under CTRL

The work from home guide to cybersecurity

Episode Summary

More of us than ever before are choosing to work remotely. But blurring the line between home and the office also creates privacy risks that can be exploited by cybercriminals. In this episode, we talk to security consultant and private investigator Shannon Miller about how you can keep your home office safe from digital attacks.

Episode Notes

In this episode, Tresorit's Stefan Killer-Haug joins security consultant and private investigator Shannon Miller to discuss the importance of cybersecurity for remote workers and how to keep your data safe while working from home.

The popularity of flexible and hybrid working has exploded in recent years — and if you’re one of the many who has swapped the office for WFH, then it’s never been more important to keep your home network secure. 

Listen in as Shannon discusses her experiences dealing with cybercriminals in domestic settings, the common ways that scammers and hackers identify their targets, and how easy-to-implement steps such as strong encryption can protect your and your family’s data.

We also take a special look at how outside attackers can use the Internet of Things (IoT) — including internet-enabled TVs, gaming consoles, and even smart toasters and refrigerators — to find vulnerabilities in your computer systems.

Episode Transcription

[00:00:00.410] - Stefan Killer-Haug

So hello everybody. This is Stefan. I'm your host of today's webinar here from the Tresorit headquarters. We're going to talk about cybercriminals today, and we have our lovely guest, Shannon Miller. Just one single housekeeping note for the audience out there: we will have a Q and A session right after the conversation with Shannon, and feel free to ask. During our talk we will have some scenarios outlining where the vulnerabilities in hybrid networks, hybrid work networks for example, are, and I'm sure you will have some.

[00:00:41.570] - Shannon Miller

I'm Shannon Miller. I'm a security consultant, and "OSINT and private investigator" is kind of a mouthful, so I just usually lump it under security consultant. I run a boutique firm that does OSINT investigations specializing in harassment and stalking cases, mostly online safety, digital privacy, things like that. So that's kind of my area of expertise. And we're also talking today about the move during the pandemic towards the hybrid work environment, some things that I deal with every day, because a lot of the people that talk to me are the ones dealing with somebody in their systems, in their home networks, and in their companies. So that's kind of my background and what I do. And I'm sure people have curiosity about the private investigator piece, but we're not really addressing that. We're going to be talking about Internet of Things (IoT) smart devices. We have all these smart devices on the same home network that we may have our work devices or our personal devices and our kids' tablets on. So we're talking about this idea that we've brought our work into our home environment, where we all have a smart toaster or a smart fridge or a smart laundry machine.

[00:01:46.790] - Shannon Miller

And who needs a machine that can access the Internet? I understand the idea that you could update it, but nobody really wants to send text messages via their smart toaster. Not that I know that that's a capability, but these are devices that are open to the Internet. They're open to your home networks. And a lot of people don't think of these smart devices as a vulnerability in the home space. Sometimes we think about when a company asks us to bring our own device to work. So we now have a device, a personal mobile phone, for example, or a personal laptop, being used as a business device as well. And sometimes those two networks cross. So you have things from your workplace that end up on your home network and vice versa. So we're looking to kind of minimize the risk. Especially companies, if they don't already have a hybrid or remote work policy, especially about devices and device usage, they should. We want to talk about numbers. People like statistics. So some of the things that I know people are concerned about is phishing on the home network. So just let me give you a couple of numbers.

[00:02:44.130] - Shannon Miller

These are global numbers, so global statistics. Nearly a billion emails were exposed in a single year. So in 2020 alone, one in five Internet users were affected by some sort of email phishing campaign. So I know we're talking about a world of 7 billion, 8 billion people now, but that's still a huge number getting phishing emails, phishing texts, things that will affect their daily life. I'll get into the phishing texts in a minute. But also, data breaches cost businesses on average $4.35 million. That's US dollars. But each data breach, each point of connection, each thing that affects our company and our personal devices affects you. The other thing I wanted to mention was that 82% of breaches against businesses involve a human element. So when we talk about securing our network, securing our home devices, hybrid workplace, we want to think about all of the risks and all of the things that we maybe don't think about on a daily basis. We're trying to layer in security from the beginning of a product, the beginning of a timeline, the beginning of a workplace. You want security layered into all of that, because when we address it later, when we're reactive to something instead of proactive for it, we won't think of all of the things ahead of time.

[00:03:57.630] - Shannon Miller

We're not thinking ahead, we're thinking backwards. And we're like, oh, we should have had these things in place. We should have used encryption, we should have had segmented home networks, we should have taught our employees these things. So if we're thinking with security layered in instead of after the fact, if we fund it from the beginning, then we're going to have a lot better and more cohesive security policies that we can actually follow, that people actually understand, that the end user can then interpret better. So a company will give you a policy after the fact and you're like, well, I have to sit through this silly cybersecurity training and I don't know why. We'll give them a reason, help them understand why their risk, the risk to the company, the risk to their own devices on their home network, means that things can happen.

