By Tom Paquin
Why is it that people never want to take preventative measures? I’m reminded of Y2K, when we were told that a catastrophic glitch in computer systems would lead to widespread outages, unexpected nuclear missile launches, and all other manner of nightmare. This prompted years of thoughtful preventative action from programmers, who meticulously re-coded systems and prepared our digital infrastructure. On January 1, 2000, when we woke up to an undisturbed world, the simple-minded people of the world wondered why we took it all so seriously. “Nothing even happened,” they would say. Perhaps nothing happened because responsible people acknowledged and addressed the issue before it became a catastrophe.
This simpleminded philosophy of only having the mental capacity to address things as they’re happening is why people put off physician visits, why people don’t invest in health insurance, and why cybersecurity and continuity planning are so often shuffled to the side of the public discourse.
A recent series of high-profile cybersecurity incidents has, it would seem, opened the eyes of some of those simple-minded people, causing them to conclude that yes, this could even happen to them. Our lives are a lot more than simply enhanced by technology in 2021; for many of us, our ability to function is contingent upon technology.
In service, this is overwhelmingly the case. Imagine if you woke up tomorrow and lost access to schedules, customer lists, payroll, scheduling tools, your bank, or your vehicle.
Catastrophic, right? And the reality is that these threats come from different sources. Hopefully none of this is news to you, but let’s talk about some of these sources in plain terms.
Distributed Denial of Service (DDoS)
For quite a while, when a business was “hacked”, it was often actually the victim of a DDoS attack. These things still happen all the time. A distributed denial of service attack essentially weaponizes web traffic in order to cripple a site. A website is like a road, and the more cars you put on the road, the slower it’s going to go. If enough cars all converge on a single road, from different directions, then nobody can go anywhere. And this is what a DDoS attack does: it sends web queries from thousands of IP addresses simultaneously until a service crashes, thus “denying service”.
Imagine that your service firm has online scheduling, and that you’re the target of a DDoS attack. Hackers will initiate thousands of scheduling requests, thus crippling the queue and crashing the site. How are you prepared for this? Are you able to pull requests from the queue? Do you have a CAPTCHA set up to ensure that traffic is actually human? What is your continuity plan for when a webpage goes down? Each business implicitly understands its own service needs and urgency here, and each will establish its own criteria, but this is yet another reminder of the importance of planning ahead.
Phishing would be the other end of the “I was hacked” coin alongside DDoS, and I’m extremely hopeful that I’m not breaking new ground for anyone that’s reading this. We should all know what phishing is, and we should all be cognizant and suspicious of it in our day-to-day lives.
Phishing is when hackers attempt to capture credentialed information by sending out official-seeming emails and creating webpages that look like legitimate email or bank websites, in the hopes that you’ll put in your email address and password before you realize that you’ve made a mistake.
So yes, we should all be on the lookout for phishing in our day-to-day lives, but phishing is also the means by which many businesses install tracking software on computers. More maliciously, if a high-level service professional is the victim of phishing, then suddenly external forces may have access to sensitive information like location, total number of assets, asset performance, or even more maliciously, the ability to remotely interact with assets. We don’t want disconnected HVAC systems or unrestrained capital equipment.
Preventing phishing tends to be, primarily, an awareness campaign for businesses, and while it’s useful to have a training when an employee joins the organization, it’s arguably more important to create mandatory re-training benchmarks for employees. Look, we have all been guilty of skimming an official-looking email and clicking on a link when we’re in the middle of three different things. We just need to be mindful of what we’re doing, and that is where smart training is key.
Ransomware, like the others, is nothing new. Often, it’s initiated by a phishing attempt, or alternatively by remotely accessing someone’s computer (often through a bogus tech support phone call), visiting a malicious website that downloads the software in the background, or via physical media like a USB stick.
Ransomware encrypts everything on a user’s computer (or, ideally for the attacker, their network) and holds the machine for ransom. Typically, the only message on the screen will be directions, or a bitcoin account, and a threat to release public information, or to continue to restrict access to computers. Obviously, even minutes without access to integral systems could spell doom for a digital organization. For that reason, the ransoms are often paid, and the perpetrators, perhaps surprisingly true to their word, typically restore access to the website.
Because it can originate from many places, ransomware is hard to prevent, but in service, it’s doubly important to protect field equipment from meddling. Technicians should have equipment best practices with respect to mobile and rugged devices, ensuring that they’re in their possession at all times, or locked in a vehicle.
Unfortunately, like anything, there’s no 100% safe way to tackle all of this, and one could look at this article and question our digital transformation strategy as moving too fast, or relying too much on automation, but the fact of the matter is that the digital good outweighs the digital bad. Companies looking to succeed in business, therefore, owe it to themselves to have a solid contingency plan in place for cybersecurity. Planning ahead now will position you to avoid catastrophe down the road.