by Cathy Lennon, OFA
Experts agree that in today’s connected world, it’s a matter of when, not if, a business will face a cyber security problem. Breaching incidents of all kinds, whether it’s compromised information, financial fraud or data that is held hostage until a ransom is paid are on the rise, and agriculture is not immune to these threats.
Recent incidents in our sector have affected Quebec’s general farm organization, the Union des Producteurs Agricoles, and Ontario crop input retailers who had customer lists and credit card information held for ransom. Business was severely interrupted – and the path to not just regain access to data, but the trust and confidence of customers, employees or other stakeholders is a long and costly one.
Outdated, unmaintained systems running old software no longer being updated is one of the most common vulnerabilities – and is widespread, especially in small businesses. Research by Professor Ali Dehghantanha, a University of Guelph Canada Research Chair in cyber security and threat intelligence, shows that the last software update in 90% of farming systems was years ago, and most farms don’t have a software patching or updating policy.
Lack of data backup leaves a business particularly vulnerable in a security breach and can also be a serious problem in case of computer or server failure, or a virus, for example.
People also represent a cyber security risk. Lenient approaches to who has access to on-farm systems, such as sharing passwords, using a single login for all users or not removing system access from employees who no longer work for the business can leave a business vulnerable.
As well, a lack of awareness amongst farmers, their families or their employees of scams like phishing emails, where fake messages encourage users to click on potentially damaging links or share information, is also a challenge. It used to be easy to pick out a phishing email through a strange sender address, poor grammar or content that didn’t make sense. Now, cyber criminals are getting more and more sophisticated, such as sending a clear, concise message to the HR department from an email address that is incredibly close to an employee email address and advising of an address or bank account change with a request to “update the employee records”. If the person reading that email doesn’t notice any inconsistencies or a business or organization doesn’t have a multi-step authentication policy, this can easily lead to a non-recoverable financial loss if a payroll deposit goes into an incorrect bank account, for example.
There is no such thing as 100% security, but with cyber criminals looking for weak or vulnerable targets, experts suggest taking steps to minimize risk as much as possible. A few simple steps include:
– Making a checklist of all your current technology and ensuring that you’re using current software versions and systems.
– Establishing basic rules for your team to recognize where threats come from and what to do–or not do. Free online videos are available to help with training.
– Ensuring new systems or devices are set up properly and asking suppliers what security the devices have and whether data is encrypted.
– Not sharing passwords, making sure passwords are strong and updating login credentials when an employee leaves the business.
– Backing up data and installing valid anti-virus software, firewalls and malware detection systems that are kept up to date.
Ultimately, we need to think about cybersecurity on the farm like we do biosecurity – an investment into a best practice that, while not foolproof, will go a long way to minimizing or even avoiding risk.
Yes, it can be tedious and there is some cost involved, but every day, week or year that we protect our businesses and prevent problems is invaluable.