[00:04:40.190] - Stefan Killer-Haug

I think this number is quite interesting. It's a number by the Federal Office for Information Security of the German government. The guys there had a company investigating how many vulnerabilities they can actually find within these devices. And we're talking about devices like, of course, notebooks, like routers, like the smartphone, but also smart refrigerators or surveillance cameras. And it was 7,339 vulnerabilities in only six devices, which is probably the average every person these days has. So what are you thinking about this, Shannon? Did you have any imagination around this? It's 7,339 in six devices.

[00:05:34.050] - Shannon Miller

I mentioned briefly smart toasters and, like, smart washing machines. But when we think about endpoints, it's not just our... we're carrying around a computer in our hands. We call them mobile phones, but it's a computer and it has these vulnerabilities. All the apps that we download, everything that we use that is connected to the Internet could be a point of vulnerability. And while that could be a scary statistic, it can also be a solvable one, provided that we layer our security and provided that we use the proper tools to fix the vulnerabilities, whether we patch our devices or run security software or do encryption the best that we can on all the devices, if it's available. So for endpoint devices, some of the things that we don't think about, again, IoT or our routers, our modems, those are the first points where the security breaks down in our home networks.

[00:06:25.620] - Stefan Killer-Haug

So we are actually talking about the work environment. But on the other hand, this is kind of a mixture, right? We're talking now about smart housekeeping devices, so to speak, and the network in general, and professional devices and private devices. So actually every device that is connected to a network can be the friend of the hacker, so to speak. I think we should dive right into this, having this basic data outlined, and go to the first scenario. What do you think?

[00:07:01.780] - Shannon Miller

Yeah, that works great.

[00:07:03.910] - Stefan Killer-Haug

So the first scenario we want to talk about is actually a quite basic concept: text messaging. We're talking about phishing there and, to be precise, this is about smartphones. So what can you tell us about everyday situations people come up with when it comes to phishing with text messages?

[00:07:32.850] - Shannon Miller

Yeah, so I briefly mentioned this while we were soloing it in the beginning, but phishing, smishing, schmishing, there are all kinds of names, but specifically SMS messaging or text messaging. A lot of the time you might get some rather sophisticated-looking text message that is from a global delivery partner, like a delivery service such as DHL or UPS, and it gives you a tracking number. And we all order from Amazon. We all expect our packages and track them and press our noses against the window looking for them to come on time. And so when you're getting one of those text messages, they look good. They look, oh, here's your tracking number, your package is late. So we may, in just getting the text message, click on the link thinking that it's from Amazon or from the delivery partner. And we go to a fake website, which looks real; they're getting better. And we put in our information to track our package, and it turns out we've just given all of the tracking information and our name and address to someone else, to a cyber attacker, to a criminal. So it becomes a scam, and then maybe they'll send you more text messages and you respond to them and they get more information about you.

[00:08:41.240] - Shannon Miller

So that's one way that we're seeing it, like package tracking. Or sometimes they'll have a brief introduction: hi, you don't know me, but I'm so-and-so, we met at this event. So a scammer may try to actually lure you in with pretexting and say, oh, hi, you don't know me, but we met at this conference. That's a very common way to get into a text message conversation with somebody that you've never met.

[00:09:05.710] - Stefan Killer-Haug

Yeah. And what's more, they look quite sophisticated these days. So the last time I saw such a tracking code email and text message beforehand, I was quite shocked because of the brand identity, so to speak, of the provider. It was like identical to what you usually get there, and yeah, who can be blamed? You should be aware; we've all done it. Yeah. And on the other hand, you also have text messages, really text messages, for example on a maybe hybrid phone, so to speak. These days people sometimes don't have two smartphones for work and private life, but they combine it with a dual SIM, for example, or anything. And you have to be quite aware when there's a son showing up that you don't really have, for example. That's the good case probably, because there are people claiming to be relatives to others and they are asking for information, or they're giving information, asking you to reach out again. And actually, a friend of mine, it happened to him and he was like, thank God I don't have a son. Because it was also quite sophisticated in terms of writing. It's not only the appearance but also the writing these days.

[00:10:29.260] - Stefan Killer-Haug

So keep your eyes open for actually everything. Be suspicious of text messages you expect or don't expect, and keep your work phones as encrypted and safe as you can. Due to our little flaw, we lost some time. So I'd say we just move on to the second scenario, which is about pretexting and tailgating, because sometimes it's not only cyberspace, but also the real spaces in your work life or in your hybrid work life. So what can you tell us about pretexting and tailgating?

