THE SOOTHING VOICES OF SIRI OR ALEXA make most people feel like they’re dealing with trusted companions. But neither of these disembodied representatives of the Internet of Things (IoT) is always a true friend to managed service providers (MSPs).
That’s because when these virtual assistants open doors to the convenient array of devices and applications in the IoT, they can also lay out the welcome mat for hackers, letting them breeze past all the carefully constructed firewalls, anti-virus updates, and other security measures MSPs put in place to protect their clients.
Consider this case in point: At a medical practice with more than 100 people on staff, a cybercriminal infected the whole network with ransomware, including desktops, servers, and laptops, without using a phishing scam to gain entry. Instead, the hacker broke in through the one device that was set up specifically to protect the medical staff from thieves: the security camera.
The practice had contracted with a security camera vendor, and the camera ran on software that the hacker was able to infiltrate by using a password cracker and logging in as the IT administrator. At that point, the cyberthief had access to everything in the practice’s IT network, making it easy to spread the ransomware and encrypt the whole system.
Fortunately, the medical practice’s MSP was able to restore the network, rebuilding all the servers with backups. The process, however, was time-consuming. It took the better part of a week to restore the data and return the system to full functionality for the staff.
With a breach of this type, an MSP could potentially spend hundreds of hours—often unbillable—to restore a network. That means the service provider could not only lose money while engaging in the restoration process for one client, but also miss out on doing billable work for other clients.
At this particular medical practice, hackers targeted the security camera. But what about all the other vulnerable devices in the healthcare setting? Hospitals and medical practices have diagnostic equipment like ultrasounds, mammograms, and MRI machines that are not part of their normal network security. The healthcare industry isn’t the only one at risk either. IoT devices are being embedded into a variety of businesses—smart alarm systems, wireless music, and thermostats, to name a few. Increasingly, companies are installing Siri or Alexa and other IoT devices on their own—and none of those devices are being managed by the MSP!
To protect their clients—and their own bottom lines—MSPs must educate customers about the security risks of the IoT sector, which is expected to grow to 20.4 billion devices by 2020. Clients need to understand that even though MSPs can protect networks with firewalls and anti-virus software, they remain vulnerable to hackers who slip in through IoT devices sitting outside the network. Essentially, it’s as though companies are securely locking their doors, but leaving their windows open at the same time.