
You don’t need to be a Fortune 500 company to be a target for cybercriminals. You just need to be profitable enough that they think you can pay.
“They don’t actually want to bankrupt the company; they want to be able to be paid, but it’s going to really hurt,” says Patrick Curtin, director of technical sales at Field Effect, a cybersecurity company for businesses. “If people aren’t properly set up to withstand that kind of attack, and they don’t have good backups, then they might feel like they have no choice but to pay up.”
As more landscape companies bring smartphones and tablets into their field operations to boost efficiency, the risk of cyberattacks also rises unless the proper safeguards are in place.
“It’s actually never been worse than it is today,” Curtin says. “That’s not fear mongering; it’s just the way it is. The barrier to entry to cybercrime has never been lower. Anyone can go online today, and if they’re willing to spend a few $100 a month, they can get access to incredibly sophisticated attack tools.”
The Threats
Cyberthreats aren’t just a concern for office workers anymore. The risk is often the device in a crew leader’s pocket or a tablet sitting in the truck. Unsecured mobile devices can be an easy entry point for attackers.
“As more organizations rely on tablets and smartphones for field operations, one of the most significant cybersecurity risks is the growing number of remote users and devices that remain constantly connected to the internet,” says Greg Pepper, security architect and office of the CTO at Check Point Software, a cybersecurity solutions company that helps protect corporate enterprises and governments. “This ‘always on’ connectivity exposes both users and endpoints to a steady stream of threats, including phishing attacks, drive-by downloads that deliver ransomware, and other forms of malware.”
Everyday actions such as opening a malicious email, visiting a compromised website or installing seemingly legitimate applications can all introduce hidden malware. Pepper says malware on mobile and tablet devices can be crippling to an organization.
“Mobile devices have not just sensitive information, but threat actors can silently activate the camera/microphone to listen and see what’s currently happening,” Pepper says. “Hackers can tap into the GPS to determine locations or even use the compromised device to launch further attacks on other users and devices.”
Another risk arises when crews tap into nearby public Wi-Fi, whether it’s on a commercial property or at a nearby coffee shop between jobs, because hackers can create rogue hotspots that impersonate the real one.
“Once the users join the fake Wi-Fi hotspot, it’s possible the threat actors could try to capture traffic, inject malicious payloads or even perform SSL interception where they can look inside of encrypted traffic,” Pepper says.
Identity attacks are the most common threat. This is where cybercriminals try to trick a user into completing a certain action, such as entering their password.
“There are a few variants of that that don’t involve a password,” Curtin says. “Sometimes they’ll bring up a CAPTCHA screen and say you need to enter this really long, convoluted alphanumeric code into that CAPTCHA screen, and that’s the new variant, but they’re always trying to trick you into doing something.”
Pepper says that phishing through emails and smishing via texts continue to have the most volume and effectiveness in attacks.
“Threat actors can craft custom messages that look legitimate,” Pepper says. “End users, thinking they are expecting a package, an offer from a vendor or a note from a friend or colleague, are likely to get duped and click on a malicious link. This continues to be a major initial source of infection and compromise for organizations large and small.”
Once a threat actor has a user’s credentials, they can then start a ransomware attack or use that account to send out fake invoices or change banking information.
“They’re going to try and establish persistence because their first foothold is pretty weak,” Curtin says. “They’re going to try and escalate their privileges so they can do more. They become system administrators and then spread. They’re going to look for data. Steal data, send the data out, then they’ll encrypt systems.”
Curtin says that when a ransomware attack occurs, a company without good backups will lose access to the systems it needs to run the day-to-day aspects of the business. Even after paying the ransom, there’s no guarantee the cybercriminal will provide a decryption key that actually works.
“There’s some research showing that only around half of the companies that pay the ransom actually will get their data back,” Curtin says. “The best thing is to avoid it in the first place.”
Building Resilience
While cyberthreats are real, the good news is that your organization is not helpless against them.
Curtin says the key to avoiding debilitating cyberattacks is building defense in depth and resilience.
“We’re not aiming for perfection,” Curtin says. “Perfection is impossible. Anyone who tells you that they’re just blowing smoke. It’s all about building layers so that when something does go wrong, it’s not going to be the end of the business.”
When a company has cybersecurity resilience, if an individual does fall for a phishing email and enters their credentials somewhere, the attack is contained. Curtin says that resilience is established through your people, processes and technology.
