Why Hackers Love the Pandemic
Employees are the weakest link in your data’s security. With hackers using smaller companies to break into larger supply-chain partners, a cybersecurity expert recommends simple-to-implement (and often free) safeguards that’ll maintain everyone’s integrity.
Posted: April 17, 2020
BY STEPHANIE JOHNSTON
As I said in a recent Editor’s Forum, it’s hard to make and assemble products remotely. In the rush to send nonproduction employees home to work, businesses quickly learned their private IT networks weren’t big enough. Divisional Information Officer Trever White said one of the first things Toyota did, for example, was migrate its virtual private network (VPN) to Microsoft 365 Business.
Among other cybersecurity measures, Microsoft’s cloud-based IT platform guards against ransomware, phishing emails with suspicious links and collaboration tools; encrypts emails; and monitors data in Excel, PowerPoint, and Word files from mobile as well as desktop devices.
Unfortunately, not all companies can afford to outsource proper “cyber hygiene.” Manufacturers were the primary target of hackers before the coronavirus pandemic, and hacker activity has spiked. Hackers are using social engineering – getting people to do something or share information they shouldn’t by exploiting our natural impulse to want to help and our lack of attention to detail – to penetrate your weakest link: employees.
The MxD digital-manufacturing innovation center in Chicago recently invited cybersecurity expert Brian Haugli (firstname.lastname@example.org) to share common counterattack measures.
Tell Employees to Slow Down
Eighty percent of attacks stem from phishing. Therefore, tell employees to beware of emails that come from someone they don’t normally interact with, whether within your company, at a customer, or at a supplier, and that urge them to bypass standard policies and procedures.
Verify the email is legitimate by calling someone in the sender’s department or another contact at the company. If your employee gets pushback, they should explain they’re confirming the interaction isn’t fraudulent. And remember: An offer that sounds too good to be true IS too good to be true.
This advice applies to videoconferencing invitations as well. Ensure your antivirus system looks for malicious virtual meeting invitations, and tell employees to question invitations not sent by well-known providers such as Zoom, GoToMeeting, or Google Meet. Whenever possible, use the application’s web-based version instead of the downloadable, executable version that resides on your system.
Address Home Network Vulnerabilities
Don’t let employees use their personal cellphone or laptop for business because you don’t know if they’ve implemented the same security measures your business has implemented. If you must allow BYOD (bring your own device), tell them to look for an app – such as Microsoft’s Intune – that effectively separates corporate data and will enable you to remove it if/when the employee leaves the company.
Haugli recommends using a hard-wired internet connection via a Cat5 or Cat6 ethernet cable, but many employees may have only Wi-Fi. That makes their wireless router the most vulnerable point in your company’s IT network.
To ensure secure access to company networks, tell employees to enable Wi-Fi Protected Access (WPA), not the older Wired Equivalent Privacy (WEP). WPA encrypts data to keep neighbors and those with malicious intent from getting into your company’s network via the router.
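One way a help desk could confirm the WPA-versus-WEP setting on a remote employee’s Windows laptop, shown as an added example that is not from the article or from Haugli. It assumes English-language output from the Windows `netsh wlan show interfaces` command; the two sample outputs and their network names are constructed.

```python
import re
import subprocess

# Constructed samples of `netsh wlan show interfaces` output (English Windows).
SAMPLE_WPA = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : HomeNet-Example
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""
SAMPLE_WEP = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : OldRouter-Example
    Authentication         : Open
    Cipher                 : WEP
"""

def parse_fields(text):
    """Return 'key : value' pairs (first occurrence of each key, keys lowercased)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def assess(text):
    """Classify the connected Wi-Fi network as (ssid, verdict, reason)."""
    f = parse_fields(text)
    ssid = f.get("ssid", "<unknown>")
    auth = f.get("authentication", "").upper()
    cipher = f.get("cipher", "").upper()
    if not auth:
        return ssid, "unknown", "no Authentication field (not connected over Wi-Fi?)"
    if "WEP" in auth or "WEP" in cipher:
        return ssid, "fail", "WEP in use; switch the router to WPA"
    if auth.startswith("WPA"):
        return ssid, "ok", f"{f['authentication']} with cipher {f.get('cipher', '?')}"
    return ssid, "fail", f"'{f['authentication']}' is not a WPA mode"

def read_live():
    """Capture the real command output; only works on a Windows machine."""
    return subprocess.run(["netsh", "wlan", "show", "interfaces"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for sample in (SAMPLE_WPA, SAMPLE_WEP):
        print(assess(sample))
```

On an employee’s machine, pass `read_live()` to `assess()` instead of the samples.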
Should You Enable Software Auto-Updating?
Yes – except for production-floor programs like SCADA, etc. They require a structured updating program to avoid crashing. Follow developer or manufacturer guidance for updating HMI or PLC software, etc., very closely.
How Good Is Microsoft’s Antivirus Software?
Use it if you have nothing else (Windows 10’s antivirus protection, by the way, is better than previous versions including Windows Defender). If you can, implement a second solution to use instead or as a redundant system. Haugli recommends a solution that provides response as well as detection.
A Word (or More) About Passwords
If you use Facebook, LinkedIn, Gmail, etc., to access other accounts, that “gateway account” is vulnerable. If it’s compromised, everything linked to it is vulnerable.
Use multifactor authentication (MFA) for passwords (Google Authenticator is free). Or try using pass phrases instead of passwords. Write (yes, on paper with pen or pencil) usernames and passwords in a notebook or use a free service like LastPass to generate and save encrypted passwords.
One Final Word
I’m not an IT professional, so I encourage you to contact Brian Haugli at email@example.com or follow @BrianHaugli on Twitter.