
Navigating Cyber Insecurity in the Business of Lighting Design

Designer Jill Cody Shares Details of Cybersecurity Attack

By Randy Reid

On April 23, the Business of Light hosted a webinar entitled "Got Cyber Insecurity? Fortify Your Business's Digital Domain." The event served as an eye-opener for lighting professionals who may have hitherto paid little heed to the creeping shadows of cyber threats. This 90-minute BOL session was rich with wisdom from a cybersecurity expert as well as a sobering tale from an industry professional who faced the digital tempest head-on.

That person was Jill Cody, Principal, Dark Light Design, whose experience with cyber intrusion became the central case study of the event. Jill’s business had suffered a sophisticated cyberattack that served as a stark wake-up call to her organization.

Jill explained that she thought cyber criminals only targeted large companies, but as the crime unfolded she learned that small companies, like Dark Light Design, are easier targets because they don’t have sophisticated cyber controls in place.

It started with an insidious email, likely a phishing attempt that targeted her business manager, an employee known for her meticulous nature, which suggests the sophistication of the attack. Despite robust security measures in place, including multifactor authentication, the digital assailants found a crack in the armor. Jill discovered the breach when a client called to ask whether Dark Light Design had changed its banking information. It had not.

Jill's immediate response was to inform her contacts. The revelation that sensitive data was exposed indefinitely added to the angst, stirring fears akin to the vulnerability one feels after a home burglary. This was not just a technical crisis; it was a psychological one.

Two exhaustive days were dedicated to containment and remediation, all billable hours lost in the scramble to secure what was left and to understand the depth of the breach. Jill's brother, an IT professional, quickly mobilized the necessary tools to combat the breach.

He was able to trace the events. The thief gained access to their SharePoint account and could see banking, billing and client email addresses, among other things. The thief then sent emails from the business manager's account to clients stating that Dark Light was changing its ACH information. Had a client emailed the business manager to confirm, the reply would likely have been intercepted by the attacker, since the account itself was under his control. Jill said that if they had not received that phone call from their client, the scam could have gone on for months before it was discovered.

Fortunately, no money was lost, but the hacker did download some sensitive banking and employee data. Those affected were notified and offered credit monitoring.

This incident resulted in Dark Light being much more discerning about which information needs to be retained. Jill stated, “Now we have a little clause at the bottom of our email that says, ‘This message originated outside of Dark Light Design,’ so if the email is an employee spoof, we can at least know that it came from outside the company.”
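One way a mail gateway could apply the external-sender banner Jill describes, written as an added example that is not part of the article or Dark Light Design's own setup; it goes one step further and also warns when an outside sender's display name matches an employee. The domain, staff names and sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholders: not Dark Light Design's real domain or staff.
ORG_DOMAIN = "darklightdesign.example"
STAFF_NAMES = ("Jill Cody", "Pat Example")
BANNER = "This message originated outside of Dark Light Design."

def sender_parts(msg):
    """Return (display name, address domain) from the From: header, lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def is_external(msg) -> bool:
    """A missing or foreign From: domain counts as external."""
    return sender_parts(msg)[1] != ORG_DOMAIN

def looks_like_staff_spoof(msg, staff=STAFF_NAMES) -> bool:
    """External mail whose display name matches an employee's name."""
    name, _ = sender_parts(msg)
    return is_external(msg) and name in {s.lower() for s in staff}

def tag_message(raw: str, staff=STAFF_NAMES):
    """Prepend the banner (plus a spoof warning) to external mail.
    Returns (body text, tagged flag); internal mail is returned untouched."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content()
    if not is_external(msg):
        return body, False
    header = [BANNER]
    if looks_like_staff_spoof(msg, staff):
        header.append("Warning: sender name matches an employee, but the address is external.")
    return "\n".join(header) + "\n\n" + body, True

# Constructed sample messages for demonstration.
SPOOFED_ACH_CHANGE = """From: Pat Example <pat.example@mail.example.net>
To: client@example.com
Subject: Updated ACH information

We are changing our ACH information; please update your records.
"""

INTERNAL_NOTE = """From: Jill Cody <jill@darklightdesign.example>
To: pat@darklightdesign.example
Subject: Lunch

Noon works for me.
"""

if __name__ == "__main__":
    for raw in (SPOOFED_ACH_CHANGE, INTERNAL_NOTE):
        text, tagged = tag_message(raw)
        print(f"tagged={tagged}\n{text}")
```

The banner only helps against mail that truly comes from outside; a message sent from a compromised internal account, as in Jill's case, passes this check, which is why the phone call mattered.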

No funds were diverted, and the payroll, though perilously close to being affected, was secured. The threat actors had gained access through a single point of vulnerability: one user account that Jill and only two others accessed. Mercifully, the damage was limited; client data remained untainted, safeguarded on a hard server.

In the aftermath, the clarity that emerged from chaos was invaluable. Jill's philosophy on cybersecurity shifted—over-authentication became a trivial inconvenience against the backdrop of potential threats.

The next speaker was Darin Perusich, the Cyber Security Manager of CannonDesign. His company has about 1,250 to 1,300 employees, and he spoke of best practices. It was smart of BOL to contrast both small and large companies. Below are some of the best practices Darin mentioned:

• Have separate emails for business and personal and never mix the two.

• Never use the same password twice.

• Use 2-factor authentication.

• If a password must be between 12 and 24 characters, choose 24 characters.

• Use a dedicated password manager for everything (CannonDesign uses Dashlane).

• SharePoint is not a good mechanism for saving your passwords.

• Use a Microsoft Authenticator app or Google Authenticator app as an extra layer of security. This means that in addition to your password, you'll also need to enter a code that is generated by the Authenticator app on your phone.

• Use anti-malware, anti-virus and anti-ransomware software on Macs as well as PCs.

Darin explained that he has about 3,000 passwords and has none of them memorized, as his password manager handles everything. He also warned that service providers are notorious for handing out replacement SIM cards to people who merely claim to have lost their phone. He recommends calling your provider and setting up a special 4-digit PIN that must be supplied before a replacement SIM card is issued.

On a personal note, like Jill, I have thought that the EdisonReport Media Network was too small to worry about cybercrimes, but after this very informative BOL webinar, we are going to take a strong look at our cybersecurity.

Perhaps you should, too!