[00:11:12.950] - Shannon Miller

So I briefly mentioned this, but what that is, is kind of setting up a scenario where you seem to know the person or you seem to belong in the location where you are. So for tailgating, an example of that would be, let's say somebody follows you into your work building. You're going into the office for the day, and the person says to you that they don't have a badge and they need to go in; they're a guest, or they work there on the 14th floor and they just forgot their badge, and they're going to pick up a guest badge at the front desk. And so you don't think anything of letting that person into the building, because they're wearing business casual or whatever the dress code is. They look appropriate to the situation. Maybe you've never met them, because you see people all the time in your office building you've never met, so it makes perfect sense that they're there. That is an example of tailgating in the work environment. In your personal life, let's say you're working from home, or you're a hybrid employee, which most of us are now. So you're in your apartment building or your flat, and you're going into your lobby, and you go to get your mail, and somebody follows in behind you, and they're going to get their mail.

[00:12:13.460] - Shannon Miller

It makes perfect sense. That person could live there. You don't know everybody in your building, and they've now followed you into your building, and they're getting the lay of the land there. They can look at last names on mailboxes. They can go to an apartment. They could find somebody that they're after in that building. You don't know. So you've basically allowed somebody to violate the security of either your business or your home without knowing it. And we don't think anything of it, because the person isn't acting weird. They're not being strange. They just act like they belong. And that's one of the ways that people can tailgate or find a pretext to be in that location. They look like they belong there.

[00:12:49.750] - Stefan Killer-Haug

Actually, this is what Mommy always said, like stranger danger, or however you call it. You can also apply it, actually, to your hybrid work environment. Or these days, when you're in cyberspace and working from home and working in the office, this is probably a thing we should all keep in mind: that it's not only about cyberspace, but also the physical, your physical life, your real life. And sometimes it mixes up. And, yeah, it's weird situations we're talking about there, actually.

[00:13:25.650] - Shannon Miller

Tech is everywhere. Tech is in every aspect of our lives now. We have got this society now that focuses on move fast and break things, and we don't think about the security before we put all these tech things into places that are usually sacred to us. Like you mentioned, security cameras in the home. I'm sure we'll talk about that, but that's another avenue of vulnerability that we don't consider.

[00:13:47.610] - Stefan Killer-Haug

Yeah, we will get there. And it's perfectly right, what you're saying. Tech is everywhere. Connection is everywhere. So with connectivity, actually, cyber threats arise. The more connected we are, the more insecure we can be. And I really want to stress this: we can be, as there are measures, we will get there too, that are quite effective in each and every environment to not become low-hanging fruit for hackers. So maybe we should get on with the scenarios and talk a bit more in detail about this when we have our home network outlined, so to speak, and then get to the point where we talk measures against these hackers. So let's move on to scenario three. And this is my favorite one, actually. This is such a weird situation. When I first read about this, it wasn't about being there. It wasn't about actually being there and being connected to be able to hack a car, a connected car. But this was about some drones, actually, right? If I got it right, Shannon, please... No, you did.

[00:15:02.880] - Shannon Miller

You absolutely did. So this is regarding Tesla. Tesla has been in the framework of our lives for a few years now: self-driving cars, automated driving, things like that. So they're kind of at the leading edge of the electric car movement. And one of the vulnerabilities that some very smart hackers discovered was a vulnerability in the car lock feature. So they were able to hack into the vehicle, access the vehicle remotely, by using a drone and a WiFi dongle hanging from the drone. So they had the drone above the vehicle, above the Tesla, and they were able to unlock the car, and then they were able to gain remote access to the vehicle. So once they discovered, once they could unlock the car, they could also unlock some of the features of the car. And so they reported these vulnerabilities to Tesla, which then patched them. But the idea that somebody could hack your vehicle remotely and never physically be in your garage or in your driveway or near your home: all they need is a drone that has range and a WiFi dongle, and they can hack your WiFi network, hack your car and take remote control of your fuel supply, of your steering wheel.

[00:16:15.680] - Shannon Miller

We've seen that happen. They could shut your vehicle off. So these are some of the things, like, as a result of that one thing, that other car hackers are thinking about: how can we remotely access this vehicle? I mean, I'm just thinking of the horror scenario of driving down the highway and my car shuts off. So that's not something I think anyone wants to think about. But now we have to, because cars are also computers, too.

[00:16:38.510] - Stefan Killer-Haug

And now we are talking real cases, right, Shannon? This is not just some imagination or some scenario that could be, I don't know, in 2050, because cyber threats are getting more sophisticated. We're talking about cases right now. Yes, this is actually going to happen if we don't step up our cybersecurity game.

[00:17:03.370] - Shannon Miller

Correct.

[00:17:05.130] - Stefan Killer-Haug

That's really a spooky world right now, if you ask me.

