Practices

In Unit 2, let’s look at best practices that contribute to cyber preparedness on the farm - or cyber-hygiene. 

We will begin by going through some basic steps that can help minimize the likelihood of a successful cyberattack. Then we will examine some common agricultural cyberattack scenarios. We will also identify what kinds of support are available to you to enhance your on-farm cybersecurity. 

This unit is all about practices, meaning you’ll move past passively reading the content and actually try implementing it. That’s why this unit concludes with several worksheets - everything from how to create a farm network map to conducting a cyber ‘fire drill’ to producing a cybersecurity policy for your business. Let’s get started!


Basic Steps to Minimize the Likelihood of a Successful Cyberattack


What cybersecurity tools do you currently use?
Anti-malware or antivirus software
Data backups on online/cloud systems (ex: Google Drive, iDrive)
Data backups on hard drives (ex: USB stick)
Unique and complex passwords 
Multi-factor authentication
Physical access controls (ex: important systems or devices in locked rooms or drawers)
VPNs (Virtual Private Networks)
Separate devices for home and business activities
Segregated home and business networks
Block unknown IP addresses
Cybersecurity training for everyone using your farm networks
Reviewed vendors and retailers cybersecurity practices 
Network map of all farm network connected devices
Have cybersecurity policy and procedures
Conduct cybersecurity incident drills
Other

Preventing cyberattack is always more efficient and effective than responding to cyberattack.

In that way, cybersecurity is similar to occupational health and workplace safety. It is easier, cheaper, and more helpful to prevent injuries on the job than it is to heal one. By buying work boots with a good grip, salting outside pavement in the winter, and keeping barn floors free of debris or spills, you can reduce the likelihood of injuries. Physical pain, time away from work and hospital visits cut into your wellbeing, productivity and profitability. 

While incorporating good cyber hygiene practices into our daily operations may seem like another chore, the truth is you are much better off taking that extra moment to back up our data at the end of the week, type in that extra code from the 2-factor authentication system or change our old passwords every few months.  

The good news is that many of the steps that you can take to minimize the likelihood of a cyberattack on your operation are easy to implement and don’t require specialized cybersecurity knowledge. These basic steps go a long way to preventing cyberattack, and all the headache, financial loss, and recovery time associated with it. 

To learn more about the basic steps you can take to prevent cyberattack, expand each section of the list below. Depending on your background knowledge, you may know some of them already.


Anti-malware or antivirus software

Anti-malware, malware scanner, or antivirus tools are software programs that monitor computer systems or networks for known examples of malicious code and attempts to remove, or quarantine, the offending software if it is discovered. 
Most antivirus (AV) products use a pattern recognition, or what’s called a signature matching system, to detect the presence of known malicious code. Some AV products have adopted technologies that can also detect new and unknown malware. These technologies include anomaly detection (i.e. watch for programs which violate specific rules), behavioral detection (i.e. watch for programs that have behaviors that are different from the normal behavior of the system), and heuristic detection (i.e. watch for programs that exhibit actions which are known to be those of confirmed malware).


Remote Data Backup 

Creating a copy of data using an online, or cloud, storage solution (ex: Microsoft OneDrive or Google Drive) is the best insurance against data loss. With a backup, damaged or lost data files can be restored. Backups should be created on a regular basis - ideally every 24 hours. 
Backups can be done manually, but it is easy to forget to run the backup, and it can be labour intensive to gather all the different data together. As a result, automated backup services can be used to run regular backups for you. A common strategy for managing your approach to data backup is the 3-2-1 rule: 
  • You should have three copies of your data - the original and two backups. 
  • You should use two different types of media for the backups such as a cloud storage solution and physical media (e.g. a hard drive).
  • You should NEVER store the three copies of data in one place. It is important to store backups for disaster recovery at an offsite location to insure they are not damaged by the same event that would damage the original data located on-farm or at home. Onsite backups can be used for resolving minor issues such as accidental file deletion or hard drive failure.

When deciding on the backup strategy for your farm, consider what not having the previous days’, weeks’, or months’ data would mean to your operation.

Many agriculture technology tools are delivered using the software-as-a-service model (SaaS) where you pay a monthly subscription to access the software over the internet or via a mobile app.  In this case, your agriculture data will already be stored in the cloud.  This means it is already offsite and managed by your agtech provider. In this case, you can consider making a local copy of the data as one of your backups. Likewise, you should ask your service provider some questions[link to section “Key Questions for Vendors”] about what they do to keep your data secure. 


