Cybersecurity Best Practices for Energy Marketers
by Nathaniel C. Gravel, CISA, CISM, CRISC, Gray, Gray & Gray
The 4 most common computer hacks and 5 key defenses
With news reports of cyberattacks shutting down everything from fuel pipelines to food distribution, it is not unthinkable that your propane or fuel oil company could become the next victim. Increasingly sophisticated cybercriminals have the technology and resources to attack any organization, of any size, in any location.
Companies of all sizes need to invest in cybersecurity and security awareness training. Smaller companies typically have fewer resources to defend themselves against cyberattacks, and the damage done is often more devastating. Half of all small and medium-size businesses that suffer a cyberattack go out of business within six months.
What is at risk from a cyberattack? That depends largely on the type of attack. At the very least, your business is going to suffer a period of disruption that can range from a nuisance to a complete shutdown. Here are the most common forms of attack.
Phishing or Malicious Email – Nobody is immune from being “spoofed” by an email that looks legitimate but is designed to penetrate your company’s network. That is why 95% of cyber penetrations arrive via email. Think you are too smart to be fooled? An estimated 30% of phishing emails are opened. Cyber thieves have become experts at making emails appear to come from a colleague, friend or customer. They may include a link or attachment that looks innocent but plants malicious files on your system, where they lie dormant for days, weeks, or months before being activated to access data, steal valuable information, or disrupt your communications.
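The sender tricks described above can be checked mechanically before a message reaches a mailbox. The script below is an added example, not code from the article or from Gray, Gray & Gray; the company domains, staff names and both sample messages in it are constructed. It flags a colleague's display name on an outside address, a sender domain that imitates a trusted one, and a Reply-To header that silently redirects replies elsewhere.

```python
"""Added example, not from the article: a small inbound-mail triage check.

It flags the three sender tricks the article describes: a colleague's
display name on an external address, a lookalike sender domain, and a
Reply-To that quietly redirects replies elsewhere. All domains, names and
messages below are constructed for the example.
"""
import difflib
import email
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed: domains this company and its known trading partners send from.
TRUSTED_DOMAINS: Set[str] = {"example-fuel.com", "partner-propane.com"}

# Constructed: staff display names an attacker would most like to borrow.
STAFF_NAMES: Set[str] = {"Jane Doe", "Bob Smith"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted: Set[str], threshold: float = 0.8) -> Optional[str]:
    """Return the trusted domain that `domain` closely resembles, or None.

    An exact trusted domain is not a lookalike. The similarity ratio catches
    single-character swaps such as 'l' -> '1' and added or dropped hyphens.
    """
    if domain in trusted:
        return None
    for candidate in sorted(trusted):
        if difflib.SequenceMatcher(None, domain, candidate).ratio() >= threshold:
            return candidate
    return None


def assess_message(raw: str) -> List[str]:
    """Return human-readable findings for one RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw)
    findings: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. A known colleague's name on an address the company does not control.
    if display_name in STAFF_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(
            f"display name '{display_name}' used from external domain {from_domain}"
        )

    # 2. Sender domain that imitates one we trust.
    resembled = lookalike_of(from_domain, TRUSTED_DOMAINS)
    if resembled:
        findings.append(f"sender domain {from_domain} resembles trusted domain {resembled}")

    # 3. Reply-To steering replies to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}"
        )
    return findings


# Constructed sample messages.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@examp1e-fuel.com>
Reply-To: billing@mail-relay.example.net
To: ap@example-fuel.com
Subject: Updated bank details for this month's delivery invoice

Please pay this month's invoice to the new account below.
"""

SAMPLE_LEGIT = """\
From: Bob Smith <bob.smith@example-fuel.com>
To: ap@example-fuel.com
Subject: Delivery schedule

Trucks are booked for Tuesday morning.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(sample) or ["no findings"])
```

A mail gateway or mailbox rule can quarantine or tag anything that produces findings; the point is that the checks run on the message headers, so they catch the spoof whether or not the employee spots it.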
Data Compromise and Exfiltration – If a criminal organization penetrates your network and gains access to your files, there is an extremely high risk that personally identifiable information (PII) will be stolen. PII can range from employee Social Security numbers to customer financial data to supplier bank accounts. The information is exploited to make purchases, open new credit cards, file false tax returns, and for other illegal uses. This can be extremely costly for many reasons. In most states, you can be fined thousands of dollars per day, per data file until the breach is resolved. You will be required to formally notify all individuals whose data was potentially accessed and assist them in monitoring their credit reports. Perhaps most costly is the embarrassment your business will suffer through public exposure of the breach, which can permanently damage your reputation.
Ransomware – Although ransomware attacks make for big headlines, the ransoms themselves are seldom huge; the average payment for a small or midsize business is about $130,000. Cybercriminals know they are much more likely to get paid if their demands are affordable, and many businesses quietly pay the price. The real cost of an attack comes in the loss of access to your network and information. How many days can you survive without use of your computers? How long will it take to reconstruct lost data?
Credential Theft and Account Takeover – As we continue to rely on web-based applications and cloud infrastructure to carry out operations and deliver services to customers, we become increasingly susceptible to credential theft and account compromise. Usernames and passwords to web-based applications are stolen daily and used to take over online accounts. With critical business applications like email and accounting systems now residing in the cloud, credential theft and account takeover can have a detrimental impact on your organization’s reputation and financial position.
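Cloud email and accounting systems record every sign-in, and a stolen password leaves a pattern in those records. The script below is an added example, not code from the article or from any vendor; its log format and every event in it are constructed. It raises an alert when a successful sign-in follows a burst of failures, when a user signs in from a country never seen for that account, and when two sign-ins from different countries are too close together to be genuine travel.

```python
"""Added example, not from the article: detecting account takeover in
sign-in logs for a cloud application (e-mail, accounting, and so on).

Three patterns are checked per user, in time order:
  * a successful sign-in preceded by a burst of failures (a stolen or
    guessed password finally working),
  * a successful sign-in from a country that user has never signed in from,
  * two successes from different countries too close together to be travel.
The log format and every event below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) "
    r"ip=(?P<ip>\S+) country=(?P<country>\S+)"
)

Alert = Tuple[str, str, str]  # (user, alert kind, detail)


def parse_events(lines: List[str]) -> List[dict]:
    """Parse constructed sign-in log lines; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_takeover(
    events: List[dict],
    fail_threshold: int = 5,
    fail_window: timedelta = timedelta(minutes=10),
    travel_window: timedelta = timedelta(hours=1),
) -> List[Alert]:
    """Walk events in time order and return the alerts they trigger."""
    alerts: List[Alert] = []
    seen_countries: Dict[str, set] = defaultdict(set)
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    last_success: Dict[str, Tuple[datetime, str]] = {}

    for ev in events:
        user, ts, country = ev["user"], ev["ts"], ev["country"]
        if ev["result"] == "failure":
            recent_failures[user].append(ts)
            continue

        # Success after a burst of failures inside the window.
        burst = [t for t in recent_failures[user] if ts - t <= fail_window]
        if len(burst) >= fail_threshold:
            alerts.append((user, "credential_stuffing",
                           f"{len(burst)} failures then success from {ev['ip']}"))
        recent_failures[user].clear()

        # Two successes from different countries closer than the travel window.
        if user in last_success:
            prev_ts, prev_country = last_success[user]
            if prev_country != country and ts - prev_ts <= travel_window:
                alerts.append((user, "impossible_travel",
                               f"{prev_country} then {country} within {ts - prev_ts}"))

        # First-ever sign-in from this country (the user's first sign-in sets the baseline).
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append((user, "new_country", f"first sign-in from {country} ({ev['ip']})"))

        seen_countries[user].add(country)
        last_success[user] = (ts, country)
    return alerts


# Constructed sample log (documentation IP ranges only).
SAMPLE_LOG = [
    "2024-05-02T08:00:00Z user=alice result=success ip=203.0.113.10 country=US",
    "2024-05-02T08:30:00Z user=alice result=failure ip=198.51.100.7 country=RO",
    "2024-05-02T08:31:00Z user=alice result=failure ip=198.51.100.7 country=RO",
    "2024-05-02T08:32:00Z user=alice result=failure ip=198.51.100.7 country=RO",
    "2024-05-02T08:33:00Z user=alice result=failure ip=198.51.100.7 country=RO",
    "2024-05-02T08:33:30Z user=alice result=failure ip=198.51.100.7 country=RO",
    "2024-05-02T08:34:00Z user=alice result=success ip=198.51.100.7 country=RO",
    "2024-05-02T09:00:00Z user=bob result=success ip=203.0.113.22 country=US",
    "2024-05-02T09:30:00Z user=bob result=success ip=203.0.113.22 country=US",
]


def alert_kinds(user: str, log: List[str]) -> List[str]:
    """Sorted alert kinds raised for one user over a log."""
    return sorted(kind for u, kind, _ in detect_takeover(parse_events(log)) if u == user)


if __name__ == "__main__":
    for alert in detect_takeover(parse_events(SAMPLE_LOG)):
        print(*alert)
```

In the sample, alice's account trips all three checks while bob's routine sign-ins produce nothing. Any of these alerts is a reason to reset the password, revoke active sessions and confirm that multi-factor authentication is enforced on that account.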
What can you do to protect your fuel oil or propane company against cyberattacks? Here are five steps to becoming more resilient.
- Gap Assessment – Identify the places and ways a cybercriminal might access your system. An end-to-end review of vulnerabilities, which should include a penetration test, will give you a basis for deciding where you need to shore up your defenses.
- Employee Training – With 95% of intrusions being made through individual error, it is essential to implement a formal training program for all employees. A training “stack” can help better prepare your people to recognize phishing attempts, spoofed emails, and suspicious attachments. Be sure to include refresher training, as threats are constantly changing and becoming more sophisticated.
- Testing – Don’t just assume your systems are secure and employees are following the rules they have learned. Regular vulnerability assessments, penetration testing, and simulated phishing exercises will help identify and close control gaps before attackers can exploit them.
- Patching – If you are still running an older version of any type of software, you should immediately update to the latest version, which should include patches and security updates.
- Layered Security/Defense in Depth – Many companies are still taking an unbalanced approach to defining and implementing their cybersecurity strategy, putting too much confidence in too few security measures. A well-balanced cybersecurity strategy looks beyond simple preventive controls to consider detection and response capabilities. A more comprehensive security strategy generally leads to better investments and an overall improvement in a company’s security posture.
Nathaniel Gravel is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP, a consulting, accounting and business advisory firm serving the fuel oil and propane industries. He can be reached at email@example.com.