How to Protect Your Operation
February 24, 2025
Learn how to identify and manage financial risks within your organization while reviewing robust cybersecurity measures to protect operations. We’ll explore each topic in depth, providing strategies for mitigating financial exposure and countering modern cyber threats to ensure your operations remain secure and resilient.
The 2025 MI Ag Ideas to Grow With conference was held virtually, February 24 - March 7, 2024. This two-week program encompassed many aspects of the agricultural industry and offered a full array of educational sessions for farmers and homeowners interested in food production and other agricultural endeavors. More information can be found at: https://www.canr.msu.edu/miagideas/.
Video Transcript
Before we get started, I just wanted to put a little shameless plug in for our beginning farmer resource and decision-making guide. Since this is part of our Beginning Farmer track at the MI Ag Ideas to Grow with Conference, we want to include this opportunity to provide some input into a guide that's being developed by MSU Extension and USDA for beginning farmers. So if you have a chance, we can show this again at the end as well, but please fill out that survey to let us know what you would need to know as you're becoming a farmer. I want to say thank you to our sponsors, AgriStrategies, LLC, that has donated to the conference. We also have some farm stress videos. We're not going to show one during today's session, but we'll provide, that is moving on its own. We'll provide this link and QR code afterwards as well if you'd like to watch those videos about managing farm stress. So without any further ado, I'm going to turn it over to today's presenters.
Hey, thank you so much. My name is Courtney Ross. I work for Greenstone Farm Credit as our cultivate growth program manager. I'm going to let my counterpart today introduce himself and we'll get into how to protect your operation.
Awesome. Thank you. I'm Matthew Cosgrove and I'm Greenstone's Vice President and Chief Information Security Officer. So thank you for the opportunity to speak with the group today.
So we are going to talk about introductions, how we got here. We're going to touch on financial risk and coming from the viewpoint as a loan officer and what we look for. We're going to review some fraud trends that we've been seeing. Matthew is going to touch on some cybersecurity threats. We're going to talk about preventative measures, and then also provide some resources before wrapping up today. So if you've got any questions, feel free to let us know, and we can hopefully get those answered for you. Okay.
So from a loan officer perspective here, we wanted to touch on how breaches in cybersecurity can have an effect on borrowing money and how you can be at even more financial risk, not just in ways that you may think. When you apply for a loan, one of the first things we do is pull your credit bureau report. So what we're looking at is what your credit score is, if you have any delinquent accounts, if you have any other derogatory reports on your credit bureau, such as collections or charge-offs. You know, one thing that comes to mind is if someone has been able to get into your accounts or they've opened up accounts in your name that you're not aware of and then they don't make those payments, those can be sent to collections and have a negative impact on your accounts. The other thing that we look for in the branches is when you're transferring money. And basically, any last-minute changes, and we'll touch on this a little bit more, but any last-minute changes that if you call in and you've requested us to send money from a line of credit or from a loan, and what that looks like as far as how we're verifying that to make sure that it's been a true request from you versus someone that's maybe hacked into an email and requested that money be sent that isn't you.
I want to share with you some current fraud trends that we're seeing to help make sure that everyone's aware of them. This is something that we talk a lot about internally as well. Check washing is one right now. Postal inspectors recover more than $1 billion in counterfeit checks and money orders every year. Check washing, what that is, and Matthew, you can kind of correct me if I'm wrong, but if they get ahold of a check and they're able to change the name of where that check is going to. Government impersonation scams: the average victim of a government impersonation scam lost, um, I'm not sure what my number is there.