The first step is increasing awareness with your field staff who are using mobile devices to clock in and access job details on a daily basis, so they know what threats are out there and how to identify them. Curtin encourages explaining the why behind your cybertraining, which can help ensure buy-in from team members.
“When a cybercrime happens, it can be really bad for the business, and it can mean we’re not getting work,” Curtin says. “It can mean we’re not paying you. So I would really go to principles like that, it’s about business health. All good employees should hope that their business is doing well and they’re contributing to that, and part of that contribution is being safe online.”
Curtin says it’s also important that team members know to speak up if they were tricked by an identity attack.
“If I did something, say something, ‘I’ve made a mistake here,’” Curtin says. “‘My device is acting weirdly. Can someone look at this? I may have made a mistake.’ The business shouldn’t be looking to punish that person. They should actually be really glad you brought that forward so they can look into it.”
It’s best to treat cybersecurity just like any other safety training rather than a niche IT concern. Keep your messaging simple and practical so employees know how to handle these situations.
Pepper says a good rule of thumb to share is if you have to think about whether an email or text is legitimate or malicious, you’ve probably already answered your own question.
“It’s best not to click on a link and confirm from the sender if this was a valid email, attachment, or text message rather than clicking blindly on the links only to find out it’s malicious,” Pepper says. “It only takes a moment to verify the legitimacy and authenticity of the digital content before opening unknown links, emails, and attachments.”
Non-Negotiables for Field Devices
There’s no one silver bullet to protect your field devices from cyberattacks. Rather, it comes down to following a number of different processes and practices.
One basic cyberhygiene practice is the use of multifactor authentication and complex passwords.
“Password managers are really, really good, so that will allow for very long passwords that people don’t have to remember, and they just have to use their password manager app on their device that takes care of it,” Curtin says.
Curtin adds that reusing the same password can also be a major problem, as cybercriminals can then access all your accounts.
Pepper recommends protecting sensitive customer, partner, and employee data on mobile phones and tablet devices with an enterprise-encrypted portion of storage.
“This allows for business-related email, files, and data to be isolated in a secured partition on the phone or tablet,” Pepper says.
Another non-negotiable is regularly patching and updating your field devices. Curtin says that cybercriminals are often looking for vulnerable devices that are running old, unpatched software. He says automatic updates are an absolute necessity.
Curtin encourages landscape companies to have processes in place for when an employee leaves the organization, so they don’t retain access to their accounts. Pepper adds that in instances of lost or stolen phones or tablets, companies should utilize enterprise tools that allow them to remotely wipe data off these devices.
Advice for Others
Pepper stresses that whether you have 10 or 1,000 employees, you need to secure all your devices, especially those that are outside of the office, where networks, environments and usage are harder to control.
“Laptops, desktops, phones, and tablets can all be targets for cyberattacks,” Pepper says. “Any one of these devices, when compromised, can spread from one device to any and all devices connected to the networks.”
Curtin adds that prevention is far cheaper than recovery. Even if you have offline backups and cybersecurity insurance, rebuilding is a costly and painful process.
“Cybersecurity insurance is good to cushion the blow,” Curtin says. “They’re going to help you with some of the costs, but one of the things they don’t normally do is help you with the lost revenue and reputation.”
Additionally, having the right cybersecurity controls in place is now necessary to even have a cybersecurity insurance policy issued.
“One of the things we’re seeing more and more is they’re requiring 24/7 coverage,” Curtin says. “If you have an incident and you submit a claim, they’re going to ask to see evidence that you were doing what you said you were going to do, and if you aren’t doing that, then they’re not going to honor the claim.”
Pepper says it’s imperative that companies read the fine print before commencing a new cybersecurity insurance policy and understand what requirements and due diligence are mandated on their end to maintain compliance with the insurance policy itself.
Curtin recommends having a third party conduct a cybersecurity assessment to determine where your company needs to improve.
“Ask yourself, if someone were to employ an identity attack against us today, how are we going to spot that? Are we going to spot that?” Curtin says. “Then you can get into harder questions, like, ‘How do I know my vulnerability management program is working?’ If you don’t have one, you need one. And ‘how am I going to detect the stealthiest attacks where they’re going to log in as you and use your own tools against you?’ If you’ve got good answers for all of that, you’re in a good space. If not, there are things you’re going to need to focus on.”
This article was published in the June/July/August issue of The Edge magazine.




