Carbon footprint calculators and their cyber security risks
Updated: Jan 5
With more businesses taking initiative to be more environmentally sustainable, carbon footprint calculators and sustainability consulting firms are becoming a popular way to measure impact. We believe these platforms have a lot of value to offer, however, we are also curious to examine these platforms through a security lens.
The value these calculators offer is substantial. It allows a business to measure their impact (measured in CO2e), using information such as heating costs, travel expenses and their supply chain. These calculators are able to cleverly digest this information to show our impact, and even see how we are performing within our industry. They are a great way to help companies meet targets set by the UK and the United Nations Sustainable Development Goals (UN SDGs), and lead us towards a more sustainable future.
As a result, we looked at a handful of carbon calculators to understand how they operate, and the information they collect. With this knowledge we aim to offer a piece on some threats that are common with website platforms and what you can do as an organisation to ensure strong security.
Company data usually collected:
Carbon footprint firms need to collect a broad and deep amount of sensitive company information in order to make their analysis and set targets. Within most of these platforms the information collected includes:
Size of facilities
Company expenses such as business travel, transport / freight, capital goods and more
Carbon footprint (measured in CO2e) for each company, and, how many carbon offsets have been purchased
In some cases, copies of profit and loss statements for each client
Cyber risks impacting carbon footprint calculator firms
Almost all data breaches result in the organisation suffering some form of financial loss and reputation damage.
Financial losses are typically caused by loss of revenue (for example if an ecommerce website is unavailable), incident investigation and/or legal costs, repairing systems etc. Very rarely, breaches can include financial losses resulting from regulatory fines. That said, the UK regulator (ICO) very rarely impose fines unless there is clear evidence of negligence.
Reputation damage is a bit harder to quantify, but a bad breach can typically lead to a loss of customers, stakeholder trust, share price and so on.
Below are the most relevant types of security breaches for carbon footprint calculator and sustainability consulting firms:
1. Loss of sensitive client information, caused by a stolen password
This is a huge one. Stolen passwords are a super common entry point into your system. When an attacker has your password, it’s the digital equivalent of someone with criminal intent having the front door key to your house.
When talking about stolen passwords, we often see passwords being taken from previous data breaches and used against our online accounts. As a lot of us use easily guessable passwords, these have been seen in numerous data breaches previously. This way, criminals don’t need to “hack” us at all, as they can work from a list of “common” passwords already exposed.
Another way they steal passwords is through phishing. Phishing essentially involves tricking a user through a fake email (disguised to be legitimate - for example a connection request on LinkedIn), to obtain sensitive information such as a password.
How can this be used against carbon footprint calculator firms?
Firstly, an attacker would be able to access your cloud storage, allowing them to navigate through the environment. They may then use this access to view, steal or delete sensitive information stored such as client’s financial information. Financial gain is almost always the motivation of criminals, so they will use the access and information to extort firms into paying them to keep quiet or get the access back.
Secondly, carbon footprint calculator firms usually give clients their own login to the platform so they can record their scope 1, 2 and 3 emissions amongst other information. If a client chooses a poor password, they are leaving the door open for cyber criminals to compromise their account. A criminal could then threaten to publish the information against them in return for an extortion demand.
Lastly, your reputation may suffer damage as a result of a breach. We tend to hear about the big breaches that occur, these usually make headlines in the press. However, reputation damage can occur at any size. If client information was exposed, this may place a strain on your relationship. Why the breach occurred, what you did to respond and what was lost can be a major factor in a strain of the relationship. One of our clients recently told us her worst nightmare would be ringing her own clients, and telling them she’d lost their data.
Solution 1: engaging security training
Staff training on phishing attacks is a great way to ensure your company becomes vigilant in spotting a phishing email. If you want to test yourself quickly on a phishing test, we recommend checking out Google’s phishing quiz. Of course this is a way just to gain a quick insight, a strong training program should be adopted to educate your staff in an effective and honest way.
Solution 2: good password practices
The second piece of advice we would give you is make sure you are creating strong, unique passwords for each account you have. To avoid worrying about remembering passwords, we recommend utilising a password manager - Find out more about these here. This way, even if one account is stolen by a cyber criminal, your other accounts won’t be impacted as they have different passwords.
Also, to check if your passwords have already been compromised, visit haveibeenpwned. You can also use this to check for compromised emails and phone numbers. If your accounts have been breached, we recommend changing your password immediately.
Using multi-factor authentication is always a good idea to provide an extra layer of security for your most important accounts. And, in our opinion, carbon footprint firms should offer multi-factor authentication to their clients in order to access the platform.
2. Poor coding of web app leading to a data breach through unauthorised access
This is especially relevant in the case of carbon footprint calculators. As you operate as an online platform, a lot of coding will have been done by your development team. The coding itself will need to be rigorously tested to ensure it does not have any security holes or weaknesses.
If your platform has a coding weakness, this is essentially a hole that an attacker can exploit to gain unauthorised access to your platform.
Once in, attackers can perform activities that disrupt your business operations or simply steal sensitive information, leading to direct financial losses.
Obviously, this will also cause a reputation hit. The attack may be heavily reported and it’s rare to see cyber attacks challenge the “all PR is good PR” school of thought. That said, a good cyber response and communication plan will help reduce the reputation damage caused.
Solution: security scans
Vulnerabilities can be found through conducting a vulnerability scan of your environment, which is an automated way conducted by software to look for known vulnerabilities. Alternatively, you may look into conducting a penetration test, which is conducted by a specialist to try and detect and exploit weaknesses and poor coding practices.
Furthermore, ensuring that your systems and software have automatic updates enabled is one way to ensure that you are reducing the likelihood of vulnerabilities.
Carbon footprint calculators are a real help to us organisations trying to do good for the planet. This article aims to return the favour by helping you think about your cybersecurity. We want your platforms to be as secure as possible. Cyber attacks can be devastating, and unfortunately are becoming more of an issue. It’s something we will never be able to fully eradicate, so we have to stay sharp with frequent and emerging threats.
The methods highlighted are just prevalent causes, many more exist. Fortunately, there is a lot that we can do to adopt stronger security. We hope the solutions will help with just that. Remember, there are many different approaches to security, however, we recommend a balanced approach which includes people, process and technology.
Security doesn’t have to be hard, it just needs to be consistent and fit your organisational goal and purpose of helping our planet.
If you don’t know how secure your platform is, we recommend carrying out a cyber health check or cyber essentials review as a first step. Many cyber security firms offer such services to identify security weaknesses and help you build an improvement plan.
If you need any assistance from us, feel free to contact us.