Cybersecurity breaches are almost inevitable, said Jeremy Cherny, president and founder of Tobin Solutions. A breach may be major or minor, but either way, producers should be aware of the security process to protect themselves as best as they can.
Security isn’t just about having the right kind of cybersecurity products, like a firewall, in place, Cherny said. It’s also about knowing the best practices to address things that software can’t do by itself.
Cherny likened the process to having a lock on a door: a lock itself can’t guarantee security; turning the lock with a key and jiggling the doorknob is what gives assurance that the product in place is serving its function.
For data security, producers should have a security assessment done, something they can try to undertake themselves or work with an IT professional on, to understand what data they’re trying to protect and find any risks or blind spots with their system, Cherny said during a recent Professional Dairy Producers of Wisconsin Dairy Signal webinar.
Each producer will have to determine for themselves their plan for dealing with a cybersecurity incident and restoring the data they need to function. Producers should have answers to questions such as how long they’re willing or able to be down in the event of an incident, how often they’re backing up data, how long they’re storing backed-up data and how work will proceed in the interim between when their system goes down and when things are restored, Cherny said.
Producers should check to see if they have cyber liability insurance in the event that something happens, and they should discuss with their insurance agent what kind of coverage they need, Cherny said.
“This might be the only thing that makes you whole,” he said.
Data should be backed up in at least two locations, providing for a total of at least three copies, Cherny said. One dataset should be backed up offsite, and one dataset should be backed up completely offline, where it is not connected in any way that someone else could potentially get access to it.
Many scams rely on social engineering to use human nature against the person being scammed, Cherny said. A scammer or hacker may use fear or urgency or pretend to be a trusted person in order to take advantage of someone.
When it comes to requests for payment online, Cherny said those should always be verified. A person should directly call whoever is requesting the payment or any change and verify that the details are correct before proceeding with making a payment.
Repeated use of the same password isn’t advised, and Cherny strongly recommended the use of a password manager, such as LastPass, Dashlane or 1Password. A password manager generates and organizes strong passwords and provides a secure way to share them, for example, with family or business partners.
Cherny also encouraged use of two-factor or multi-factor authentication for accounts, which adds another layer of security to an account log-in. The second layer of authentication (the password being the first layer) can come in several forms, whether it’s a verification text sent to a cellphone, a phone app or a physical security key. Even if a hacker has access to a username and password, having a second layer of authentication means that they can’t log in without physical access to whatever secondary mode of security is being used.
To check if an email account has been part of a data breach, Cherny suggested people use the website haveibeenpwned.com (“pwned” is a technical reference). Some data breaches aren’t as problematic as others, but if an account with a password turns up in the results, Cherny said to make sure to change that password and, if the same password was used anywhere else, to change it there, too.
Security patches to fix issues found in programs or software are common and are issued frequently, but producers need to make sure that they have those patches applied once they’re made available, Cherny said.
If a program or software isn’t needed and isn’t used, it should be removed to minimize the number of potential patches to keep track of and the number of security issues that could be exploited, Cherny said.
Cherny stressed that anyone who uses a computer needs to be aware of cybersecurity practices. Training should be provided to everyone in an organization so that everyone knows what the business’s cybersecurity protocols are, and producers may even want to take care to learn what cybersecurity practices their business partners have in place. Producers should also be careful in their personal use because an attack that starts in a personal system may have ties that spill over into the business, Cherny said.
When it comes to providing access to a business’s system, every user should only have access to the bare minimum of what they need to perform their jobs and duties, Cherny said.
Full administrator privileges should rarely be given or used, Cherny said. Only as an administrator can someone install or modify software and configurations. Limiting who can use those privileges can help prevent accidental or improper use of them.
“It’s not about trust,” Cherny said. “It’s really just about good business practices.”