In 2018, researchers were driving around construction sites testing out their new code. In their office, they had highjacked a miniature crane. Now they were testing their code out on real ones.
Armed with laptops powered by their car’s battery, some cheap radio hardware, and their scripts, they were able to take over cranes at consenting construction sites. Over the course of a few weeks, they became professional crane spotters and asked permission to test their code at various projects.
In the 14 sites they visited, the code worked every time. Even more alarming was the code’s ability to “sniff” radio traffic to determine hackable heavy machinery. The vulnerability went beyond cranes. It could exploit excavators, scrapers, and other machinery.
Something as harmless as radio controllers posed a catastrophic risk to these construction companies. It begs the question, what innocent component of your organization poses a similar cybersecurity risk and how can you manage it?
Where would it hurt?
While you may not have heavy construction equipment to derail your operations, consider the implications of a cybersecurity breach to your organization. Start with questions that focus on the implications of business disruption:
- Will your operations come to a complete stop?
- What critical business processes like paying vendors and employees would be affected?
- How would a breach affect future revenue (delayed estimates, shipments, etc.)?
Additionally, what financial loss would you incur from a major breach or disruption? Most people think about the cost of remedying the problem, but it goes beyond that. Consider things like:
- Will you have critical funds to keep operations going or get them back to normal?
- Will you miss out on future revenue?
- Could you face significant regulatory/compliance penalties or fees?
Finally, who will not work with you as a result of the breach or disruption? The reputational cost may end up costing you more than you expect. Consider questions like:
- Will you lose current projects?
- What will happen to your ability bid on certain projects or work with critical vendors or prospects?
- Perhaps most importantly, what happens if you lose critical talent and struggle to recruit new talent?
What are the threats?
As we saw in the opening story, cybersecurity threats are everywhere. But today, there are three main concerns we encourage our clients to focus on managing.
Ransomware
According to the National Institute of Stands and Technology (NIST), ransomware is a malicious attachment where attackers encrypt critical data and demand a monetary payment to unencrypt and restore access to the data. During the spring of 2020, there were 20,000 – 30,000 attacks per day in the United States. In 2019, data was successfully encrypted in 73% of ransomware attacks and one-in-three targets paid the ransom.
Social engineering
NIST defines social engineering as a general term for attackers trying to trick people into revealing sensitive information or performing certain actions that appear benign but are malicious. Phishing emails tend to be the most prominent entry point. A phishing email is an email that appears legitimate but encourages the user to take an action that compromises their computer or reveals sensitive information. In 2020, a single phishing attack resulted in an average loss of $1.6 million.
Internet of Things (IoT)
According to Gartner, IoT is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment. Items like connected printers, timers, thermostats, etc. can all help improve productivity and reduce costs. Statista reports there are currently 8.74 billion IoT devices worldwide and that figure is expected to triple to more than 25 billion by 2030 – all of which can be exploited when improperly managed.
What can you do?
In the opening crane scenario, the radio controller vendor fixed the vulnerability. To effectively manage your risk for each of the threats above, we suggest taking a three-pronged approach: people, processes, and tools.
Consider these questions for each area:
People
- Have we trained staff on cybersecurity best practices related to ransomware and phishing attacks?
- Does our staff understand email security best practices? Are we sending information through emails or websites without fully recognizing the risks?
- Are we testing staff with simulated attacks/emails?
Processes
- Do we know what we need to protect/backup and are we testing our protection and backup processes?
- What is our response plan? Are we testing it? How long does it allow us to operate at partial or full capacity until the threat is neutralized?
- Are our IoT devices adding enough value to justify their risk?
Tools
- Are we using anti-virus/anti-malware tools? Does our email provider offer anti-phishing features?
- Are our IoT devices on a separate network from critical information infrastructure? Are we installing patches and updates to minimize their vulnerabilities?
- Are we automating the installation of those patches and updates?
If you find yourself unable to understand or answer the questions, you need to work with your IT team to better understand the risks your organization faces.
In addition, consider taking a gap assessment to determine where your cybersecurity practices are lacking. We suggest our Basic Cybersecurity Hygiene Survey. Click the button below if you would like to take it.
In summary
To better manage your cybersecurity risk, understand three critical questions:
- Where would it hurt?
- What are the threats?
- What can we do?
Once you answer those three questions for your situation, begin managing your risk by focusing on people, processes, and tools. You will need to pull in your HR, operations, and IT teams to help manage the risk. After all, information risk is business risk.
If you would like to discuss your situation or your cyber hygiene results, contact one of our professionals using their information below.
Senior Vice President
Assurance Services
Aron Dunn devotes a significant part of his practice to serving agribusiness clients and leads AGH’s agribusiness team. During more than 20 years helping ag-related clients build and preserve wealth, Aron's experience includes elevator operations, grain mills, renewable fuels, food processing entities, and cattle feeding operations. He has expertise in grain inventory existence, grain inventory valuation, hedging programs, grain-in-transit programs, grain basis and other highly specialized aspects of agribusiness. In addition, he has special-project background in mergers and acquisitions and refinancing.
Aron is a certified public accountant and a member of both the American Institute of Certified Public Accountants and the Kansas Society of Certified Public Accountants (KSCPA). At one point, he served as the youngest-ever KSCPA chair, long time former chair of the KSCPA’s Auditing and Accounting task force and the Peer Review Process Improvement Task Force, and is a past president of the Wichita Chapter of the KSCPA. He is a former member of AICPA's Accounting & Review Services Committee among other AICPA committees and task forces.
Senior Vice President
Technology Services
Brian joined AGH in 1992. He leads the firm’s technology services practice where he helps clients achieve measurable performance improvements through the delivery of specialized, competency-based information systems management, assurance, and advisory services. He has extensive experience in information security, network engineering, and solution development, with recognized specializations in governance, risk, control, and related consulting services.
Brian is a member of ISACA (previously known as the Information Systems Audit and Control Association), the Kansas Society of Certified Public Accountants (KSCPA), the American Institute of Certified Public Accountants (AICPA), the AICPA’s Information Management and Technology Assurance (IMTA) Section, and the Association for Supply Chain Management (ASCM). He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and Certified in Production and Inventory Management (CPIM).
Brian is also a Certified Public Accountant (CPA) and a graduate of Wichita State University, where he earned Master of Accountancy and Bachelor of Business Administration degrees.