But just remember that the government or the IRS, they're not going to call you and ask you to pay anything over the phone. So anytime that you get a phone call like that where they're saying that you owe money, just make sure that you're being aware of that and you're not just giving them a credit card number over the phone. Um, late changes to payment methods. I touched on this in the previous slide. If you're purchasing a piece of equipment or real estate, you'll agree on one method of payment. And then at the last minute, if we see that come through as someone trying to change that or if the seller contacts you to change that last minute after you've already agreed upon it, that's something that you're going to want to look into. Again, we see this a lot through email. So you're going to want to use the method of contact that you've been using previously to communicate with that other party just to be sure that it was them that truly requested it rather than just going off whatever is in that email. This goes for last-minute wire changes with real estate purchases even. Um, and then lastly on this, just making sure that whoever has the equipment or piece of real estate for sale actually owns it, and that you're working through reputable sites when purchasing something. You know, if you see something on Facebook Marketplace, that can be dangerous whether, you know, you agree to send them money, and then the piece of equipment actually, um, it was just kind of a scam and they didn't have the piece of equipment to actually sell. Okay. Go ahead, Matthew.
So some of the tools to help, um, these are some ideas that we have here at Greenstone as well. If you're using online banking looking to an advanced ACH, this is an ability on your end to verify the ACH transactions to make sure that they're going to where they need to go. Wire transfers, same thing.
This allows you to initiate your own requests, but just making sure too with wires that you're verifying how you received those wire instructions and that the money is going to the correct place. And then lastly, positive pay. You can initiate the payments, but only payments approved and uploaded to a matching file will actually be paid. So it's just another check on making sure where your funds are going and they're going to the intended party versus a bad actor that has gotten in between your transaction. Before I turn it over to Matt, I guess, I'll ask, are there any questions that anyone has regarding kind of when you look at it from a loan perspective? Okay. Then I will go ahead and turn things over to Matthew.
Thanks, Courtney. I think the one thing I'll add before I move forward is all these items, you know, these tools aren't just things that Greenstone offers, but, you know, your other financial institutions have similar controls and tools to help protect, you know, your checking account and your savings accounts.
All right. So I kind of want to start with the why we're here and why cybercrime, you know, we keep talking about it year after year. And just to put some context around it, some color. In 2024, the total losses of cybercrime eclipsed 9.5 trillion. So that's a lot of money. We can all agree that that's a lot of money. We're going to see it hit 10.5 trillion in 2025. But when we look at, you know, 9.5 trillion, where did that actually stack up? I like to compare it to the GDP of countries. So if we look at the top ten GDPs and just kind of put cybercrime in there, it would actually be the third largest GDP out of our top ten countries. At its current trend, we're expecting cybercrime to eclipse China by 2030. If everything keeps up the way we're seeing it, we're expecting by 2030 cybercrime is going to eclipse about 20 trillion USD of losses. So this is kind of the why that we keep talking about and it becomes so important.
And continues to be just because of the amount of losses that people are realizing with cybercrime. And it's the incentives for bad actors to keep doing it.
So a lot of conversations that I have with other customers and is, well, what's the right approach for my organization or my operation? Should I be moving items to the cloud? You know, and I think that's a great question. But what we get down to when we talk about moving things out of the cloud is, you know, if you move your operations or move servers and technology to, you know, a SaaS service, that doesn't eliminate the risk. It really just kind of changes the risk that you're up against. What we see with almost all of the data breaches that took place in 2024, at least the larger ones, these are all SaaS services. These were all cloud services that either through misconfigurations exposed a large amount of PII and FII data, so personally identifiable or financially identifiable data. So according to Check Point, they're a security firm. They're saying right now that 92% of enterprises are having security incidents due to cloud misconfigurations. So when you get into some of those services, those technologies, there's a lot of knobs and dials to twist. So without a partner or someone to help you on that journey, it's very easy to have something misconfigured. And even, we look at just the current 2024 loss of data, you know, all these are giant organizations, Fortune 500, Fortune 100 companies, and all these were misconfigurations. So probably the largest most recent breach that we saw this year was National Public Data, and they lost 2.9 billion records. So that data included Social Security numbers. What's interesting is most individuals don't know who National Public Data is, but they were a data aggregator used primarily for employment background checks. So they had aggregated over the years just billions of data points. Well, they had a breach and 2.9 billion of those records made it out into the dark web.
