Cybersecurity and Data Management
Industry Insiders Provide Tips to Mitigate Cyberattack Risks
By Nicole Nelson
Michael Foster certainly doesn’t want anyone to panic, but he cannot emphasize enough the importance of taking appropriate, protective steps to avoid the growing threat of cyberattacks.
Widely recognized for his broad range of high-level technological expertise, The Foster Institute IT Best Practices and Cybersecurity Specialist advises organizations in the material handling industry to approach cybersecurity as if they are already under constant attack.
“For added caution and better protection, they should assume that bad actors have already infiltrated their network, and attackers may be quietly dwelling in one or more systems,” Foster cautioned. “I hesitate to share that because it sounds like I am spreading fear, uncertainty and doubt, but they have heard about business associates and other companies experiencing successful attacks.”
Foster succinctly hypothesized the ill effects of a successful attack on other companies involving ransomware with one simple statement: “It stops them from being able to function.”
In the event of a cyberattack, Foster pointed out that the materials handling organization will not only be unable to deliver its intended products and services, but the organization will continue to pay workers that cannot be productive. In addition, recovery will likely be expensive. “Despite the fact that insurance may cover part of the cost, there is a good chance that the claim cannot make up for missed opportunities or late orders, nor protect against damage to reputation,” Foster said.
Furthermore, if insurance is utilized, the insurance policy may not be renewed and another insurer may be difficult to attain. In a nutshell, calamity is constantly lurking from the ever-evolving world of cybercrime. Not only can cyberattacks affect individual organizations, but the governments under which they stand.
“Especially with the war in Ukraine, the U.S. government is warning that there is a heightened threat to all U.S. organizations,” Foster stated. “Good cyber hygiene helps protect our country.”
To better protect all against cyber-related vulnerabilities, Foster first recommended ensuring the fortification of company data.
“One cybersecurity best practice for organizations in the material handling industry is to practice restoring their data from their backups,” Foster said, noting that 50 percent of organizations discover they cannot restore operations if they lose all of their files during an attack.
Another best practice is to stay current on all critical security updates from their operating systems, including Microsoft and Apple. When software or hardware updates are made available, use these to not only patch vulnerabilities but also provide new functionality that may benefit your business.
It is also imperative that materials handling companies update their applications when vendors release security updates as their firewalls and other infrastructure devices need security updates, too.
“Most companies fail to stay current on their updates because it can be a time-consuming task,” Foster said. “Updating never ends as there are new patches all the time.” Additionally, IT professionals are sometimes hesitant to install updates because the update might break existing network infrastructure. “Why would an IT pro want to do something that could cause problems on the network?” Foster said. “Because updates are one of the best ways to protect yourself.”
Foster noted that there are strategies to make the updating process safer and quicker. “One obvious help is to uninstall all applications that are not essential for workers,” Foster suggested. “If the application isn’t installed, it is unnecessary to update it.”
One way attackers infiltrate systems is to take over user accounts by stealing passwords or taking control of the user’s session. The attackers then have all the privileges as the user.
To limit the attackers’ rights when they compromise an account, it is essential to limit user rights to the least access they need to accomplish their work without interruption. “By default, operating systems give users significantly more power than they need, and the added privileges make it easier for attackers to compromise systems,” Foster explained. “IT professionals must intentionally lower the rights and permissions to be only what the users need to help thwart attackers.”
With so many cybersecurity controls, Foster said that it makes sense to glean a certified cybersecurity professional’s advice based upon each organization’s situation. This includes vendor connections.
“If a vendor gets taken out, that interruption to their supply chain could be devastating,” Foster said. “If a customer wires money to a fake account to pay an invoice, and if the charge is large enough, the customer might not be able to afford to pay the invoice again and the MHEDA member might lose a significant amount of income.”
Similarly, if customer or employee information is lost, the MHEDA member may face lawsuits, if not irreparable damage to their reputation.
Foster reminded materials handling organizations to consider the connections of remote workers, which adds a whole new level of risk through the use of Virtual Private Networks (VPNs). While VPNs are designed to keep data private, it only works effectively when both ends of a VPN connection are properly secured. Unfortunately, most organizations do not have both sides protected. “Unless IT knows how to configure the VPN properly, having the VPN makes it easier – not more difficult – for an attacker to break into networks,” Foster cautioned.
In a nutshell, Foster said cyberattacks should be mitigated at all costs. Surprisingly enough, most mitigation methods require no monetary charge.
“With the exception of retaining the services of a certified cybersecurity advisor, most organizations have already purchased everything they need to protect themselves,” Foster said.
