The end of the year is an opportune time for MSPs to do some office “cyber-cleaning” for clients. But what exactly is an “office cyber-cleaning?”
“Cyber-cleaning is the fortification of office space to make them as immune from cyberattacks as possible,” explains Doyle Hendricks, a cybersecurity consultant in Atlanta.
Hendricks shares there are a lot of “weak spots” in offices that people – even cybersecurity experts – forget about.
“Even MSPs that provide security-as-a-service sometimes get so caught up in the latest and greatest that they forget about that clunky printer in the corner that still provides an access point.”
“Do you need that printer?” If the answer is no, get rid of it.
Hendricks says this sort of office evaluation, or “cyber-cleaning”, can be done at any time of the year. Still, the end of the year, when offices are empty, and the workload might be a little slower because of the holidays, is an excellent time to evaluate the office.
“And the arrival of a new year is a great time psychologically to get rid of old electronics,” Hendricks advises. But they must be disposed of properly, or that can cause a great risk.
“But follow proper disposal best practices, don’t just toss it in the dumpster,” he says.
Hendricks finds the following office devices to be the most problematic:
“What I think a lot of people get caught up in is not thinking of a printer sold in 2010 as being `old,’ well, that is ancient in terms of technology.” He adds that many printers of that era don’t receive encrypted data, leaving hackers with a relatively easy attack vector.
“I know budgets are an issue, so if you are an MSP and a client can’t purchase a new printer or doesn’t want to, at least make sure they are aware of the risks and do what you can to secure the older device,” Hendricks adds.
Who uses a fax machine today? Faxes have long been replaced by email. Not so fast. Government agencies, medical entities, attorneys, businesses internationally, and home offices still have fax machines. “Sometimes all a hacker needs is your fax number to wreak havoc in a network. You wouldn’t think these office dinosaurs pose a threat, but they do,” Hendricks shares.
Hendricks also notes that fax machines aren’t considered a priority by hackers, and their old analog lines are tough – but not impossible – to hack. The data isn’t encrypted on these old lines, but if a hacker wants access into an organization and finds an old fax, it can be an entry point. “If the office needs an old-fashioned fax, make sure it is not plugged in at all times unless it has to be and seriously consider upgrading to an integrated email fax with proper protocols,” he says.
Outdated Telephone Systems
Many businesses, especially retail, cling to dated or legacy phone systems. Often, offices stick with outdated VOIP systems as well. Hendricks says that once vendors discontinue updates and patches, and fixes, the cybersecurity risks increase. Pakistani hackers stole over $50 million from several U.S. companies by infiltrating unpatched PBX systems and reprogramming unused phone extensions to make calls to premium phone numbers. That incident was in 2016. “But many offices still have such legacy systems in place.”
Copiers pose a well-known risk, but Hendricks says they often get ignored anyway. “And that is just because the copier is such a part of office culture that they seem harmless, but a copier is one of the weakest cybersecurity links,” he says. He also advises if you must keep the old copier, a good solution is to keep it unplugged most of the time. “A hacker can’t hack a machine that isn’t connected unless they get onto the premises physically.”
Hendricks adds that MSPs should do a general end-of-the-year “sweep” of an office to ensure there aren’t any “old” IoT devices lurking in a corner that could one day prove problematic. “Again, that IoT coffeemaker five years ago doesn’t seem old to most people, but in terms of IoT devices, that is the stone age. Best to update it to something that has more built-in security. Or keep the coffeemaker unplugged.”.
Most offices have at least a few overlooked attack vectors in dated hardware or IoT appliances, and they shouldn’t be ignored. “Get them before they get you,” Hendricks warns.
Photo: nattaphol phromdecha / Shutterstock