You know, with AT&T, we saw a misconfiguration, that they lost 110 million records. So this was call records, right? It wasn't the specifics of a call, but it was, you know, a number to and from and the time. It was the location date of calls, and then in some cases, encrypted pass codes. And then I'm sure everyone on the call has at least once received a letter from, you know, their hospital of a data loss. So we're seeing a lot with the health industry. Something to note is, you know, this sort of data is kind of like you would think of a commodity like oil or gold, and PII, so personally identifiable data, Social Security, driver's license numbers, actually so many of them are breached and they're out there. It's driven the prices down for bad actors. So that's actually pretty cheap data for bad actors to buy if they wanted to acquire a list of Social Security numbers. What's becoming more valuable and where we're kind of seeing the industry go is these bad actors are actually looking for HIPAA and health information. You know, they want to be able to use that to leverage blackmail attempts and then people's health records. So that's really where we're seeing more value and exposure is in the health industry right now.
So I'll leave this slide up for just a second if anybody wanted to take notes on the URL at the bottom, but this is a search that was put together by some security researchers, and this is just to provide a sample of if any of your information was part of the National Public Data breach. Now, I would expect that everyone on the call is probably part of this breach, especially if in the last 20 years, 30 years you got a job and had to go through a background check. So when I ran that actually on myself, here's all the different data points that it accumulated of me of just different addresses, where I lived, and then the Social Security numbers and different phone numbers I had that I had been at.
So what's the biggest thing that everyone can do on the call today to help kind of protect your identity and protect, you know, your financial peace of mind. So the big thing that, you know, we tell all of our customers, and, you know, I'm sure the Greenstone staff on the phone is sick of me saying this, but it is really recommended in today's day and age, if you haven't already done so, put a security freeze on your credit file through the three major reporting bureaus. This does add some legwork to the consumers. But putting that stop there and preventing anyone from being able to attempt to pull credit or open a bank account or opening a checking account under your name using your identity goes a long ways. This service was actually something that prior to the large Equifax breach, used to be a charge service. So something that came out of the Equifax breach in 2016, I believe, was the government came in and said, Hey, Equifax, you lost all this data. You're supposed to be a safe keeper of consumers reporting and credit information. You now have to provide a mechanism for consumers to be able to lock their credit report and unlock their credit report as part of your service. So that came down as law and each one of the reporting services now has to provide that mechanism. So I would encourage everyone today, if you haven't already done so, go out to these three bureaus. They all have a nice interface to lock your reporting bureau. You know, the big challenge that we see is when you go to get new credit or get a loan, you do have to ask that financial institution what bureau they're going to be pulling against so you can unfreeze your credit for that credit pull to happen. But a minor inconvenience to the actual protection that it provides you.
So the big question that I hear a lot when I talk is, why does cybersecurity matter in agriculture? And I think for a long time, our thought was in ag that, you know, we were kind of flying under the radar.
Bad actors weren't really taking notice, and they weren't targeting our operations. But I can say after the JBS incident in 2021, what we're really seeing and kind of all the telemetry that we have is agriculture is under attack. It's under attack by the bad actors. They've taken notice. And what they realized is there's a concentration of services in Ag, so it's very easy with one attack to create a large disruption of the ag industry. And that was relevant and really came to light with JBS. For those of you on the call, JBS was a meat producer who suffered a cybersecurity attack, and it stopped most of the production in the US for about a week. So different threats that we see is a lot of the operations that I tour, even the smaller farm operations, I like to say that, you know, a lot of it is you guys are like technology providers. When I look at some of our dairy producers, you know, the technology that they have in their barns and the robotic milkers and the data they get from their cattle, you know, that's all, you know, stuff that you would see in a high tech world. But, you know, the automated tractors now that we see driving with GPS and the precision crop and planning data that we're able to glean. I mean, these are really, our current farmers are really high tech. So just a circle to JBS. So during this outage, this disruption, we saw 20% of the US beef and pork production was shut down. And again, I think this really brought to light some of the consolidation that we see with our producers in agriculture. Now, JBS, they were down for so long, you know, didn't have maybe a really sturdy business continuity plan, didn't have the DR plans that they needed, but they ended up paying the ransom of about $11 million. Now, what's really interesting in this case study is this company actually, you know, they worked with JBS to help them navigate paying the ransom. 