That said, Foster said such features must be enabled and configured correctly. Even though the protection is budget-friendly, most of it comes with the cost of time for IT professionals – whether inhouse employees or outsourced IT companies.
“Most IT professionals are so overwhelmed that they are reactive and don’t have time to be proactive,” Foster explained. “Have compassion for your IT pros. Visit with them and find out what you can do to help them be more aggressive in cybersecurity if there is room for improvement.”
Foster recommended focusing attention on the fundamentals. “We frequently see organizations spend a tremendous amount of money on cybersecurity products they don’t need,” Foster said. “Some products are helpful, but it is essential to take care of the basics first.”
Essentially, all organizations should be using a two-step login process called multifactor authentication. Encrypting hard drives on laptops can also help protect an organization from experiencing a data breach if the computer is lost or stolen.
Foster suggested educating system users to make them aware of actions that are risky or helpful in terms of security. However, as a buyer beware, he cautioned the development of a false sense of security upon the implementation of organizational training.
“Training cannot replace protections that must be in place to protect systems if a user makes a mistake,” Foster said. “It is vital to protect against the hundreds of ways an attacker can compromise a system with no user involvement.”
Anoop Kanthan, CEO of omniX labs, said the best avenue is to take a well-rounded, universal approach.
“While information security technology solutions and approaches are available from a point-to-point or asset-to-asset perspective, it really is about tackling this in a more holistic way,” said Kanthan, the cofounder of the machine learning platform, with applications across multiple industries including logistics, for computer vision applications. “That doesn’t necessarily mean spending huge amounts of capital though, as much of this is about good policies, standards, and procedures for your organization.”
In addition to personally identifiable information, payment card industry data (PCI) and their equivalents where applicable, Kanthan highly recommended system and organization control compliance.
“It approaches this challenge from an across-all-parts-of-the-business perspective and allows you to follow a well-trodden path to managing it well as an ongoing concern rather than just a point in time, ‘pass the exam’ mentality”, Kanthan explained. “You will be able to also layer in technology-based solutions in a digestible way to include spending proportionately as you scale in size and complexity.”
Kanthan also suggested material handling companies approach the mitigation process by identifying top-down influences in terms of risk factors.
“Starting with the highest risks is a great way leg into it and not get overwhelmed by the acronyms and jargon,” Kanthan advised. “Start with the basics like credit card information storage and contact details of your customers.”
In addition to improving data hygiene, material handling companies must also be mindful of internal systems, processes and access.
Kanthan said material handling companies need to think long and hard about which systems access is necessary for a role in the organization and is adamant material handling companies implement good access procedures when both on boarding and off boarding staff.
Kanthan suggested utilizing the principle of least privilege, meaning granting only the absolute necessary level of systems access for the employee to fulfil their role.
In protecting technology assets, he estimated 90-plus percent effectiveness in terms of protection by immediately applying patches, firmware and software updates as soon as they are released. In addition, he advocated for using the Cloud to avert potential risk.
“It is probably time to get rid of that server sitting under your desk and migrate your system to the Cloud,” Kanthan advised. “Cloud providers have hundreds of analysts thinking about security 24/7 and are likely doing a much better job that you ever could.” He recommends you complete your Cloud migration by implementing protective cybersecurity measures.
While Kanthan said that cybersecurity and other information security threats will continue to evolve and become ever more sophisticated, he suggests that a cybersecurity mindset begins at home.
“This is more of a cultural adjustment and a ‘way of being’ for the organization,” Kanthan said. “If your leadership team instills a cybersecurity mindset – just like it probably already is doing for workers’ physical safety at your locations – then you are well on your way.”
About the Author
With more than 30 years of experience writing and editing across all trades, Atlanta-based Nicole Nelson especially enjoys penning articles relevant to the current business and political climate.
Tips From the Top
- Most material handling companies will need to perform an annual PCI (Payment Credit Industry) audit. While smaller operations often fall into a self-audit category, it is oftentimes advisable to hire a reputable third party to properly conduct the audit to ensure the PCI Data Security Standard requirements are met.
- Meeting the requirements of PCI not only helps protect your business from credit card theft, but also from attacks like ransomware and viruses.
- One budget-friendly way to get started on a journey to cyber hygiene is to check with your current insurance provider as many carriers offer a cybersecurity module or provide checklists and toolkits for disaster recovery and business continuity. Others offer hands-on simulations and annual check-ins.
- Another idea is to check for reputable free courses, such as those previously offered by digital security provider ESET via its free, comprehensive Cybersecurity Awareness Training.