Why it’s time to think about cybersecurity

(Illustration: pagadesign/E+/Getty Images)
How often do you think about cybersecurity in your landscape operation? Experts say you are more susceptible to hackers than you might think.
“I look at it as more of a matter of when are you going to get hit versus do you think you’re going to get hit,” says Mark Borst, president of Borst Landscape & Design, a full-service commercial and residential landscape company in Allendale, N.J.
Borst says his company’s IT department recently shut down his email because it kept getting hit by a hacker trying to reset his password.
Adam Scheinberg, vice president of information technology for Massey Services, No. 29 on the 2023 LM150 list, says no matter what size your operation is, you should prepare for a data breach.
“I tell people you are either going to get breached or you have already been breached,” he says. “I do think that’s the mindset everybody should operate with.”
Scheinberg developed 25 tips for effective cybersecurity after the Orlando, Fla., turf care, pest control and irrigation service provider faced a major security breach in 2019. While his full list might be daunting for many small businesses, he wants you to encourage your team to maintain healthy habits with passwords, logins and computer use.
Educate your team
Both Borst and Scheinberg say educating your team about potential threats and risks is a critical step. Your IT team should develop a protocol for what happens when an employee clicks on a phishing email.
Borst Landscape & Design (now a part of the Mariani Premier Group) uses KnowBe4, a security training company that sends weekly cybersecurity and test phishing emails to Borst employees and reports back on the employees who clicked on those fake phishing emails.
“It’s all about security culture and training,” Borst says. “They’ll send you emails that look fishy; if you open them, we get a report that says you had three people in your office that opened the attachment. We share that info with everybody.”
Scheinberg takes it a step further with a zero-tolerance policy for interacting with real or test phishing links sent from the Massey team.
“We chose an approach that was no compromise,” he says. “You click on a link that you shouldn’t click on, whether it’s really a bad link or whether it’s one of our testing links, immediately we have a remediation process.”
Massey’s IT team disables the person’s account, changes the password and removes any device attached to the accounts. This approach might seem a bit extreme, but it helped foster a culture of accountability and safety when operating on the internet.
“At first, I would say people were frustrated,” he says. “Then we started to see the percentage of people who were falling for it drop dramatically. We always have some people that miss every month, but the percentage is within the range of what I would consider tolerable.”
Understand your risk
“We understand you might be willing to tolerate 5 percent to 10 percent of users still being reckless,” Scheinberg says. “We enroll people who fail into training, and it’s a 15, 20-minute training session that talks about phishing and spear phishing, which is highly targeted.”
He says spear phishing might come in the form of an email or even a text message that looks like it’s from Tony Massey, the president and CEO of Massey Services, asking an employee to purchase a gift card for him, take pictures of it and email them to him.
To verify whether the email or text is real, “We encourage people to pick up the phone and make a phone call or reach out on Microsoft Teams or reach out in some other method,” he says.
Multifactor authentication
Borst says his company added multifactor authentication for crew members to access his operation’s systems and email. Multifactor authentication adds an extra layer of protection by requiring multiple forms of verification, such as a password and a unique code sent to a mobile device, to verify the user’s identity before granting access to a system or account.
Don’t get alert fatigue
Even as you educate your employees about responsible and smart behaviors on the internet and with data, Scheinberg says it’s easy for them to get what he calls “alert fatigue.”
Yes, you want to take steps to educate your employees on potential issues, but not to the point that your team disregards anything your IT team might send in terms of warnings and advice. Alert after alert makes it easy to dismiss and ignore messages.
“If you’re warned about something every single day, then when there’s a real problem it’s just another alert that you get every single day,” he says.
Make it unique and keep it safe
Scheinberg encourages those reading this article to exercise caution when using and reusing passwords.
“My expectation is that your login to our system is unique and not used anywhere else,” he says. “What I’d really like to move to is 12-, 15-, 20-character passwords that never expire and teach people to use the term passphrase instead of password.”
Scheinberg says to think of a passphrase as a string of words, characters and letters that connect to an idea, thought or sentence. He also encourages operations to deploy password managers, which add a level of protection. Massey uses 1Password, but other password managers he recommends include Dashlane, KeePass and Bitwarden.
“It is a major change in behavior, but everybody can do this and it’s worth the investment of time to make the change to up your security by 1,000 percent,” he says. “I really think you’re making yourself 10 times more secure when you have complex passwords everywhere. And once you do, it doesn’t matter if the password is eight, 10, 12, 15, or 35 characters. Once you’re in that habit, it’s all the same.”
For added safety, he recommends companies create unique logins for each employee for common software and applications instead of sharing accounts. This also means upping your operation’s security measures for anyone who accesses your system remotely.
Patch and patch again
It’s easy to ignore the pop-ups on your computer reminding you of a pending software update. But these patches often provide critical security updates for computers, Scheinberg says.
“There are too many vulnerabilities out there and you need to have a process to update the things on your network,” he says. “Anything that touches the internet directly has to be updated. Oftentimes it’s just run the software update tool on your local PC or server or iPad or whatever.”
Think about insurance
Borst and Scheinberg say companies might want to consider cyber insurance. A data breach can be expensive. It’s important, of course, to talk with your insurance provider to find the right coverage.
“Even going back 10, 15 years ago, we would have on our insurance policy terrorist coverage, and we would always deny the terrorist coverage,” Borst says. “With cybersecurity, when they hack, that’s considered a terrorist threat. We don’t deny it on our insurance any longer for that reason.”
Start small
Employees at a landscape operation likely run the gamut from tech savvy to tech fearful. Scheinberg says it will always be a challenge for an operation to be completely free from cybersecurity threats. Smaller companies might find it challenging to deploy some strategies to keep systems safe.
When it comes to prioritizing the potential threats, he says, “The right way to approach it is you look at (my list of 25 tips) and you say, ‘How can I make a difference?’ ‘Where do I chop away so I can get down to something that’s manageable?’”
