Because maintenance technicians are always on-the-move, they’re particularly vulnerable to threats from hackers. When a cybersecurity policy is implemented, it must include awareness measures and training in addition to technical deterrents.
Data leaks at hotels, ransomware attacks on hospitals…recent news confirms that hardly a day goes by without a case of computer hacking being brought to our attention. And these are only the ones that get media attention. Most incidents remain secret so as not to tarnish the reputation of the company that was attacked.
Without falling victim to paranoia, the risk of exposure is real. Between distributed denial of service (DDoS) attacks and concerted or advanced persistent threat (APT) attacks that combine social engineering techniques with exploitation of information system vulnerabilities, the threats are increasingly complex and multifaceted.
The profile of attackers has also changed. There are no more “nice” hackers challenging themselves to be the first to break into the best-protected information system such as those of the National Security Agency (NSA).
These geeks have given way to groups of cybercriminals who are motivated by greed and will launch ransomware attacks to extort money or use phishing techniques to monetize stolen data on the “dark web”. These people have moved from committing crimes in real life to committing crimes online, only with fewer risks.
Humans are the weak link in every cybersecurity policy
Most attacks start with humans, the weak link in every cybersecurity policy. Hackers widely use so-called social engineering techniques to exploit human weaknesses and extract key information.
Some employees make it easy for hackers by choosing a default password, using 123456 or writing their password on a post-it note stuck to their screen. That’s why it’s so important to remind people about secure computer practices at regular intervals. Governments and private cybersecurity companies also regularly publish information to help people understand what it takes to create a strong password.
Phishing is still the most common cyberattack technique. In this case, the person receives an email that invites them to click on a link or open an infected attachment. Once it is on the employee’s workstation, the malware is free to spread throughout the corporate network.
Personalize awareness based on profiles
Because traditional training courses have shown their limits, companies such as Conscio Technologies offer a playful approach based on videos, quizzes and ultra-realistic scenarios. The Conscio approach makes it possible to simulate a phishing campaign to assess the number of employees that are likely to fall into the trap.
It’s a matter of personalizing awareness-raising activities for the different populations within an organization by focusing on those who are most exposed — executives with business secrets and nomadic employees. When these employees are on-the-move, they don’t benefit from the same firewall and proxy protection mechanisms as colleagues in the office.
Maintenance technicians are a prime target
On-site maintenance technicians are a prime target for hackers so they must be reminded of a number of special instructions, even if they seem obvious. For example, technicians should never leave their smartphone or tablet unattended. And they should always connect to the corporate virtual private network (VPN) rather than a public Wi-Fi network.
Technicians should not use USB keys, especially if it has been loaned to them. Likewise, they should not share their reports through messaging applications or online storage services, but through secure field service management software.
To help individuals and corporations learn more about cybersecurity best practices, many governments have published cybersecurity best practices and practical advice to increase awareness about how to avoid a wide range of cybersecurity risks.
Rely on certified software
In addition to increasing awareness, there are a number of security measures to protect technicians on-site. The best place to start is field service management software that is delivered in a Software as a Service (SaaS) model and provides cybersecurity features.
The software must comply with data protection regulations. Ideally, it’s also ISO 27001 certified. This international standard for information security management systems (ISMSs) guarantees the software provider manages data protection in accordance with best practices.
On an individual level, encrypted data keys, such as those offered by Kingston or DataLocker allow technicians to encrypt and store up to 128 GB of the most sensitive data in a safe way.
Enterprise mobility management solutions improve cybersecurity
Enterprise Mobility Management (EMM) solutions are ideal to manage large numbers of mobile devices and include multiple modules:
The Mobile Device Management (MDM) module takes care of the hardware aspect, allowing system administrators to ensure that only particular devices are authorized to access company information. The MDM ensures each device complies with security policies and remotely blocks access to a device if it is stolen or lost.
The Mobile Application Management (MAM) module manages mobile applications. System administrators can prohibit users who don’t comply with the security policy from installing applications or restrict a user’s actions within an app to copy, paste and save as. The MAM module also allows administrators to monitor mobile app use and to remotely update apps.
The Mobile Content Management (MCM) module controls use of sensitive data. Data can be encrypted and remotely erased if the mobile device is stolen or lost.
Embrace BYOD and fight against shadow IT
EMM solutions allow companies to securely take advantage of the Bring Your Own Device (BYOD) trend that allows technicians to use the same mobile device in their personal and professional lives. They create a tightly insulated seal around these two worlds to reduce the risk of vulnerabilities.
EMM solutions also help to fight against shadow IT — all those applications users install on their devices but are not sanctioned by the IT department. Increasing use of the cloud has caused shadow IT to explode as users take advantage of popular online services such as Dropbox, Google Drive, Evernote, Gmail and WeTransfer.
Finally, EMM solutions allow companies to adapt their security policies based on target populations. They can define profiles for different types of users, such as on-site technicians, to give employees access to the right applications, data and device functions for their role.
The goal of all of these measures is to protect field service providers and their customers. National security agencies have noted the alarming growth in so-called rebound attacks where criminals attack their primary targets through subcontractors.