak havoc and cost businesses millions of pounds. IT leaders should be taking a firm stance on security that involves the entire business for vigilance – the responsibility doesn’t start and end in the IT department.
The approach we advocate is one where there’s a collaborative effort to secure a business, because all areas are affected if a cyber threat does occur. Relationships between business, government and academia will secure networks well into the future. We must now create a united front to show that everyone, from the employee to the IT manager to the boardroom and beyond is taking security seriously.