When AmericanHort approved our idea for a session on cybersecurity at Cultivate’18, I knew it could shine a light on an unseen threat to the industry. As a cloud-based software vendor, we are well aware of the risks when your business is constantly connected to the internet.
Little did I know I would end up being Exhibit A for my own lecture.
I was sitting in Brothers Bar & Grill in Columbus the day before Cultivate was to begin when I was nearly the victim of a cyberscam. This was two days before I was to present “3 Cyberthreats that will Destroy Your Business” at the conference.
I knew I had to share this story with the people who attended the session. Would the audience think I was making this up for the sake of drama? Who would believe this coincidence?
I was truly concerned because the last thing I wanted the audience to think was that I was being melodramatic about cybersecurity. This was not a matter of raising the alarm just for the sake of it.
The monster is out there, and people in the horticulture industry need to be fully aware of the risks.
The scam email added more relevance to my topic: There is more to cybersecurity than having anti-virus protection. It was a chance to reinforce the notion that education is far more important.
Cyberthreats Cost Trillions of Dollars
Huge cyberattacks have made the news over the past few years, many of which affected billions of people directly or indirectly. There was the Target credit card breach, the Equifax data breach, and every Yahoo! account was compromised, just to name a few.
When you just look at these three cases, the numbers are mind-boggling: The Yahoo! breach affected all of its 3 billion accounts. Equifax’s breach impacted 146 million U.S. customers. The Target breach disrupted 40 million customers.
While these statistics are shocking, they were not nearly as bad as the overall numbers recently projected by the 2019 Cisco/Cybersecurity Ventures Almanac:
• Cybercrime damage costs to hit $6 trillion annually by 2021
• By 2022, 6 billion people will be connected to the internet and exposed to cybersecurity attacks
• Global ransomware damage costs alone were predicted to exceed $5 billion in 2017
• Unfilled cybersecurity jobs are expected to triple by 2021
These statistics show how easy it has become to pass through internet security. Cybercrime is no longer the sole domain of hackers. Social engineering — the psychological manipulation of people into taking actions or divulging confidential information willingly or inviting the criminal past the security itself — is now the preferred method.
According to the Advanced Social Engineering and Vulnerability Assessment Framework, only 3% of malware tries to exploit software or hardware. The other 97% involves social engineering.
Take Time to Educate Your Whole Team on Cybersecurity
I had three examples of local organizations affected by cybercrime in my presentation. All three involved social engineering, and made for great examples of why education is so important to stopping cybercrime.
The first was Mecklenburg County, NC, where Charlotte is located. One employee opened a phishing email. (Phishing uses seemingly legitimate communication to trick a target into giving out private information.) The email was an invitation for the cybercriminal to bypass the county’s security and gain access to its IT systems.
Once in, the criminal dropped ransomware and closed down entire department systems, like human resources, the tax collector, and the Register of Deeds offices. When the county refused to pay, the hackers tried a second time to no avail. Mecklenburg County was able to recover itself, but it took a full 28 days for its IT department to get it back to normal.
Another attack happened at my church, which was hit with a ransomware attack through a phishing email. The cybercriminal encrypted a folder with sensitive information on the server. Without the IT resources to recover the folder on our own, we paid the ransom.
The other example affected one of Practical Software Solutions’ customers. It was a hybrid attack: The cybercriminal hacked into that company’s email server and found out when the company’s owner was taking vacation. When he was gone, the criminals sent an email from the owner’s account to a secretary, saying he was in trouble. Before it was found out, the secretary wired tens of thousands of dollars to an offshore account.
Four Cautions to Prevent Phishing
These attacks could have been prevented by educating anyone who was connected to these organizations’ servers, whether they only use email or work inside the server every day. Phishing can be thwarted by common sense:
• No legitimate company will ever request your personal information through email, whether it’s your bank, your credit card company, or the government.
• Be suspicious of any email asking you to do something out of the ordinary.
• Check the email sender’s domain (what follows the @ sign in the address) to see if it matches the sender’s real web page domain.
• When in doubt, don’t click on any link from a sender you don’t recognize or one that seems fishy.
As for the email hacking example that turned into a money-wiring scam, create a code word (that is not shared digitally) for anyone with access to company bank accounts for any transaction over a certain dollar amount.
After receiving the email I did at Cultivate’18, I can see how even the best educated people can mistakenly interact with a phishing attempt. Think about it: I was at a dinner, relaxing and not giving my full attention to the emails on my phone. If cybersecurity hadn’t been on my mind, would I have taken as much care as I did in that moment?
Mistakes can happen, so it’s good to know what to do if you think you’ve been the victim of a cybercrime. You can contact the FBI Internet Crime Complaint Center or the Federal Trade Commission. Both organizations also have tips on how to prevent and recover from cybercrime.
As we move toward a more connected society, we must be more diligent about what we interact with online. Staying educated on cybercrime is the best ounce of protection to get the pound of cure.