[00:17:10.480] - Shannon Miller

It is a little terrifying. Yes.

[00:17:12.810] - Stefan Killer-Haug

And I think it's so spooky because we are so connected also with our private life. So once we're talking connected cars and infotainment systems, for example, we are also talking about leaving credentials actually everywhere. And also in your car, maybe it's a company car even. I'm sure there are some people out there not even caring about what could happen in a car, because you're mobile, right? It's something for mobility, and you wouldn't necessarily connect it to your home network, or in terms of your way of thinking, maybe. But what you should keep in mind is that it's connected to your cell phone, for example. And then it could be connected to your Spotify, to your Netflix, you name it, your bank account. You could also probably shop from these devices you use for your mobile life, so to speak. And therefore we should always keep track of how encrypted information flows really are, how you can enable maybe multiple factor authentication there. We're talking about some measures that are already, I think, industry standard, but not for all applications and not for all systems, and therefore I think security design is what we should keep in mind with each and every IoT device and connected device we are about to buy, so to speak, or about to use, also in a work environment.

[00:18:43.990] - Stefan Killer-Haug

So now we have the connected car. Let's see what we have next. That's also one of my favorites: hacker's little helper. So we've talked about mobile devices, but we haven't talked about the hacker's little army, so to speak. So once we are connected to one network with several devices, there is the possibility for hackers to have their infiltrated army in your home, right?

[00:19:16.690] - Shannon Miller

Yes, I think I mentioned this towards the beginning, but we were talking about Internet of Things devices, IoT, smart devices, smart watches, smartphones, smart toasters. It could even be something as simple as your router and modem that we haven't secured properly, because that's the base layer of our security: ensuring that we have good encryption on our home network to begin with, and if we have segmented networks, making sure that we have the same level of security on each. But most of the time we connect our vulnerable IoT devices to a perhaps vulnerable network because we left default credentials and passwords. So some people, maybe many end users, don't change the password on their actual router or modem. And that's one point of weakness, and it's an easy one that a botnet, for example, like the Mirai botnet, could scan your IP address, because your modem and your router are connected to the internet. It scans your IP address looking for a weak point. So if your default credentials are there, it's an easy win for them. Once they have access to your router or modem, or once they have access to your toaster, they can then turn that device into a bot and then infect other devices on your network with the botnet.

[00:20:27.790] - Shannon Miller

And then what that means is you now have a botnet army, which, for people who are not super techie, or if you are super techie, you know that that can then spread malware through all those devices and globally connect to other botnet devices.

[00:20:42.510] - Stefan Killer-Haug

And what's more, if you're thinking about, of course, refrigerators, toasters, all smart devices, it's usually not... it's behavioral data, actually, or machine data, and not like these super sensitive personal data. But anyhow, it could also work for each and every monitor, each and every display, to be part of this IoT botnet. And when I'm thinking about, again, security cameras, for example, these cameras would spy on you and maybe also on some personal data, like the next insurance contract or something just lying on the table. It's just one zoom then and it's all there. You have the data, you have the behavioral data, you have the sensitive data, maybe you have the health data. So actually then we're talking about something like even identity theft, right? Yes, this is what you've just mentioned. It's first and foremost probably about the router. We keep probably talking everywhere... we're talking about mobile devices, actually. This is a stationary device in the usual use cases, so to speak, and therefore we tend to abandon it once it's set. But we have to keep in mind that, data breaches... it's a little computer, actually, and data breaches can come with every computer.

[00:22:14.890] - Stefan Killer-Haug

So can you give the audience some advice on how to secure, how to make it safer, also when it comes to... or how to make it a habit to have each and every device secured? Because I think it's not only about using different passwords and updating passwords. This is about more, right?

[00:22:40.450] - Shannon Miller

It is. But passwords are a good place to start, because even as people who work in security, and even as people who try to be safer, we sometimes do a one-and-done, or we reuse similar passwords on other devices. So I will address password hygiene: having unique, strong passwords for every device. So maybe use a password manager. And also, if you have encryption available on all of your devices, use it. Now, a lot of IoT devices don't have that. But you can have encrypted email, you can have encrypted documents, because you may be signing documents on your phone, for example. So if you have encryption available for your mobile phone, use encryption. If you have encrypted messaging, use encrypted messaging. If you have encrypted notes, use encrypted notes. Now, not everything is going to be solved by encryption, but it definitely makes it... and there are different types of encryption. I'm not going to get into that stuff, but the better and more secure you are from the beginning, when you're thinking about the things and the devices and the apps that you're using, and using caution with what you put out there, that helps a great deal, because you're not going to be low-hanging fruit.

