• Ashley Woodhall

Carbon footprint calculators and their cyber security risks

Carbon footprint calculators and their cyber security risks

With more businesses taking initiative to be more environmentally sustainable, carbon footprint calculators and sustainability consulting firms are becoming a popular way to measure impact. We believe these platforms have a lot of value to offer, however, we are also curious to examine these platforms through a security lens.

The value these calculators offer is substantial. It allows a business to measure their impact (measured in CO2e), using information such as heating costs, travel expenses and their supply chain. These calculators are able to cleverly digest this information to show our impact, and even see how we are performing within our industry. They are a great way to help companies meet targets set by the UK and the United Nations Sustainable Development Goals (UN SDGs), and lead us towards a more sustainable future.

As a result, we looked at a handful of carbon calculators to understand how they operate, and the information they collect. With this knowledge we aim to offer a piece on some threats that are common with website platforms and what you can do as an organisation to ensure strong security.

Company data usually collected:

Carbon footprint firms need to collect a broad and deep amount of sensitive company information in order to make their analysis and set targets, Within most of these platforms the Information collected revolves around company information such as:

  • Employee count

  • Size of facilities

  • Company revenue

  • Heating costs

  • Company-owned vehicles information

  • Company expenses in areas like business travel, transport / freight, capital goods and more

  • Carbon footprint (measured in CO2e) for each company, and, how much carbon offsets have been purchased

  • In some cases, copies of profit and loss statements for each client

Sensitive company information should be protected as securely as possible. Think of information that showcases a businesses finances, now these are something you would more than likely want to keep private and secure.

Cyber risks impacting carbon footprint calculator firms

The risks in cyber breaches usually revolve around suffering a financial loss and reputation damage, in this section we will expand on these two and see how a select few breaches can lead to these.

Financial losses could occur as a result, but in different ways. Firstly, you may suffer a financial loss from the breach directly. If there is an intrusion on your system or data is stolen/modified/deleted, this could have a massive impact on your operations, resulting in a loss of revenue.

Another risk businesses tend to face due to a cyber attack is reputational damage. UK telecommunications firm TalkTalk saw this when they suffered a cyber breach in 2015. This case study is a prime example of the reputational risk a business can face due to a cyber attack; The initial attack, the management of the situation and the aftermath all require vital decision making in order to suppress the damage.

The cyber breach TalkTalk suffered had devastating effects. They had suffered costs of around £60m, alongside losing a reported 101,000 customers. This breach is an example of when a company suffered huge financial losses, alongside a significant impact on their reputation.

1. Loss of sensitive client information, caused by a stolen password

This is a huge one. Stolen passwords are a super common entry point into your system. When an attacker has your password, it’s the digital equivalent of someone with criminal intent having the front door key to your house.

When talking about stolen passwords, we often see passwords being taken from previous data breaches and used against our online accounts. As a lot of us use easily guessable passwords, these have been seen in numerous data breaches previously. This way, criminals don’t need to “hack” us at all, as they can work from a list of “common” passwords already exposed.

Another way they steal passwords is through phishing. Phishing essentially involves tricking a user through a fake email (disguised to be legitimate - for example a connection request on LinkedIn), to obtain sensitive information such as a password.

How can this be used against carbon footprint calculator firms?

Firstly, an attacker would be able to access your cloud storage, allowing them to navigate through the environment. They may then use this access to view, steal or delete sensitive information stored such as client’s financial information. Financial gain is almost always the motivation of criminals, so they will use the access and information to extort firms into paying them to keep quiet or get the access back.

Secondly, carbon footprint calculator firms usually give clients their own login to the platform so they can record their scope 1, 2 and 3 emissions amongst other information. If a client chooses a poor password, they are leaving the door open for cyber criminals to compromise their account. A criminal could then threaten to publish the information against them in return for an extortion demand.

Lastly, your reputation may suffer damage as a result of a breach. We tend to hear about the big breaches that occur, these usually make headlines in the press. However, reputation damage can occur at any size. If client information was exposed, this may place a strain on your relationship. Why the breach occurred, what you did to respond and what was lost can be a major factor in a strain of the relationship. One of our clients recently told us her worst nightmare would be ringing her own clients, and telling them she’d lost their data.

Solution 1: training

Staff training on phishing attacks is a great way to ensure your company becomes vigilant in spotting a phishing email. If you want to test yourself quickly on a phishing test, we recommend checking out Google’s phishing quiz. Of course this is a way just to gain a quick insight, a strong training program should be adopted to educate your staff in an effective and honest way.

Solution 2: passwords

The second piece of advice we would give you is make sure you are creating strong, unique passwords for each account you have. To not have to worry about remembering these, we recommend utilising a password manager - Find out more about these here. This way, even if one account is stolen by a cyber criminal, your other accounts won’t be impacted as they have different passwords.

Also, to check if your passwords have already been compromised, you can check that on the website haveibeenpwned. You can also use this to check for compromised emails and phone numbers. If your accounts have been breached, we recommend changing your password immediately.

Using multi-factor authentication is always a good idea to provide an extra layer of security for your most important accounts. And, in our opinion, carbon footprint firms should offer multi-factor authentication to their clients in order to access the platform.

2. Poor coding of web app leading to a data breach through unauthorised access

This is especially relevant in the case of carbon footprint calculators. As you operate as an online platform, a lot of coding will have been done by your development team. The coding itself will need to be rigorously tested to ensure it does not have any security holes or weaknesses.

If your platform has a coding weakness, this is essentially a hole that an attacker can exploit to gain unauthorised access to your platform. The actions once they are in will just be the same malicious activity we see elsewhere, this is just another point of entry like a stolen password.

Once in, attackers can perform activities that disrupt your business operations or simply steal sensitive information, leading to direct financial losses.

Obviously, this will also cause a reputation hit. The attack may be heavily reported and it’s rare to see cyber attacks challenge the “all PR is good PR” school of thought. That said, a good cyber response and communication plan will help reduce the reputation damage caused.

Solution: security scans

Vulnerabilities can be found through conducting a vulnerability scan of your environment, which is an automated way conducted by software to look for known vulnerabilities. Alternatively, you may look into conducting a penetration test, which is conducted by a specialist to try and detect and exploit weaknesses and poor coding practices.

Furthermore, ensuring that your systems and software have automatic updates enabled is one way to ensure that you are reducing the likelihood of vulnerabilities.

Key takeaways:

Carbon footprint calculators are a real help to us organisations trying to do good for the planet. This article aims to return the favour by helping you think about your cybersecurity. We want your platforms to be as secure as possible. Cyber attacks can be devastating, and unfortunately are becoming more of an issue. It’s something we will never be able to fully eradicate, so we have to stay sharp with frequent and emerging threats.

The methods highlighted are just prevalent causes, many more exist. Fortunately, there is a lot that we can do to adopt stronger security. We hope the solutions will help with just that. Remember, there are many different approaches to security, however, we recommend adopting a few tools, practices and education.

For the UK carbon calculators looking to improve their cybersecurity, you may want to look at the Cyber Essentials certification. This is a government backed scheme aiming to protect organisations against a wide range of common cyber attacks. If you are interested in this certification, feel free to reach out, we’d love to assist you on your journey.

Security doesn’t have to be hard, it just needs to be consistent and fit your organisational goal and purpose of helping our planet.

If you don’t know how secure your platform is, we recommend carrying out a cyber health check or cyber essentials review as a first step. Many cyber security firms offer such services to identify security weaknesses and help you build an improvement plan.

If you need any assistance from us, feel free to contact us.

tiny logo