Cyberattacks are one of those nightmare scenarios that you might think will never happen to your company. You may say to yourself, “Who wants to hack a lawn care business?” Unfortunately, there are plenty of cybercriminals who want to do just that. In the early days, cybercriminals were focused on larger companies because you had to put a lot of effort into attacking a company.
“Now times have shifted, you can automate so many of the attacks and you don’t need to invest any time,” says Michael Mayberry, CTO for Level Green Landscaping, based in Upper Marlboro, Maryland. “You can just hit a button and it will basically start looking for vulnerabilities across the internet.”
Adam Scheinberg, VP of information technology at Massey Services, based in Orlando, Florida, adds that scammers’ best targets are small to medium -sized businesses. Landscape companies have more assets and access to valuable data than your average PC user but lower defenses than larger companies.
“Because so much of what is really important to our business is data and stored digitally if that gets encrypted or lost or deleted in any way, shape or form, it has huge ripple effects into everyone’s company,” Mayberry says. “Therefore, that’s what attackers are really going after. You don’t have to have anything ‘valuable’ to steal anymore. Everything that you own is valuable to running your business and if you’ve lost that, it would be devastating.”
Dave Schwetz, director of technology and innovation for Chenmark, says it’s easy to overlook cybersecurity as you’re working to deliver value to your customers. However, without a cybersecurity plan in place, you can quickly run into big trouble or deal with constant distractors taking your attention away from your core value proposition.
“It’s easy to say, ‘We’re too busy,’ ‘This won’t happen to me or can’t happen to me,’ or ‘We’ll get to it,’” Schwetz says.
Mayberry adds that obscurity does not equal security. Just because something is hidden doesn’t mean it’s secure. He says it also ignores the possibility of internal cybersecurity threats.
“If someone is getting ready to walk away in the green industry, pricing and your contact list are pretty much everything,” Mayberry says. “So, if someone can walk away with that, they’re walking away with your entire business. So, what are you doing to protect that and to make sure that people can’t do that?”
Don’t let the mistaken belief that cybersecurity is too hard to implement be the reason your business is vulnerable.
“No company is too large or too small to think about security,” Scheinberg says.
Common Threats
There is no doubt cyberattacks are becoming more common. Mayberry says cybersecurity is always reactive because cybercriminals are constantly finding new ways to break through.
“Cyberattacks have increased steadily since 1998, with more reports in 2021 than in all of 2019 and 2020 combined,” Scheinberg says. “Some firms, such as Crowdstrike, have measured a 154 percent increase in attacks year-over-year. It’s really not a question of ‘if’ it will happen, but rather ‘when’ it will happen.”
Cyberattacks tend to focus on the confidentiality, availability and/or integrity of your systems. They can compromise customer data, prevent you from accessing the technology needed to run your business or seriously harm your company’s reputation.
“It can be awfully scary if your company’s systems are breached,” Scheinberg says. “For starters, you could lose access to your field service systems, inventory, mobile devices, credit cards, or bank accounts. Indirectly, you could compromise your customers’ identities, credit card numbers, or personal information. Ultimately, you could then end up entangled with law enforcement. Often this means notifying customers that personal information had not been protected…which, if not done properly, could result in lawsuits.”
Ransomware is one of the most common cyberattacks you can face where your data is encrypted, and the hacker refuses to unlock it unless the ransom is paid. Scheinberg says this ransom could be anywhere from several thousand, hundreds of thousands or even millions of dollars.
“If you are struck by a ransomware event and have to pay to decrypt your files, you may get your data back,” Scheinberg says. “But you can expect that data to be sold and resold on the dark web with all valuable information exfiltrated from your computer or your network. Don’t be fooled into thinking the damage is done once you’re hit and you recover.”
Steps to Improve Cybersecurity
Mayberry says the majority of the time ransomware attacks are preventable if you invest the time in training your teams on what to look for.
“Technology is just as much of a tool as a weed eater is for our business anymore,” Mayberry says. “We use it just as often. So why are we not taking the time to train our people on how to properly and safely use that tool like we do with the power equipment that we use?”
Schwetz says that 82 percent of all data compromises had a human component to them, which is why it is so critical to take the time to make sure your team has ongoing cybersecurity training.
“First and foremost, be the example if it’s important to you, if it’s important to the ownership, then it’s going to be important to the staff,” Schwetz says.
Mayberry says he often shares cyberattack news stories with the Level Green team to highlight the importance of cybersecurity. He tries to educate staff on the proper way to handle their personal accounts as well.
“Especially for small companies, there’s too much mixture of personal and business life and devices and connected accounts,” Mayberry says. “So, if people are not being safe in their personal lives then they’re probably not being safe in their work lives as well.”
Scheinberg suggests using your weekly training to also discuss technology and review a small component of responsible tech behavior.
“Don’t allow anyone to fall back on ‘I’m not a computer person,’” Sheinberg says. “We live in a digital world. In 2022, good digital hygiene is table stakes for a business interested in retaining customers.”
Conducting a risk analysis or engaging a partner can help you audit your current practices and determine specifically where your company can do better.
Another tactic you can implement to improve your cybersecurity is to invest in a spam filter that flags suspicious emails and enable multifactor authentication. Schwetz says another easy win is utilizing a password manager.
“There’s a rare intersection of things that make life easier and things that make life more secure and in this particular incidence, using a password manager falls into that rare intersection,” Schwetz says. “It will encrypt all your passwords for you and fill them in as you go to different websites. It’s safe because of the way that it’s encrypted.”
Scheinberg says one common misconception is that a strong, complex password has a lowercase letter, uppercase letter, number and unique character.“
As computers become more powerful, we’re learning that people are not very good at inventing passwords that are difficult for computers to guess,” Scheinberg says. “The truth is that a longer password – also known as a passphrase – is better than a short but varied password.”
Mayberry also advises moving to cloud platforms as the responsibility falls on these third-party platforms to provide the protections you need.
“My suggestion is to start small and keep adding,” Mayberry says. “Don’t think that once you add email security you’re done, because you’re not.”
Advice for Others
Mayberry strongly encourages having someone on staff who is focused on technology, as cybersecurity cannot be a side task for an employee. It is a cat-and-mouse game where tactics are ever-changing. Also, make sure you are budgeting for cybersecurity.
“These things add up and they tend to compound especially over time,” Schwetz says. “When choosing to prioritize your efforts and your time, make sure you fully understand and realize the downsides of if you ignore or deprioritize cybersecurity.”
Schwetz stresses you need to practice restoring your backup files before there is a situation where data has been lost. He says you should also ensure that your cybersecurity plan is evolving with the nature of your business.
“Regardless of industry or size, if you deal with customers, you have a responsibility to be good stewards of their information,” Scheinberg says. “Learn more. Partner with professionals. Raise the bar and let your team see your commitment to security and best practices.”
This article was published in the Sept/Oct issue of the magazine. To read more stories from The Edge magazine, click here to subscribe to the digital edition.
