In the world of cybersecurity, they’re called “bad actors,” and they’re not just attacking corporate giants, retail chains and school systems. They’re targeting ag-related businesses too.
Criminal hackers are looking to breach your network, steal your data and compromise your operations. They can hold you hostage, denying you access to your own files unless you pay a hefty ransom. It’s not a question of if but when a cybercrime will occur, experts warn.
“It doesn’t matter what the business is or its size, the threats are very real,” said Doug Davidson, director of technology for GBQ, which Forbes lists as one of America’s Best Tax and Accounting Firms. “Today, 25% of all crime is cyber-related.”
Is your farm or winery vulnerable? If your business uses email or smartphones, it is. If your employees handle payroll, inventory, shipments and customer transactions online, it is. If your wine club conducts business via the internet, you’re at risk. In fact, anything attached to the internet is vulnerable to a cyberattack.
The primary motivation for attacks continues to be overwhelmingly financially driven at 95% of breaches, reported Verizon in its widely read 2023 Data Breach Investigations Report. It also noted the most common form of attack is ransomware, followed by business email compromise (BEC).
“Ransomware continues to be a major threat for organizations of all sizes and industries,” said Verizon.
The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities, the report added.
As vineyards and wineries increase their use of technology, they must be aware of the security controls they have in place, said Melissa DeDonder, senior manager and director of external IT consulting for Pinion, a national food and ag consulting and accounting firm.
As examples, she pointed to chemical applications in the field, temperature settings during fermentation, humidity in warehouses, all increasingly controlled by automation. Further, there’s third-party risk, where processes such as sales orders and distribution are handled through digital avenues. A customer relationship management system, with customer names, addresses, phone numbers and credit card information, is also vulnerable.
“Can your system be broken into?” DeDonder asked. “What are the risks or breaches that can happen there? How are you securing that data?”
Layers of Prevention
There are several layers of cybersecurity, but the most basic prevention starts with recommendations from the Cybersecurity and Infrastructure Security Agency, the nation’s cyber defense agency and national coordinator for critical infrastructure security.
“Using strong passwords, updating your software, thinking before you click on suspicious links and turning on multi-factor authentication are the basics of what we call ‘cyber hygiene’ and will drastically improve your online safety,” CISA said. “These cybersecurity basics apply to both individuals and organizations.”
Beyond that, business owners should know what software, hardware and important data they have. That includes computers, printers, routers, security cameras and smartphones.
“We find that most organizations don’t know what they have or where it is,” said GBQ’s Davidson. “If you don’t know what you have, you can’t protect it.”
Another cyber defense is to back up data regularly, FBI agent Brad Swenson told attendees during a “Cybersecurity 101” seminar at World Ag Expo in Tulare, Calif. last February.
“Keep three copies of your data,” Swenson said. “Two of them onsite should be on two different computers, so if one crashes, you still have another. One copy should be out in the cloud or offsite. You can put it on a hard drive and put it in a safety deposit box at the bank.”
Swenson also urged people to be careful about what they post online. Bad actors “use that information against you,” he said. “They do their research, figure out who you are, what makes you tick, then use it against you.”
Businesses should also fight cybercrime by adopting a security framework, Davidson said. He likens that to a playbook of controls put in place to identify what you have and what needs to be done to protect it.
One available framework comes from the National Institute of Standards and Technology (NIST). This government agency has developed the Cybersecurity Framework to enhance the security and resilience of the nation’s critical infrastructure. The framework integrates a set of industry standards and best practices to help organizations manage cybersecurity risks. It’s free and accessible at nist.gov/cyberframework.The
Unfortunately, businesses’ biggest cyber threat often lies close to home. Verizon’s 2023 report found that 74% of all breaches include “the human element,” with people being involved either through error, privilege misuse, use of stolen credentials or social engineering.
For many businesses, that weak link is employees, especially those who unknowingly click on a link or open a PDF file that contains malware, or malicious software, which allows hackers in.
“My No. 1 protection advice is always to educate your employees,” said Pinion’s DeDonder. “Ransomware and BEC happen because employees, executives or owners click on something.”
Cybersecurity training teaches people what to watch out for, whether it’s a malicious email link, PDF file or website. And once-a-year training isn’t enough, added DeDonder.
“It’s got to be constant and repetitive.”
Among other cyber-hygiene practices DeDonder advocates are patching, or updating, your system and backing up critical data you and your business can’t afford to lose. Then test your online security controls that are in place.
“And make sure you have enough of a technology budget to protect your business,” she said.
If your system has been compromised, you should contact the FBI, according to Swenson. He advised victims to start with the FBI’s Internet Crime Complaint Center at www.iC3.gov. The site offers a complaint form that, once filled out, will be routed to the appropriate FBI field office so the agency can start taking action.
If a cybercrime involves a financial theft, “the quicker you can notify us, the quicker we can take action to stop that money movement,” Swenson said. “If you let us know within 72 hours of a fraudulent wire transfer, we have mechanisms in place to halt it. In the instances I’ve seen, the money gets returned.”
While Davidson recommends anyone who’s had a cybercrime event to report it to the FBI, he believes the first person you should call is your attorney.
“An attorney can help do some of the investigative work under privilege,” he said. “Then call your insurance carrier if you have cyber liability insurance.”
Bottom line: Be suspicious. Be careful what you download and what you share. Make sure your business has controls in place to detect, respond to and recover from a cyber threat or actual event. Don’t let bad actors catch you unprepared.
Cybersecurity Terms to Know
Hacking: Attempts to intentionally access or harm information assets without authorization by circumventing or thwarting logical security mechanisms.
Ransomware: A type of malicious software that threatens a victim by destroying or blocking access to critical data or systems until a ransom is paid.
Business email compromise: A type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company information.
Spoofing: When someone disguises an email address, sender name, phone number or website URL, often just by changing one letter, symbol or number, to convince you that you are interacting with a trusted source.
Phishing: A targeted attempt to obtain sensitive data by duping victims into voluntarily giving up account information and credentials.
Data Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Data Breach: An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.
Malware: Any malicious software, script or code run on a device that alters its state or function without the owner’s informed consent.
Sources: Verizon’s 2023 Data Breach Investigations Report; FBI.gov; Microsoft.com
FBI’s Cyber Safety Tips
The FBI is the lead federal agency for investigating cyberattacks and intrusions. Here are some tips the FBI offers to protect yourself from cybercriminals:
Keep systems and software up to date and install a strong, reputable anti-virus program.
Be careful when connecting to a public Wi-Fi network and do not conduct any sensitive transactions, including purchases, when on a public network.
Create a strong and unique passphrase for each online account and change those passphrases regularly.
Set up multi-factor authentication on all accounts that allow it.
Examine the email address in all correspondence and scrutinize website URLs before responding to a message or visiting a site.
Don’t click on anything in unsolicited emails or text messages.
Be cautious about the information you share in online profiles and social media accounts. Sharing things like pet names, schools and family members can give scammers the hints they need to guess your passwords or the answers to your account security questions.
Don’t send payments to unknown people or organizations seeking monetary support and urging immediate action.