Complex Passwords

A strong password is made up of numbers, symbols, capital and lowercase letters so that it is hard to crack, based on lists of common passwords, information a cyberattacker may have about you, or ‘brute force’ methods, like running millions of different combinations. Traditionally, it is recommended that strong passwords are at least eight characters long.
Here are two examples of very strong passwords:
  • m#P52s@ap$VdyDL
  • dss&dHGd%l~94nd

Alternatively, some cybersecurity experts recommend joining three unrelated words that you can remember, but are difficult to guess (e.g. pig+airplane+breeze). Passwords built using this approach could be made even stronger by adding numbers and symbols:
  • dogcouchcoffee99!
  •  teecup4elephant! 

Your passwords should never be autosaved on your phone, computer, or browser. And critically you should never use the same password for multiple websites or devices. 

While some cybersecurity experts suggest that your most important passwords should not be stored in an electronic password manager, a secure password manager app such as  BitWarden  or  1password  can help keep track of strong high-security passwords in a world that requires so many of them. Keep in mind that we are not endorsing a particular password manager. Before choosing to use a password manager you should do some research to look at their security track record or discuss the issue with a technology service provider or IT professional.

Another workable alternative to managing the large number of passwords is to keep a notebook with your passwords in a locked drawer or cabinet.  

Finally, make it a habit to change your passwords every 3 months to 6 months


Multi-Factor Authentication

Authentication using two or more different methods can provide increased security during log-ins. You may have come across two-factor authentication in your everyday use of the internet already. For example, have you ever tried to log into your Gmail account from another computer and been prompted to enter a code sent to you by text message? This second form of authentication provides extra security and helps to confirm that it is in fact you trying to access your account. It may feel inconvenient, but it is one of the most effective forms of cybersecurity prevention. 
In general, authentication can be done using a combination of three factors:
Type 1: Something you know such as passwords and PINs 
Type 2: Something you have such as smart cards, a handheld device like a telephone, or OTP (One Time Password) devices
Type 3: Someone you are such as fingerprints or retina scans. This is also known as biometrics


Physical Access Controls 

Physical security measures can be used to detect and deny unauthorized access to an information system or a physical facility. This can be as simple as locking office doors or drawers that contain sensitive farm or personal information. You may also consider using physical access controls to limit access to equipment that are essential to your farming operations. This could be a server cabinet, or the machine room for your barn’s heating and ventilation systems. 


Virtual Private Network (VPN)

A VPN is a communication link between systems, computers or networks that is encrypted in order to provide a secured, private, isolated pathway of communications. Put another way, a VPN provides a secure ‘tunnel’ for your data to move through that is protected from being viewed by your internet service provider (ISP) or anyone else, including cyber-criminals who have inappropriately gained access to your WiFi network. 

For example, if you are using your phone to check on your farm's banking information while out at a coffee shop, you can start your VPN to shield your communications. Some experts even suggest keeping your VPN on at all times, but a good practice is to use this tool to protect your most sensitive information, your most critical systems, or when you’re using unknown networks

Some VPN services are free but many require a paid subscription. Some examples include:  NordVPN ,  Surfshark , or a free one like  Windscribe Free . These are not endorsements of any particular VPN companies, and it’s important to check them and others out thoroughly.


Separate Networks and Devices for Home and Work

Separate networks and devices for work and home is an important way to limit your risk. This can include using separate computers, phones, and even internet packages for your home and business use. Separate networks will greatly reduce the chance that your farm network is attacked if your home network, or a personal device is compromised (and vice versa). This can be particularly important if you have children, or their friends, using your home network for gaming, social media, etc. In fact, your home WiFi can be further segregated into your personal home network and one for guests, with separate passwords. This can be easily set up on most internet routers.


Cybersecurity Training

Providing or requiring cybersecurity training to everyone who access farm devices and networks is an excellent way to reduce your risk. Educating people about cybersecurity threats and good cyber hygiene practices for the farm goes a long way to reducing risk of a cyber incident. 
A business is only as safe as its least trained employee. Training can be very simple or it could involve a series of workshops or a more structured course. The important thing is to identify why cybersecurity is important to your farm business, then use that to start a conversation with key personnel about how to achieve that vision. From there you can begin to learn and take steps together to improve your farm’s cybersecurity readiness.

On the next page we will walk you through a number of practices that you can use to improve your cyber preparedness. This includes questions to ask your technology vendors, creating a network map, developing a cybersecurity policy and running a cyber fire drill.







Next:  📖Putting it into Practice