In the feed and grain business, when we talk about safety we often think of physical safety: fall protection and enclosed space safety for employees; spill protection; safe handling practices for grain and feed products. However, in this world of growing connectivity via the internet, there is a significant and growing need to think of “virtual” security or cyber security. It is pretty hard today to be completely “off the grid.” So what issues are important? How does a feed and grain business protect itself? What are some of the “weak links in the chain” so to speak, and how do we strengthen them? You also maintain a lot of information about your customers, and you have a legal responsibility to keep that data secure. This column will take a look at some of the business and employee issues related to cyber security and risk management as it relates to confidentiality of your customers’ data.
What is cybersecurity?
Most of us are aware of the need to “be careful out there,” as it relates to safety on the internet. The intent of our column is not to scare you or create undue work or effort. However, as Figure 1 indicates (while the data presented stops with 2006 — our research indicates the trends continue) — the prevalence of viruses, internet scams, identity theft and related issues has grown significantly along with our increased use of email, Internet financial transactions and social media. The management aspect of this virtual world needs attention just like any other part of your business. Risks have grown, and they can be appropriately addressed. In particular, we would note that the steps of any risk management plan apply here: 1.) Identify the risk, 2.) Analyze the risk (measuring frequency and severity), 3.) Evaluate the risk (examine alternatives), 4.) Treat the risk — put your plan into action, and 5.) Monitor and review how your risk management is going and adapt as appropriate. Below we outline some of the key areas of risk, and discuss some possible strategies with the overarching goal of improving the security and safety of your grain and feed business.
Account passwords may be the easiest method of improving and maintaining your Internet security, yet they may be one of the hardest to implement due to the necessity of keeping track of numerous accounts and long, complicated passwords as mentioned below. Suggestions for handling these challenges include:
1. Use different passwords for different sites.
a. Utilize a password manager. Most of these products integrate with your browser and capture your user name and password when you log into a secure site. The online magazine PC World has a good review of the 2015 products (both free and paid) available at: http://www.pcmag.com/article2/0,2817,2407168,00.asp.
b. It turns out that a number of Internet browsers (Internet Explorer, Google Chrome and Firefox among others) will save your user name/password for you — typically using the “autofill” function. The biggest problem with having your browser save your passwords involves prying eyes. Not only can other users who have access to your computer log in to your accounts and see your actual passwords or credit card details, but so can a thief if your computer, smartphone, or tablet gets lost or stolen. And the same risk applies if you haven’t properly erased your data from your PC when you get rid of it. However, if you are the only user of your PC and are careful, this is a useful function.
2. Utilize strong passwords.
a. The requirements for a strong password include upper- and lower-case letters, numbers and/or symbols, and no recognizable words. While you may find it a challenge to create … and remember such a password, some strategies include: creating a phrase and then using it backward as your password; using symbols in your phrase to represent something in the password; or creating a phrase and then using the first letter of each word, with a number or symbol thrown in. For example, “I love skiing in Aspen in December” becomes IlsiAiD15 or something similar.
3. Use two-factor authentication.
a. Two-factor authentication (also known as 2FA) provides unambiguous identification of a user by means of the combination of two different components. It is based on the premise that an unauthorized user is unlikely to be able to supply both factors required for access. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. A good example from everyday life is withdrawing money from a cash machine. Only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, i.e., something that the user knows) allows the transaction to be carried out. There is a growing use of mobile phones for 2FA, so that the “something you possess” does not have to be a dedicated token — the user’s phone receives a one-time, dynamically generated password to complete the authentication.
Web browsing/virus protection
As can also be seen in the graph about Web threats, there has been significant growth of malware (short for “malicious software,” which is any software used to disrupt computer operation, gather sensitive information, or gain access to a computer system), much of it spread by visiting infected websites. Depending on how technically correct you want to be, computer viruses are a subset of malware — or the two words mean the same thing. Viruses were the dominant form of malware in the 1980s and ’90s, when personal computers were first becoming common. At that time, there was no commonly used umbrella term such as malware, so people called any malicious program a virus. And the word has stuck. Your computer can become infected simply by visiting an infected website. Strategies for protection and/or cleanup after a problem is discovered include the following:
1. Install and maintain up-to-date virus protection software (PC Magazine ranks the best antivirus programs at: http://www.pcmag.com/article2/0,2817,2372364,00.asp).
2. Run a program like Spybot (see: http://www.safer-networking.org). This program is donationware — it is free to use, but the author accepts and encourages donations towards further development.
3. Check installed programs and remove any unrecognized software.
4. If you are unsure whether or not you have completely removed the malware, consult an IT professional.
Use of the Internet for shopping and banking, for both personal and business purposes, has grown significantly. Convenience has increased substantially, but there is risk here also. The best way to safely conduct any Internet financial transaction is to ensure that any site where you enter a credit card number or make a financial transaction is a secure website using an “https” address — look for “https” at the beginning of the web address and the padlock symbol in the browser frame. In practice, use of an “https” website ensures that you are communicating precisely with the website named in the address bar and that the contents of the communication between you and the site cannot be read or forged by a third party. Note that “https” does not vouch for the site itself — a fraudulent site can also use it — so check that the address is genuinely your bank’s or retailer’s, as discussed under phishing below.
Identity theft involves the unauthorized use of your name and personal details to either steal from you as an individual or as a business, or commit a crime in your name or that of your firm. There are a number of symptoms which might indicate identity theft. These include: not receiving bills or other correspondence — suggesting that a thief has given a different address in place of yours; you cannot log into a site using your normal password (indicating a criminal has logged in as you and changed it); denial of credit for no obvious reason; entries on your bank or credit card statement for goods you did not buy.
According to a recent Chicago Tribune article, “With all the news recently about data breaches at major U.S. retailers — Target, Neiman Marcus, Michaels — many consumers might wonder if they should subscribe to an identity theft ‘protection’ service. The short answer is, probably not, if your only concern is a thief fraudulently using your payment card information. Typically, that’s not a big deal, and you won’t lose any money.” The reason for this is that most credit cards protect you from fraudulent use — if you notify them. “Generally, the value of these services is to alert you more quickly,” says Susan Grant, director of consumer protection at the Consumer Federation of America. “But no ID theft service can legitimately claim to prevent your information from being stolen or used.” Often you will pay for tasks that you can do yourself for free. Thus, the caveat is to weigh the costs and benefits of such a service.
Phishing (so named as a homophone of “fishing” due to the similarity of using fake bait to catch a victim) is the illegal attempt to acquire sensitive information such as your user name, password or credit card details (usually for malicious reasons) by posing as a trustworthy entity in an electronic communication. Typically a phishing attempt will come in an email with a return email address from someone you know or a legitimate business. Phishing is usually carried out by email spoofing (the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source) or instant messaging, and will often direct you to a fake website whose look and feel are almost identical to the legitimate one.
How do you spot a phishing attempt? There are several clues, including: 1.) The message contains a mismatched URL. The URL may appear to be legitimate, but if you hover your mouse over the URL, many email programs (like Outlook) will show you the actual hyperlinked address. If the hyperlinked address is different from the displayed address, the message is probably malicious. 2.) The URL may contain a misleading domain name. It is the last (right-hand) part of the domain name that is the clue here, because in the DNS (Domain Name System) naming structure the registered domain is read from the right, so a genuine Microsoft address must end in microsoft.com. A phishing artist will therefore try to spoof a legitimate company by using a domain something like microsoft.softwareupdate.com, which actually belongs to whoever registered softwareupdate.com. 3.) The message contains poor spelling and grammar. This should be a definitive tip-off that it was not run through a major corporation’s legal department! Other clues include messages asking for personal information, offers which are too good to be true, and actions which you did not initiate.
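Clues 1 and 2 above (plus the “https” check from the banking section) can be applied mechanically to the links in a message. The following is an added example, not code from the column; it assumes a constructed list of domains the business trusts and uses a simplified two-label rule for the registered domain.

```python
"""Apply the column's phishing clues to one link: does the displayed address
match the real hyperlink, and does a trusted brand sit at the right-hand
(registered) end of the domain? Added example, not from the column."""
from urllib.parse import urlparse

# Assumption (constructed list): domains this business expects mail from.
TRUSTED_DOMAINS = ("microsoft.com", "paypal.com", "examplebank.com")


def host_of(text: str) -> str:
    """Host part of a URL, or '' when the text is not URL-like ('Click here')."""
    if " " in text.strip() or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Right-most two labels: 'microsoft.softwareupdate.com' -> 'softwareupdate.com'.
    Simplification: multi-label public suffixes such as 'co.uk' are not handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(displayed: str, href: str) -> list:
    """Return the warning reasons for one link; an empty list means no clue fired."""
    reasons = []
    shown_host, real_host = host_of(displayed), host_of(href)
    # Clue 1: the address the reader sees is not where the link really goes.
    if shown_host and shown_host != real_host:
        reasons.append("mismatched URL: shows %s but goes to %s" % (shown_host, real_host))
    # Clue 2: a trusted brand appears on the left, but someone else owns the domain.
    real_reg = registrable_domain(real_host)
    for brand in TRUSTED_DOMAINS:
        label = brand.split(".")[0]
        if any(label in part for part in real_host.split(".")) and real_reg != brand:
            reasons.append("misleading domain: looks like %s but is registered as %s"
                           % (brand, real_reg))
    # Clue 3 (banking section): the real target is not an https address.
    if real_host and not href.lower().startswith("https://"):
        reasons.append("not an https link")
    return reasons


if __name__ == "__main__":
    # Constructed sample link, as it might appear in a phishing email.
    print(check_link("https://www.microsoft.com/account",
                     "http://microsoft.softwareupdate.com/login"))
```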
Backing up your data
One of the biggest safety measures you can take to protect the integrity of your data and guard against data loss is to back up your data regularly. Perhaps you have had the excruciating experience of a hard drive crash, or have had some nasty virus corrupt your files. If not, it is definitely an unpleasant experience. However, with careful planning you can avoid data loss, which is the most important concern. Perhaps the easiest method to ensure a hard drive crash does not set you back a couple of years is to install a “ditto drive” (either an internal or external drive which mirrors your primary hard drive) and then install software which automatically backs up any newly created data every day. (PC Magazine gives 4 ½ stars to Acronis TrueImage and ShadowProtect Desktop in a discussion of “World Backup Day” — check out their review at: http://www.pcmag.com/article2/0,2817,2278661,00.asp.) If you leave your computer on all the time, you just set a time late at night or early in the morning for your computer to do this, so that it does not interfere with your workday. If you don’t leave your computer on all the time, then perhaps you want to have it backed up at lunch time. The benefit of having it done automatically is that you don’t have to constantly remember to do it, which is what gets many of us into trouble.
Another possibility is to use a cloud storage option like OneDrive, Dropbox, or iCloud. Consult your IT professional for the appropriate software to password protect or encrypt your external storage.
Smartphones and tablets
With much of our IT world going mobile, smartphones and tablets now function as your computer also. All of the discussion above applies to these devices as well. You need to password protect, and install antivirus on, smartphones and tablets alike. Many smartphones have built-in security that will allow you to “brick” your phone if you lose it (so called because it locks your device and makes it as useful as a “brick”). This sends a remote signal to completely wipe all data from your phone. Android’s version is called “Android Device Manager.” For Apple products, there is an app called “Find My iPhone,” which helps you locate and protect your iPhone, iPad, iPod touch or Mac if it is lost or stolen. The program helps you locate your device, lock and track your device, and can remotely erase all of your personal information from the device.
Resources and wrap-up
We came across several comprehensive and useful websites in pulling this column together. They are worth checking out.
The United States Computer Emergency Readiness Team (US-CERT): This resource is put together by the Department of Homeland Security’s US-CERT program: https://www.us-cert.gov/ncas/tips
Get Safe Online: The United Kingdom’s leading source of unbiased, factual and easy-to-understand information on online safety. It is a very comprehensive site, broken down by: Personal: Protecting your computer; protecting yourself; smartphones and tablets; shopping, banking and payments; safeguarding children; social networking. Business: hardware and devices; information security; online safety and security; rules, guidelines and procedures; software and ways you work. Each section has numerous subsections with useful tips and information. Found at: https://www.getsafeonline.org
Management of computer safety/cyber security is an increasingly important part of managing your grain and feed business. It is great and convenient to be connected to the wider world electronically, but being prepared and careful can prevent time-consuming and unfortunate problems.