of criminals are trying to execute. The reason for that is the
likelihood of paying a ransom. So, if you attack an industry
that is critical to the safety and life of a society, it’s more
critical to pay that ransom in a lot of cases, right? There is
access and vulnerability and impact. Where opportunity lies,
they will exploit that.”
Decreasing Risk Starts at the Top
While no system is foolproof, there are basic measures
all companies can take to limit exposure to cyber threats.
First, a key aspect is understanding that cybersecurity
cannot be seen as just an information technology (IT)
problem. It is partly an organizational culture problem.
Retired Colonel John Hoffman is a senior research fellow
with the Food Protection and Defense Institute (FPDI) at
the University of Minnesota. FPDI researches and identifies
vulnerabilities of the global food system and works with
stakeholders, both public and private, to educate and train
them on assuring product integrity, supply chain resiliency,
and brand protection.
“We don’t go in and work on your network or your cloud,”
Hoffman explained. “We focus on changing the culture of
the company. Changing the mindset of management all the
way down to OT [operational technology] workers on the
production floor. We educate management and teach them
to set the example and change the posture of the company.”
Most attacks happen at the OT, not management,
level, according to Hoffman. “Sometimes they might get
into payroll or something, but it’s usually on the processing
floor from operational techs,” he said. “Typically, risk
comes from human factors—somebody clicked on a link
or opened an email they shouldn’t have. We want to get
people to think about cybersecurity the same way they
think about HACCP [hazard analysis and critical control
point]—identify the hazards, critical control points, etc.
That’s also why employees at all levels need to be trained,
so they understand how to talk to the IT folks about what
they need to protect the company.”
For instance, many companies use industrial control
systems (ICS) that have outdated software and operating
systems or programs with custom code written before
cybersecurity was a problem. A white paper written by
FPDI, Adulterating More than Food: The Cyber Risk to Food
Processing and Manufacturing, goes into more detail about
its research on ICS vulnerabilities. It found it was very
common to see companies using systems that (a) cannot
be updated, and (b) are connected to the company’s entire
network for convenience.
Suppose a hacker finds a device on the production
floor, like a water pressure valve or a security camera that is
connected to the company-wide network and not protected
sufficiently. That can give the hacker a foothold into the
company’s system, which they can use to escalate privileges
and ultimately encrypt the company’s data to hold it hostage
for ransom. It is quite possible the IT department was not
aware the connected water valve existed, which is a prime
example of why IT and OT personnel must work together
more closely.
Business email compromise is another cyber threat that
everyone in the organization with access to email must be
trained to avoid. Even though most employees think they
know how to avoid an email scam, hackers are getting better
at tricking people. Following is an example.
A hacker gets into an employee’s email inbox
undetected through phishing or compromising log-in
credentials. This particular bad actor sets a rule for
the inbox to forward all messages to another email
that he or she controls, then sits back and monitors
the communications coming through that inbox until
an opportunity arises. Now say this employee sends
an invoice to a vendor. The hacker can take over the
email, still undetected, and send instructions from the
legitimate email address to the vendor asking payment
to be sent to a new bank account. The sent email is
hidden from the employee.
The employee never saw that email, the vendor
had no reason to suspect a hacker had taken over the
account because the email address is the same that
has always been used, and now the money is gone.
The fraud is only discovered later when the employee
contacts the vendor about a missed payment. If the
vendor’s employee had been made aware of this type of
threat, they could have made one phone call to verify the
change of banking information and stopped this attack.
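
The forwarding rule in the scenario above is something a mail administrator can look for before any money moves. The sketch below is an added example, not from the article or FPDI: the rule record layout, the domain names and the sample rules are constructed assumptions, and the hide/delete check is one assumed way a message could be kept out of the employee's view.

```python
from dataclasses import dataclass, field

# Assumption: domains the company itself owns; anything else counts as external.
INTERNAL_DOMAINS = {"example-renderer.test"}

@dataclass
class InboxRule:
    """Hypothetical export of one mailbox rule; not any real mail system's schema."""
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # addresses the rule forwards to
    conditions: dict = field(default_factory=dict)  # empty = applies to every message
    delete_or_hide: bool = False                    # rule deletes or moves mail out of view

def domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()

def review_rule(rule):
    """Return a list of findings for one rule (empty list = nothing suspicious)."""
    findings = []
    external = [a for a in rule.forward_to if domain(a) not in INTERNAL_DOMAINS]
    if external:
        scope = "ALL mail" if not rule.conditions else "matching mail"
        findings.append(f"forwards {scope} outside the company: {', '.join(external)}")
    if rule.delete_or_hide and rule.conditions:
        findings.append("hides or deletes messages matching " + repr(rule.conditions))
    return findings

def audit(rules):
    """Map (mailbox, rule name) -> findings, for rules with at least one finding."""
    return {(r.mailbox, r.name): found for r in rules if (found := review_rule(r))}

# Constructed sample data, not taken from a real mailbox.
SAMPLE_RULES = [
    InboxRule("ap@example-renderer.test", "Newsletters",
              conditions={"from": "news@vendor.test"}),
    InboxRule("ap@example-renderer.test", "sync",
              forward_to=["backup.ap@mail-outside.test"]),
    InboxRule("ap@example-renderer.test", "tidy",
              conditions={"subject_contains": "bank"}, delete_or_hide=True),
    InboxRule("ap@example-renderer.test", "To assistant",
              forward_to=["assistant@example-renderer.test"]),
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit(SAMPLE_RULES).items():
        for finding in findings:
            print(f"{mailbox} rule '{name}': {finding}")
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise.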
www.rendermagazine.com Render August 2021 15