[00:23:43.980] - Shannon Miller

Everything that you do to secure your device a little bit better means that you're less of a target for somebody who's looking for an easy win. And that's usually what scammers and hackers are after: something easy. Sometimes they want challenges, but by and large they're money driven, blackmail driven, credential driven. So double check your privacy and safety settings. Make sure you have good security software, if you have it available, whatever you're using: Bitdefender, Windows Defender, and if you're on Linux machines, use what's available. Consider using a VPN, if that's available to use. I know for some work purposes, businesses require VPN use to log in. You want multifactor authentication as well. That's another step you can take. If it's available, please use it. It will make it harder. It's not a perfect system. Nothing about this is perfect. Nothing about security is perfect. And if we can make it easier, that would be great, because money loves speed. We'd rather have money than security. And we make trade-offs for that. And one of those trade-offs is potential identity theft, possible credential stealing, loss of device use, things like that. So I think I mentioned security software, encryption, double checking, VPN, and then your privacy and security settings.

[00:24:58.760] - Shannon Miller

Sometimes companies will update their privacy and security settings, their security protocols; make sure you know what your company's policies are, as well as checking to make sure that your own personal social media accounts, those of your children and your family, those are also points of vulnerability. So if you feel like you need to set them to private, or to take better care of your social media by using multifactor authentication to secure your accounts, that's another way you can be a little bit safer. And then the last thing I'll mention is checking to see which of your accounts has been involved in a data breach. Because often the first point of contact a hacker will have with you is your email address. So if you use your Google address, email address, for example, for a lot of your logins, for your cable or your WiFi bill or your phone, if they have control of your email account, they will have access to everything else about you. So those are the things that I would consider, at least as a starting point. But easy wins. We like those.

[00:25:58.580] - Stefan Killer-Haug

Oh, yeah, thanks for sharing. And we will have several other ones to be shared later on, because actually this was one of the housekeeping notes at the beginning, but we're good on time, I think, at the moment. So let's have a little housekeeping edition there. We will have the materials and of course the recording of the session shared with the audience and everybody who couldn't make it or left because of my little attendance problem at the beginning. And we will also have, let's make it a top ten of tasks to perform right away. We will share this with the audience too, to get you going to secure your hybrid workspaces. But that's just for some more housekeeping notes. And before we move on to the Q and A session, there are some questions in the thread here I can see, and we will get to them in a bit. But what I'd like to talk about is the interference, so to speak, when it comes to your professional and your private life, and identity theft. So how could a scenario, so the worst case scenario, for example, look? So there's a hacker getting in. It's about the credentials of the router.

[00:27:25.380] - Stefan Killer-Haug

The router controls everything else. So each and every device is also affected. Now, what is then happening in a regular Shannon Miller case? Is it really about all your private life, all your professional life, or how can we imagine such a case?

[00:27:50.070] - Shannon Miller

It's about mitigating once it's happened, and it's not a matter of if it will happen, it's a matter of when. So understanding how to layer your security, understanding where you're vulnerable, double checking, even if it's just once a year, where you go through your accounts and ensure that you have multifactor authentication, you double check your passwords. I know not everyone's going to change their passwords every 90 days. I understand that. What we're talking about is, what can we do that's an easy win? What can we do that will make it simpler for our kids to be safer, if you're working from home and you have children, and making our workplace safer? This is not about perfect, like, perfect scenarios; it's not about perfection on anything. It's about making it easier and more accessible. And I think we kind of tend to silo information about security and we tend to make it more complicated and use big words. But if you go back to the basics of the things that we've learned and we've discussed in this, all of those things can help keep you safer and help limit or prevent full identity theft. Now, if it does happen to you, every country handles it a little bit differently.

[00:28:56.720] - Shannon Miller

I know a lot of people here will get credit freezes and credit monitoring, and when I say here, I mean the United States. But in Europe, you have much stronger data protection and privacy laws. So when something happens and you get a data breach, the company gets sued. Here, the victims aren't really helped by anyone. They're expected to do it on their own. So that can be very confusing and it can be very scary. So mitigation is really the best way. It's not perfect, but we're doing what we can.

[00:29:26.710] - Stefan Killer-Haug

So thanks for sharing. Mitigation is also a thing organizations could keep an eye on, is what I anticipate. Now also, probably for each and every company in the US, as it's about workers being left on their own, it seems like this is the case when you're talking about this. This is probably not just in your cases, but all the cases you're dealing with, but also everywhere else probably. So this is, I think, about what we do. I think these days most European countries have GDPR compliance. So I'm a trained data protection officer myself, and from what I know from the tech side of life, so to speak, if you are insecure by design, so to speak, this is really a long journey to go. You have to be aware of what your colleagues are using, actually. First have an overview, and then you have to make it secure, like at each and every touch point, so to speak. But this is something that we share probably with each and everybody around the world. It is also about awareness. So you should make people aware before you tell them what to do and what not to use, because they are used to having comfort, usability and you name it.

