January 17, 2018

Small Business Target of Cyber Attackers

open and found an official looking link to a file sharing service (that I am familiar with) asking me to open and review the attachment. Even though this was from someone I know—and trust—the language and lack of detail just seemed a bit fishy (phishy?) to me. Instead of opening the link—I opted to reach out and verify that this was indeed a legitimate email and that a member did indeed wish me to open and review the document.

This is where it gets interesting. I occasionally get these things—as we all do—and when you reach out to verify, they are quickly exposed as the phishing expeditions they are, but in this case, I got a reply that said it was a legitimate request, not spam, please open the attachment.  Turns out—the member email was indeed hacked, they were indeed sending malicious software and in this instance, the “hacker” was responding directly to me impersonating the actual email owner.

I am lucky that I get busy—in this case, I did not see the response for a couple of days and by this time the hacker had moved on—likely to exploit someone else’s email account. The member had discovered the hack and alerted recipients to the identity theft and I didn’t “click” the link. In the grand scheme of cyber threats and attacks, email counterfeiting for the distribution of malicious software may not rise to the same level of attention as major data breaches like Equifax, Anthem, Chase, Target, etc. but the whole thing got me thinking about cyber security, and wondering, how prepared member companies were for the more and more common attacks on small and midsize business that may have insufficient protections and protocols.

How important is cybersecurity and how serious is the threat to small and midsize business, including agri-business?

According to experts like Gartner and Symantec, security researchers see small to midsize businesses (SMB) trending into the majority for attack targeting. Malicious cyber attackers typically find easier exploitation in the SMB community often due to a lack of awareness and preparation. Agriculture’s IT challenges compound this risk even further. No one is immune and the financial impact of incidents can be significant.

Many small to midsize businesses deem themselves too small to be a target and don’t consider the investment in cyber security to be worth the cost but some of the more recent statistics in this area suggest otherwise. For example, more than 50 percent of small to midsize businesses (across all sectors) have experienced some type of data breach in the past year. The average recovery cost for each breach is around $36,000. These are not insignificant numbers.

Why are hackers interested in small to midsize business? Well first and foremost—personal data that can be stolen from a successful breach has value on the (illegal) market. Social Security numbers fetch around $30, date of birth $11, health insurance credentials $20, credit card credentials $6 and the list goes on. If you have this data, you have something of value to exploit. In addition, most small to midsize businesses are not thinking about cyber security and so their protections (internal and external) may be limited and easy to exploit.  Growers and handlers, like other small business should weigh carefully the level of cyber risk they are willing to take on. Many cannot afford to be conservative in cyber risk mitigation particularly if you are handling employee and/or customer data.

“How at risk is your businesses and what would a breach mean to your brand, reputation, or economics?” To effectively answer this question you need to consider the following: What is your current level of vulnerability/risk? If there was a breach (data theft, ransom, etc) what could it cost? Are you comfortable with that level of risk? What would you need to implement and what would it cost to improve your security to a level you were comfortable with?

Working your way through those questions may not be in the wheelhouse of many small business owners. It often takes a practiced eye to spot vulnerabilities and risks. To help us understand, Western Growers has recently started talking to security experts associated with Land of Lakes who offer a robust suite of cyber security services to growers and retailers that are members of their cooperative. Their offerings include a quick, low cost estimate of risk developed through brief company interviews, a fully comprehensive, multi-week, on-site examination that includes detailed reports with specific remediation guidance and even further they can provide a virtual Chief Information Security Officer (vCISO) service that includes the comprehensive assessment and expert, credentialed CISO who will lead security remediation, policy development, training and represent state of security to leadership.

So as we all head into the New Year and an era of increasing cyber vandalism and theft, I encourage you to think through your cyber security and know your risk profile. If you are interested in outside assistance, I would invite you to reach out to me.