Advice on basic cyber security steps for farm businesses

Small things can make a big difference in protecting a business and individuals from cyberattacks, says police Det Supt Patrick Milford.

Patrick is director of the South East Cyber Resilience Centre, one of nine regional centres across England and Wales offering information and free advice on cybersecurity to small and micro businesses.

“It’s such an under-reported crime, because if someone gets hacked, they might speak to an IT person to get it sorted but they don’t think about contacting the police or Action Fraud,” says Patrick.

See also: How to safeguard against internal fraud on farms

“Farming is a particularly vulnerable area but people often think they are not at risk or that they would not be of interest to hackers.

“Secondly, people think it’s too complicated  but the basic stuff we’re talking about is easily understandable.

“Small things you can do can make a big difference, such as password security, having a backup, and multi-factor authentication (MFA). That sort of thing can make a big impact for very little effort.

“If you don’t make that effort, its like leaving the window to your internet open. If people are hit they generally don’t want to talk about it, so it doesn’t seem a real threat, but if you have cyberattack, you’ll be dealing with the aftermath for six months.

“Multi-factor authentication massively increases security. As a hacker, I can buy 1,000 emails and their passwords on the dark web for 99c [79p]. If they don’t have MFA, I can set that up for myself and put whatever I like on there,” he says.

Keeping cybercriminals out

A scam email or text message will typically try to convince someone to click a link, which leads to a website that could download viruses onto a computer, or steal passwords and personal information.

If an unexpected message arrives, check with the business using the details you already have for them through previous contact. Do not use the numbers or addresses contained in the suspect message.

Scam emails and messages often imply urgency or are written in a personally friendly style. While they are becoming more sophisticated, they sometimes contain spelling mistakes or poor grammar.

The following measures, which include tips from the National Cyber Security Centre, will make it more difficult for hackers to gain access to devices and data.

• Avoid common, easily guessed passwords and use separate passwords for each device and online account, especially email accounts. Cybercriminals trade stolen username and password combinations, which they try out on accounts around the internet. They also try common, easily guessed passwords randomly, hoping to strike it lucky. If you write down passwords, store them securely, away from your device. Change all manufacturers’ default passwords.
• Use two-factor authentication, also known as multi-factor authentication. This is a free security feature offered by apps and websites and provides an extra layer of protection for online accounts by asking for additional information to check that the person trying to gain access is an authentic user. The second step proof often involves a code being sent to a smartphone, or created by an authenticator app or device.
• Keep farm management software, devices and systems updated with the latest security patches – the easiest way to do this is to set updates to be installed automatically.
• Download antivirus products to protect from malware – essentially a computer virus usually designed to steal or extort money, often by holding data to ransom. Anything that connects to the internet is at risk from malware, which could lock a device or make it unusable; immobilise farm vehicles; steal, delete or encrypt data; interfere with automated systems; or divert confidential farm data into the public domain.
• Activate firewalls on devices to create a buffer between your network and the internet.
• Consider all online accounts: banking, email and social media, but also things like the Rural Payments service, HMRC online services, online shopping and cloud document storage.
• Make regular backups of important data and set reminders for this. Keep these backups physically separate from the computer, for example on a USB storage device, a separate hard drive or computer. Cloud services can also be used to back up files so a fire or theft won’t result in the loss of the original and the backup.
• Consider security on all devices. Measures include password protection or enabling a screenlock password, PIN, fingerprint or face ID, or other authentication for mobile devices. Protect home and/or office computers with encryption, usually built into the operating system and which just needs to be turned on.
• Keep devices safe – most include free, web-based tools that can be enabled to track the location of the device, lock it remotely, erase data remotely and retrieve a backup of data stored on the device.
• Consider using a virtual private network (VPN). This encrypts your internet connection and puts a shield over data, helping to secure online activity.

Tips sourced mainly from National Cyber Security Centre

© Adobe Stock

Specialist advice to reduce risk

Bringing in outside help can identify risks and suggest remedies – for example, moving to a private network and using firewall security where internet access is required.

At data connectivity specialist and internet service provider Spitfire, sales director Dominic Norton points out that the public internet can be bypassed entirely, making devices invisible and unreachable from external threats.

“There has been a big increase in ‘internet of things’ [IoT] devices being targeted, especially as the use of AI and machine learning has increased, leading to more sophisticated attacks,” says Dominic.

“Whether that’s a CCTV camera monitoring equipment, or devices tracking other assets, livestock health and feed monitoring, crop and soil conditions, reporting on energy or solar panel systems, security for access control etc, these are all potential entry points for cyberattacks.

“A lot of the time ‘retail’ type SIMs [mobile phone SIMs] are used [for IoT applications] which have very little in the way of security protection,” says Dominic.

“They should be using IoT SIMs purpose made for the job, better security, and ideally private networks to completely prevent unauthorised access.”