[00:30:56.690] - Stefan Killer-Haug

Right from the beginning it was about... we had this, what was the claim? Be fast and break things. Yeah, that was the way to go.

[00:31:04.130] - Shannon Miller

Obviously, that's the Silicon Valley way: every product, every device, every social media network.

[00:31:11.430] - Stefan Killer-Haug

And because of this, I think it's difficult to have it another way these days, actually. You need it. You see the number, you see the breach numbers, you see the fees when it comes to GDPR compliance, for example. But still people are using what breaks things, still, actually. And it's not that easy, I think, to identify the services and the products out there, the digital products and services out there, that are secure by design, that are end-to-end encrypted by design. Or there's encryption that has flaws or maybe some backdoors, maybe, and this is also what we're talking about in politics these days. It's about backdoors for end-to-end encryption, and from a Tresorit point of view, as we're an end-to-end encrypted cloud services provider, of course this is something we cannot do. So this is about zero knowledge. You can be sure about your data being secure once we don't know what you are sharing. Actually, and this is what I wanted to get to, actually, once there's no data to be shared, or once you're hacked and this data is encrypted, it's like you're getting salad. You're getting, like, worthless data you cannot use.

[00:32:37.380] - Stefan Killer-Haug

And this is why, since I've been working at Tresorit, the more aware I am, despite the fact that I worked as a data protection officer before, it's about really end-to-end encrypting your sensitive data at least. So be aware also in a hybrid workspace. And this is what I'm trying to say, and this message is, I think, the most important one for the audience too. Every time you think there could be some data involved that is sensitive, and we're talking about also critical business information like NDAs, for example. Once you're sharing your NDA and you should sign it and whatever, and you're using email, make sure to encrypt it. Make sure that also attachments are encrypted, because encryption for email is not encryption for email every time, because it's not about only the content of the email, but also the attachments. And therefore I think we're on the same page there. Use VPNs, use encryption, heavy encryption, and have updates in place. This is also, I learned it even from the healthcare sector. So I don't know if it's the same in the US. But even in Europe there are hospitals not updating their IoMT devices, so their Internet of Medical Things devices, and therefore there's hacks, there's hacks going on in hospitals and it puts lives at risk.

 

[00:34:07.710] - Stefan Killer-Haug

It's insane how many touch points you can have there too. But I don't know, have you been in touch with some medic cases also when it comes to data breaches in the US?

 

[00:34:21.360] - Shannon Miller

Well, I used to work in research and analysis specializing in IT healthcare, specifically electronic data records. So I'm intimately familiar with the risk of health data being breached and or vulnerable. So when you're talking about electronic data records or health records, you're also talking about pacemakers. These devices can also be WiFi connected. There was an incident in one of the major hospitals here. I can't disclose which one, but the device was actually in the patient's chest cavity and somebody hacked the device, so they had to replace the pacemaker because they shut it off. So that's a very small example of what can happen to you if you rely on that to live. Then it's basically, I don't want to call it like a kill switch, almost, if we're relating it to technology terms. So we're also talking about ransomware in hospitals, basically shutting down the hospital and their ability to use the machines that are connected to the internet. A lot of health devices are, so we've seen examples of that where the lives of patients have to be transferred to ensure that they can live or use the machines that are keeping them alive, because the hospital has ransomware and they have to turn everything off.

 

[00:35:40.060] - Shannon Miller

So there's a lot of scenarios, horror scenarios in the IT sector, but I feel like that's a bit far afield from where we want to go at the moment.

 

[00:35:48.690] - Stefan Killer-Haug

Oh, yeah, of course. And don't get me going with the supply chain topic and whatnot, but just.

 

[00:35:53.920] - Shannon Miller

From a personal example there you go.

 

[00:35:57.730] - Stefan Killer-Haug

I think this is another chapter then.

 

[00:36:00.340] - Shannon Miller

It is totally a different chat. I know there's a couple of questions still that they wanted to get to.

 

[00:36:05.090] - Stefan Killer-Haug

Yeah. And I think we should get to them. Let's move on to the Q and A session. This was a really nice talk and I think we have a good overview and we got people started with the questions and to start with an easy one, maybe. Oh, easy one.

 

[00:36:20.830] - Shannon Miller

Easy.

 

[00:36:23.930] - Stefan Killer-Haug

One. It's an easy one in terms of it's straightforward, so to speak, because there is a question from the audience that says, is securing the router sufficient for protecting IoT devices if a firewall is in place? And I think this one is interesting because it's about securing only one device to secure all devices. What's your classification?

