We often operate under the assumption that a company's cybersecurity is safe and sound until proven otherwise. A few weeks ago, The Guardian reported that "all Wi-Fi networks" are vulnerable to hacking. An unpleasant truth, and one that means your company's contingency plan should be updated as soon as possible. Here is what you should know and how to protect your company:
In short, Mathy Vanhoef discovered a weakness in WPA2, the security protocol that protects most Wi-Fi connections. The flaw sits in the protocol's four-way handshake itself, not in one vendor's product: by replaying a handshake message, an attacker can trick a device into reinstalling a key it is already using, which resets the counters the encryption depends on. By using these key reinstallation attacks (KRACKs), an attacker can "read information that was previously assumed to be safely encrypted" and "steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos", according to Vanhoef.
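To see why a reinstalled key is so damaging, here is an added example of the underlying cryptographic failure; it is not code from the article or from Vanhoef's work. WPA2's CCMP encrypts each frame with a keystream derived from the session key and a nonce that contains the frame's packet number; reinstalling the key resets that packet number to zero, so the same keystream is used twice. The block uses HMAC-SHA256 in place of the AES block cipher so it runs on a plain Python install, and the session key, MAC address and frame contents are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed session key for the demonstration. In WPA2 this would be the
# temporal key that the four-way handshake installs on the client.
SESSION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, nonce || i).

    HMAC-SHA256 stands in for the AES block cipher that CCMP uses, so the
    example needs nothing beyond the standard library. The property that
    matters is identical in both: same key + same nonce -> same keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ccmp_nonce(packet_number: int) -> bytes:
    """CCMP builds its nonce from a priority byte, the sender address and a
    48-bit packet number that must increase with every frame. Priority and
    address (a constructed MAC) are fixed here for simplicity."""
    sender_addr = bytes.fromhex("02aabbccddee")
    return b"\x00" + sender_addr + packet_number.to_bytes(6, "big")


def encrypt_frame(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, ccmp_nonce(packet_number), len(plaintext)))


def recover_from_reuse(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Attacker's side. Two frames encrypted under the same key and nonce
    share a keystream, so ciphertext XOR known plaintext reveals that
    keystream, which then decrypts the other frame. No key is needed."""
    n = min(len(ct_known), len(pt_known), len(ct_target))
    shared_keystream = xor_bytes(ct_known[:n], pt_known[:n])
    return xor_bytes(ct_target[:n], shared_keystream)


def run_demo() -> dict:
    # Frame 1: something the attacker can predict, e.g. a request the client
    # is known to send on connect (constructed content).
    pt_predictable = b"GET /connectivity-check HTTP/1.1\r\nHost: example.net\r\n"
    # Frame 2: the secret the attacker is after (constructed).
    pt_secret = b"POST /login HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n"

    # Normal operation: the packet number moves on, so the nonces differ.
    ct1 = encrypt_frame(SESSION_KEY, 0, pt_predictable)
    ct2_fresh = encrypt_frame(SESSION_KEY, 1, pt_secret)

    # After a key reinstallation the client resets its packet number to 0
    # and encrypts the next frame with a nonce it has already used.
    ct2_reused = encrypt_frame(SESSION_KEY, 0, pt_secret)

    n = min(len(pt_predictable), len(pt_secret))
    return {
        "fresh_nonce": recover_from_reuse(ct1, pt_predictable, ct2_fresh),
        "reused_nonce": recover_from_reuse(ct1, pt_predictable, ct2_reused),
        "expected": pt_secret[:n],
    }


if __name__ == "__main__":
    result = run_demo()
    print("fresh nonce  ->", result["fresh_nonce"])
    print("reused nonce ->", result["reused_nonce"])
```

With a fresh nonce the recovered bytes are noise; with the reused nonce the attacker reads the login frame as far as the known plaintext reaches, which is why the fix has to stop the counter reset rather than change any key.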
Who will this affect?
Unfortunately, this is not something you can fix yourself: the flaw sits in the protocol, so every Wi-Fi device (laptops, phones, access points, printers, TVs) needs a patch from its vendor, and many devices will be patched late or never. Until then we all have to rely on other measures to protect ourselves from cybercrime. The good news is that KRACKs have definite limits. Firstly, the attacker has to be within radio range of your Wi-Fi network to mount the attack, so this is a local threat rather than something that can be done from anywhere on the internet. Secondly, he cannot read traffic that carries its own layer of encryption, such as HTTPS sites or a VPN, provided that layer is properly enforced; Vanhoef's demonstration showed a poorly configured site being downgraded to plain HTTP, so HTTPS only helps where the site insists on it.
Nonetheless, it is crucial that you assess your company's contingency plan, update your risk analysis and implement measures to reduce the threat. Until every device in the company has been patched, the only protection is to be extra cautious when using a wireless connection. Remember that most people outside the security field have limited knowledge of cybercrime, so make sure you teach your colleagues, managers and employees about internet best practices. Here are our tips:
- Never rely on a single layer for all your security.
This means you should never rely solely on the Wi-Fi encryption or on a site's own encryption. Double up by using a VPN on top of the wireless connection.
- Only visit sites secured with HTTPS when using a device that cannot run a VPN, such as a TV.
- Pay attention to the URL you are visiting. Small changes in the URL (http instead of https, or a domain name that is slightly off) can help you identify fraudulent sites or a connection that has been downgraded.
- Be careful about where you leave your email address. It is linked to a lot of sites holding sensitive information about you, so think twice before registering it on an unsecured site.
- Always keep backups of important information.
- Keep your software updated at all times. For KRACK that means installing the vendor's patches on every Wi-Fi client and access point as soon as they are released.
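The tips about HTTPS only hold when the site actually enforces it, which is the gap Vanhoef's demonstration exploited by downgrading a site to plain HTTP. As an added check that is not part of the article, here is a small Python tool that grades a URL and its response headers the way a browser would: is the connection HTTPS at all, and does the site send a Strict-Transport-Security header strong enough to stop a later downgrade? The sample URLs and headers are constructed; `fetch_headers` is the only part that touches the network and is not used by the offline checks.

```python
import urllib.request
from urllib.parse import urlsplit

# Browser preload lists require at least one year; anything shorter lets
# the HSTS policy lapse between visits.
MIN_HSTS_MAX_AGE = 31_536_000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns None if the header is absent or malformed, otherwise a dict with
    max_age (seconds) and the include_subdomains and preload flags.
    """
    if value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(raw.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


def assess(url, headers):
    """Return a list of findings for a URL and the response headers it
    produced. An empty list means HTTPS is enforced as far as headers can."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("not-https: anyone on the Wi-Fi can read and alter this traffic")
        return findings
    hsts = parse_hsts(lower.get("strict-transport-security"))
    if hsts is None:
        findings.append("no-hsts: the browser can be steered to http:// on a later visit")
        return findings
    if hsts["max_age"] == 0:
        findings.append("hsts-disabled: max-age=0 tells the browser to forget the policy")
    elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"hsts-short: max-age {hsts['max_age']}s is under one year")
    if not hsts["include_subdomains"]:
        findings.append("hsts-no-subdomains: subdomains can still be served over plain http")
    return findings


def fetch_headers(url, timeout=10):
    """Live variant: HEAD the URL and return its headers (network required)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed responses for the offline demonstration.
SAMPLES = {
    "http://bank.example/login": {"Content-Type": "text/html"},
    "https://bank.example/login": {"Content-Type": "text/html"},
    "https://shop.example/": {"Strict-Transport-Security": "max-age=300"},
    "https://mail.example/": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    },
}


def assess_samples():
    return {url: assess(url, hdrs) for url, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for url, findings in assess_samples().items():
        print(url, "->", findings or ["ok"])
```

Run it against your own company's sites: a login page that comes back with `no-hsts` or `hsts-short` is one an attacker on the Wi-Fi could still downgrade, and fixing that is a one-line change on the web server.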
Test your organisation
After implementing cybersecurity best practices, you must both test and rehearse the organisation's security routines. Here are some examples:
- Penetration testing
This will expose gaps in your security and give you a prioritised view of what you should do to protect your business thoroughly against cybercrime.
- The USB test
It should be common knowledge that you never plug an unknown USB stick into your computer. Unfortunately, that is not the case. Place a few USB sticks outside your office and see whether anyone takes the bait; the sticks should carry nothing but a harmless file that lets you count who opened it.
- The email test
It is far easier to trick someone into downloading malware than to break into a computer directly. Set up an email account and send out an email imitating one from your boss. See how many of your colleagues notice that it is fraudulent and how many click the link you put in. Do this with management's approval, and make the landing page a short training message rather than a login form.
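As an added example that is not part of the article, here is the measuring half of the email test in Python: each colleague receives a link carrying a token tied to their address, the tokens are resolved from the web server's access log, and the result is a click rate for the campaign, without the landing page ever collecting a password. The sender, recipients, domain, secret and log lines are all constructed; actually sending the messages is left to your own mail server.

```python
import hashlib
import hmac
import re
from email.message import EmailMessage

# Constructed values for the demonstration. Use a fresh secret per campaign.
TEST_SECRET = b"rotate-me-per-campaign"
LANDING_BASE = "https://training.example.com"
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def make_token(secret: bytes, recipient: str) -> str:
    """Per-recipient token: an HMAC so nobody can guess another colleague's
    link, truncated to keep the URL short."""
    return hmac.new(secret, recipient.lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_message(sender: str, recipient: str, secret: bytes) -> EmailMessage:
    """The lure: plain text, a plausible request from 'the boss', and a link
    to the training page. That page only explains the test; it never asks
    for credentials."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Quick favour: approve this invoice before 5pm"
    msg.set_content(
        "Hi,\n\nI am in meetings all afternoon. Can you approve this today?\n"
        f"{LANDING_BASE}/open?t={make_token(secret, recipient)}\n\nThanks"
    )
    return msg


# Matches the tracking path in a Common Log Format access log line.
CLICK_RE = re.compile(r'"GET /open\?t=([0-9a-f]{16}) HTTP/1\.[01]"')


def clicks_from_log(log_lines, secret: bytes, recipients):
    """Map tokens seen in the access log back to the colleagues who clicked.
    Unknown tokens (scanners, typos) are ignored; repeat clicks count once."""
    owners = {make_token(secret, r): r for r in recipients}
    clicked = set()
    for line in log_lines:
        m = CLICK_RE.search(line)
        if m and m.group(1) in owners:
            clicked.add(owners[m.group(1)])
    return clicked


def report(recipients, clicked):
    sent = len(recipients)
    return {
        "sent": sent,
        "clicked": len(clicked),
        "click_rate": round(len(clicked) / sent, 2) if sent else 0.0,
        "who": sorted(clicked),
    }


def sample_log():
    """Constructed access log: Bob clicked twice, Carol once, plus one stray
    request with a token that belongs to nobody and an unrelated request."""
    def t(recipient):
        return make_token(TEST_SECRET, recipient)

    return [
        f'10.0.0.5 - - [12/Nov/2017:09:01:12 +0100] "GET /open?t={t("bob@example.com")} HTTP/1.1" 200 512',
        f'10.0.0.5 - - [12/Nov/2017:09:01:40 +0100] "GET /open?t={t("bob@example.com")} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [12/Nov/2017:09:15:03 +0100] "GET /open?t={t("carol@example.com")} HTTP/1.1" 200 512',
        '10.0.0.77 - - [12/Nov/2017:09:20:00 +0100] "GET /open?t=0123456789abcdef HTTP/1.1" 404 0',
        '10.0.0.9 - - [12/Nov/2017:09:15:04 +0100] "GET /favicon.ico HTTP/1.1" 404 0',
    ]


def run_test():
    clicked = clicks_from_log(sample_log(), TEST_SECRET, RECIPIENTS)
    return report(RECIPIENTS, clicked)


if __name__ == "__main__":
    print(build_message("boss@example.com", RECIPIENTS[0], TEST_SECRET))
    print(run_test())
```

Keep the per-person results for the trainer only and publish just the rate to the company; the point of the exercise is to bring the number down over repeated rounds, not to single anyone out.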