“We don’t get to choose if we are a target,” Eide Bailly’s Jon Ault on Cybersecurity

During his short course presentation, Jon Ault from Eide Bailly outlined the current cybersecurity landscape. Ault stated that 28% of cyber threats are the result of user action while 72% is the result of external exposure which includes software exploits or a remote access hijack. Vulnerabilities continue to rise at a rapid rate each year. A significant portion of vulnerabilities are the result of failures to update software

Ault explained the ‘Attack Chain’ for bad actors. “It starts with access either through a known exploit or by user action. Normally, the bad actors then spends time doing ‘recon’. They move laterally throughout the organization identifying valuable information which can be exfiltrated, or stolen. This can occur over several weeks or months. At some point, however, the bad actor will encrypt the organization’s data and then monetize their efforts by demanding a ransom.” Ault gave examples of well known attacks like the MGM Resorts cyber attack that hack that cost the company nearly $100 million, despite refusing to pay the ransom.

What can you do to protect yourself?
Ault stated that you need to ‘play offense’ by training and testing yourself and your people. You should test your systems for any obvious vulnerabilities and replace old, out of date systems that may have known vulnerabilities. You also need to ‘play defense’ by keeping your systems current. Software updates are often issued to patch identified vulnerabilities. Use modern ‘end point protection’ such as anti-virus software on all computers. Good anti-virus programs often provide protection through email filtering and website security. “These are just basic defense measures.”

“You can increase your defense, but it comes down to how much inconvenience you want to deal with,” said Ault. For instance, two-factor authentication requires a separate verification code to log into things like your bank accounts, email, certain websites, social media accounts. Often this code is sent separately to your phone, email account, or through a verification application registered with the account you are trying to access. From a business standpoint, you can limit who can make changes to your network or add programs or applications to your computers through restrictive administrative privileges. As a final word of advice, Ault noted, “Keep your guard up and trust nobody.”

Additional Information:
Passwords that are short and simple can be hacked nearly instantly by a computer. On the other hand, passwords at least 12 characters in length that contain upper case and lower case letters, numbers, and special characters could take years to solve. Tech Support Farm in West Fargo created a useful online cybersecurity course: www.techsupport.farm/training

SEC Requires Cybersecurity Plans for Filing Companies
Starting in 2023, the Securities and Exchange Commission requires companies to establish and disclose cybersecurity plans. The requirement is an attempt to protect investors by making sure reporting companies have a cybersecurity risk management strategy and report cybersecurity incidents. SEC Chair Gary Gensler stated in a July release announcing the rule, “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors.”

The Finance and Audit Committee is responsible for governance of the Golden Growers cybersecurity strategy and plan. The plan formalizes many of our existing strategies. In addition, the plan provides for assessment risks posed by third party vendors, an incident response plan, and a process for disclosure of incidents.

The Board wants members to understand how serious they are about securing and protecting their information, by effectively implementing protections through solid planning and oversight.