 

[00:36:51.730] - Shannon Miller

I'm going to say it depends, and this is an answer I hate, but I give a lot because you can secure the one device and still have some other devices vulnerable on the network. It depends on how you've secured your network, even if you have a firewall. It just depends on the level of gumption. Let's say that the hacker has about what they're after and why they're going after you. In my case, if it's a harassment or stalking case and the person happens to be a hacker and going after a specific target. If it's targeted harassment, which I deal with a lot, and you have a group of people doing this, then I would say just because you have a firewall, just because you have good credential management and password hygiene, just because you have mostly secured devices, does not necessarily mean your network will be secured. So that would be a very specific case. But in general, I would say if you have a firewalled and well protected system, you're probably better off than most people. If that answers your question, I hope so.

 

[00:37:53.060] - Stefan Killer-Haug

And what's more, maybe an addition. If it's a question mark, I think you should always try to look at each and every device first. If there is some security by design measures, for example, you can be at least sure that this is going to work with your IoT at home too. So one tip would be always make sure before you buy to take care of looking at the prerequisites of the device, maybe, and also the company, because this is not only about the situation when buying, so to speak, but also the update culture of a company. There are many companies out there that don't even offer patches, for example, for vulnerabilities, even though it's like eight months that the data breach was public or whatever. So I think you're doing great once you're trying to implement only security encryption, privacy by design devices. But I know it's quite difficult these days because most of the time not the most important part of manufacturers, but we will get there someday, I hope.

 

[00:39:16.130] - Shannon Miller

Just one thought that came to me on this is I have known somebody, and this is a security person, so they tend to be a little bit more snappy when it comes to understanding how to set up multiple or segmented home networks. I know we have a question about that, so this will lead into that. But they set up all of their IoT devices on a separate network from their home network. So all their network, home network traffic for their laptops, mobile phones and tablets was separate from their IoT network. Now they could manage the IoT devices. So if there was, for example, a botnet attack or an infection, it wouldn't infect the devices on their standard home communication network, but they had a totally separate network they were kind of messing around with to see what was vulnerable, to see what was targeted. So that's one option. But again, not everyone has the bandwidth or the monetary ability to do that.

 

[00:40:07.650] - Stefan Killer-Haug

Yeah, this is what I was going to say before, actually, when we briefly talked about segmented networks, because the question is quite frequent here in the open questions, so you answered it halfway, so to speak, I think, for some. But this is always something one has to discuss with an IT admin, I think, because the infrastructure is a point there, and of course this is also about training. So the employer should implement a program actually making people aware, train them how to use devices at home and have them briefed on the, I think it's like a code of conduct, so to speak, for working from home or something. Something like this should be in place, and the IT admin and probably the executives are to implement then an infrastructure first to be able to have these segmented networks. But I'm not a professional on this. This is just what I learned from my jobs. In my case, it always was just about the information flow. Actually, it was about the data protection. But this is also about device protection and network protection infrastructure. So this will be my guess. Talk to your IT admin, talk to your executives about this.

 

[00:41:39.310] - Stefan Killer-Haug

If the need is there for hybrid workspace situations, it's always a matter of company culture too, right?

 

[00:41:47.810] - Shannon Miller

Well, yes, and there's a lot of self employed people, there's a lot of small businesses or boutique companies that maybe can't afford an IT person and maybe don't have the training themselves to implement a segmented network at home. So I hate to say that YouTube is the teacher of all of us, but sometimes it's up to the person at home to secure their network and to segment their network and to put their business devices on a different network than their home devices, and to use the same level of security, if not more, for the business practice, because that means you are liable if something happens. The company then becomes liable for those devices and what's on them. So if you're thinking about it from a legal perspective, you're actually better off if you can segment your network and if your company is willing to help fund it. But again, if you're a small business operation and you don't have the bandwidth or the funding to do that, it's going to be up to the individual end user to know how to do that. Anyway, enough about network segmentation. I know there's more questions.

 

[00:42:45.510] - Stefan Killer-Haug

Yeah, there's more questions and one question is about I think it was about invoice data. Yeah. So I just read it out loud. Can you speak to the issue of many companies that send out invoices that have their electronic payment information? So like bank routing wire and account information in plain text on the face of the invoice?

 

[00:43:13.150] - Shannon Miller

That is not great, to put it mildly. That's my nice way of saying please don't do this. I know this is not coming from a place of judgment. This is coming from a place of you are now making your company information connected to you and your business vulnerable. And once we have your bank and routing numbers, we can have everything. And what most scammers, what most phishing attacks are after is money committing fraud, bank account, credit card theft, all of that, even business side. So once they have your corporate information that's just another way for them to steal competitor secrets, to steal company information, to steal funds from. We call that embezzling or fraud. So please don't put your bank and routing numbers on your invoices. Please protect those that's highly sensitive information that should not be in plain text on any document, in my opinion.

