While many think of the banking system, the electric grid and major retailers as the target for cyber-attacks, all companies—including pest-management firms—can find themselves in the crosshairs of a cyber-criminal, said Ari Rogoway, IT director of Sprague Pest, the largest commercial-only pest control company in the Western U.S.
“It isn’t a matter of if you are going to face a cyber-attack, it’s a matter of when,” said Rogoway, who has boosted Sprague Pest’s cybersecurity in recent years in response to a couple of computer phishing attacks that had the potential to tarnish the company’s reputation. Phishing is when a cybercriminal sends an email to a user—or often a host of users within a company—in hopes that a few will open an attachment, giving them access to all the information on the users’ computer. In Sprague’s case, the cybercriminals entered the system through a phishing scheme, accessed the user’s email contacts, and sent a fake bill—using the compromised employee’s email address—to a customer. “Phishing happens every day,” Rogoway said. “In a successful phishing attack, the criminal has access to all files, including email contacts, and, in some cases, sensitive information, like employee information and the billing system.”
While many companies seem most afraid of a ransomware attack—when cyber-criminals enter a company’s computer system, shut it down and demand payment before returning access and control of the system to the company—phishing schemes are a far greater threat, he said. “Frankly, ransomware attacks are some of the easiest to combat. If you are using a shared-file systems with automatic backup, IT can recover virtually all files relatively easily,” Rogoway explained. “But phishing is very difficult to combat. Statistically, it’s 64 times more common than ransomware, and the average cost of a single successful phishing attack is $130,000 per incident.”
That’s why Sprague has focused heavily on working with every employee to ensure they are all doing their part to prevent a cyber-intrusion. “The biggest threat to our computer systems is our own people,” he said. “We don’t need a smarter IT group; we need a smarter team of employees.”
The good news is that there are proven techniques to help employees learn to protect the company and themselves from cyber breaches, he said. “It isn’t just about having a firewall or preventing a denial-of-service attack, it’s about making sustained efforts to protect individual users and teaching them how to guard themselves from attacks,” Rogoway said.
Sprague’s focus is employee awareness, he said, including cybersecurity training for all new and existing employees, regular emails on emerging cybersecurity threats and tips to avoid attacks, town halls and routine tests to simulate fake emails. “If they click the link, they automatically get additional training,” Rogoway explained.
Companies looking to set up cybersecurity training should try to make it transparent and supportive, he added. “You don’t want to be punitive. You want to use test failures as a teaching moment. And you need all employees—from top management to an intern—to know that it is imperative not only for the company, but for them, to prevent cyberattacks. There has to be trust between the company and its employees,” Rogoway continued.
The consequences of a successful cybersecurity breach are enormous. Individual employees can lose money or fall victim to identity theft with a successful cyber intrusion, he said. The company risks ruining its reputation, paying out money to cybercriminals, higher insurance rates and losing employee time (the administrative costs) to detect, remediate and investigate an attack, Rogoway explained.
“If cybercriminals are sending out fake bills to your customers, you can be sure that those customers are going to be angry,” he said. “The job of a pest control company is to safeguard their client’s reputation. Their reputation is damaged if a customer sees a roach or rat in a restaurant. They are going to question your professionalism and your ability to do your job if you can’t protect your computer systems.” While many companies and industries are affected by cyberattacks, that will not matter to your customer if it becomes a victim because of a fake bill sent from you, Rogoway explained.
Sprague found the best way to encourage its workers to take cybersecurity seriously was to link it with its ongoing safety program. “Safety is a major priority for our company. We want fewer safety problems, so we measure that and reward on that,” Rogoway said. “Cybersecurity is now bucketed with safety, so our employees are measured and rewarded on that too.” He explained that a safety incident can cost $20,000 to $100,000 based on the incident; the cost of a cybersecurity breach can be equal or greater.
While starting up a cybersecurity program can seem daunting, it’s important to remember that it’s a process, and that you must take it one step at a time, Rogoway said. “I believe in stacking. Because not one thing is a silver bullet, you can implement changes and technology gradually,” he said, adding that having “some sort of cadence”—whether once a week or once a month—is important.
Developing a roadmap for a cybersecurity program is also imperative. The company should build that roadmap after doing a threat assessment, he said. “You want to look at all the assets you have, what you want to protect, where the greatest threats are, and what information would have the greatest impact if systems are compromised,” Rogoway said. “For me, it’s email. Everyone in the company uses email. Email is a huge target, and if there is a breach, it can be very damaging.” When a company does a threat assessment, it may decide that protecting the field-service system is down the list of priorities, but email and accounting systems are higher up, he explained. A company may want to pay special attention to the systems of executives or others with access to the most sensitive and confidential documents, Rogoway added.
Rogoway also recommends that the IT department conduct plenty of research as it steps up its cybersecurity protocols. “If you are having email problems, there are solutions. If you do a little research, you can easily find out the best fixes,” he said, noting that the Compliance Center component of Microsoft Office 365 includes an enormous help library, including best practices. “It’s been a great tool for me,” he said.
The final step is to educate and train consistently. “Cyber threats evolve and change every day,” Rogoway said. “Not only do you need to keep abreast of the latest dangers, but you must ensure that your users—the employees—know about them and how to avoid them.”