 

[00:44:13.170] - Stefan Killer-Haug

Yes, I want to add one tiny aspect of information on this too. In general, be as minimal as you can with information. So actually this is one pillar of GDPR. It's about minimization. So once you don't have to give some information, don't give it. This is also about the same thing with each and every service provider. Service providers should only get the information they really need to maybe identify persons in a business environment. So this is about companies working with companies, for example, you have to have some trust there that the company really exists, for example. Otherwise this will be another flaw. But if you're a private person, if you're a freelancer, if you're a small, a medium sized business, you always have to keep in mind what data you want to share with external, internal stakeholders and also with your service provider. So you don't need to give your this is just a marketing scenario of course, but you don't always have to give your phone number for subscribing to a newsletter. But I've seen it all. So therefore, once people are trying to get your information, try to be as minimal as you can.

 

[00:45:37.720] - Stefan Killer-Haug

And yeah, probably it makes sense to have a look at the prerequisites outlined in the GDPR. It's quite interesting from a data protection point of view. Let's say what is okay, what is needed in some places and what you should probably skip or maybe you should talk to a company if there is another way when it comes to digital information flows. Now we're running out of time. A bit, I think. But we can get to one more question. There is another question on best practices. So maybe you can share your best practices and as it says when it comes to test the implemented security measures from a quality assurance perspective. So this voice from the audience likes to read more on this, but maybe we can also have a short talk on this. So when it comes to quality and quality assurance and quality assessments and security measures also when it comes to products probably, what can you share in terms of best practices for information security?

 

[00:47:02.630] - Shannon Miller

That's a loaded question. That's a very broad question. With that enough time to answer, I would need more context in the question of what specifically you're referring to in terms of quality assurance. Like are you testing internal systems, are you testing home networks? Are you testing what are you looking for? I guess that would be my better. So I'd have to follow up on that because I'm not exactly sure what kind of answer they're looking for and I don't want to give bad advice.

 

[00:47:32.770] - Stefan Killer-Haug

Yeah, sure. From what I thought when I first read it, I thought about maybe security being part of quality, so to speak. So there is an ISO, for example, also on this, when you look in quality management, there is always a part of security in there, for example, and most of the time it's similar things like with the GDPR compliance. So therefore make sure you have your technical and organizational measures in there because it's also part of the quality of a product in terms of tech at least. So I can only speak for the tech side of life as I've been working for the 3D printing company also and we had it there and quality assurance and quality management was a big part of this. And also in health tech, of course, this is a big part of it and you have to have these measures in place, otherwise you won't be able to succeed in the market in some cases. And I don't know this case, of.

 

[00:48:40.890] - Shannon Miller

Course, but if you right, like if they had indicated an industry, I could say there are specific organizations that may have like a quality standards checklist or if you need to be NIST compliant ins, that's a US based thing. But if you need NIST compliance standards, that's a different thing. So it just depends on which standard you're trying to comply with and what your company policies are in terms of the industry that you work in, what that would be measured against and how you would test it.

 

[00:49:08.220] - Stefan Killer-Haug

Yeah, and of course we will have another look at all these questions that remain there and probably also this, maybe we can reach out again, maybe this user can also ask it in the reply section, for example, of the webinar or whatever, but I think we have to close this now. It was really nice seeing you again and a really nice talk. I think we've learned a lot today and yeah, as I've said, this is a recorded webinar so we will share it if you like. We will have it on our YouTube channel as well and we will try to curate it or we will curate it in the next weeks or months. I don't know how long the series will be, but at the moment it's accepted quite well. So we will have another one maybe also with you, Shannon, if you like. At some point when we're talking about supply chains or whatever.

 

[00:50:07.410] - Shannon Miller

Don't get me started. I have so much to say about supply chain.

 

[00:50:12.370] - Stefan Killer-Haug

But the next webinar, and feel free to attend this too, is about end-to-end encryption. And actually, this is one thing we are doing at Tresorit, but there are always ways of security measures that can be in a bit wrong. So our C-level professional, who is also a cryptographer, so he's from the field, he would talk about how end-to-end encryption took over the world, but doesn't always deliver on its promises. And this is on May 3, so feel free to attend. To register and attend. The registration link is in the slides. I think if I got it wrong, we also share these with the attendees today. And of course, this is about thanking you, Shannon. It's about thanking for all the questions, for all the people in the audience. I hope you had some fun and learned a bit from our webinar, and feel free also to take a look at, as I said, our YouTube channel and of course, lock down your life. The website is also in there. So thank you again and we meet probably a second time at some point of time, hopefully. So take care. Have a nice day.

 

[00:51:39.630] - Stefan Killer-Haug

You. And yeah, this is goodbye, I think.

 

[00:51:43.970] - Shannon Miller

I think so. Thank you.

 

[00:51:46.230] - Stefan Killer-Haug

Thank you.