So there was, you know, if you would, customer support for this ransomware attack that worked with JBS to convert their US dollars to Bitcoin, so they were able to pay this ransom. And then great news now JBS has a customer for life because these organizations, these crime organizations will continue, you know, in some cases, kind of like the Mafia will stop other bad actors from attacking JBS in lieu of charges, right? So they kind of become the Hey, if you want to stay safe, we can protect you, but you need to keep paying us. And we see a lot of producers who are now getting involved in these kind of mafia agreements with bad actors to keep their operations safe after they've suffered an attack. In this particular instance, really what we saw and what came to light in some of the investigation was this was just a case of old outdated legacy equipment that wasn't being properly patched, and the bad actors were able to infiltrate and then move laterally across their network through that outdated operational technology.
So this is a relatively new case study, but this is something that I've been following more, especially with how large some of our dairy producers have become and the reliance on robotic milkers for the herd. But this is a case where we had a bad actor actually take over and, um, infect the robotic milking machines with ransomware, which shut down this producer's operation, and they held the machines actually for ransom. Now, in this case study, the farmer refused to pay the ransom, but did lose, you know, a heifer and some calves. But we're looking at, you know, total impact could have been, you know, his entire herd, which would have been about 70 cows in this case. So this was a vulnerability that was discovered on a milker that was actually misconfigured and exposed to the public Internet. So the bad actor was able to attack it.
And we're seeing that a lot with all the equipment that some of our producers bring in and that farmers are bringing into their operations, you know, how do they protect all that equipment? Because I think a lot of it is they're relying on their partners and they're relying on the manufacturers to provide them that guidance. And in some cases, they're not getting the level of support maybe they need to be successful. So we'll talk a few minutes about, you know, what are some things that we could be doing now, preventive measures and best practices. And this isn't just for, you know, maybe your growing operation, but these are things that everyone could be doing in their home life as well. So when we look at preventive measures, I kind of think of it as, you know, the circle, the never ending circle. But the first item that everyone can do today and everyone should be doing is enable multi factor authentication on your email. I suspect a lot of you today have already done that. But if you haven't done that, that's my number one question and my number one answer of, you know, what's something I can do to protect kind of my digital life? That would be to enable multi-factor. So if there's one takeaway today, it doesn't matter what email service you're using. If you don't have it turned on, I would go and investigate getting multi factor turned on. So what is multi factor? So multi factor authentication really means it's requiring two forms of authentication to sign you into your account. So typically, your password would be something you know, and that's their traditional, you know, password that everyone uses today. And then the second form of authentication would be something you are, which could be biometric, touch ID for everyone that's using Apple or Android phones, think of that as like the face ID mechanism. It's also something you have. So it could be a text message back to your phone where you have to respond in a box with a number. 
And those are all items of multi factor.
The next big thing that everyone can do today to make sure they secure their growing operations or their digital life is to make sure that we're patching and applying the software updates to our computers and our mobile devices. That goes a long ways. A lot of these use cases that I mentioned in the data breaches of 2024, most of them would have been prevented had those systems been patched. And what that really means is it's making sure that the software that's installed on those computers and those mobile phones is constantly getting updated as security researchers discover new vulnerabilities, and that patching is what applies that in those updates to the devices to make sure they're safe and secure. And this also includes on mobile devices, making sure you're updating your applications as well. Because as vulnerabilities are found, those individuals and those companies are releasing patches to make sure their systems are running their most secure.
So the next item would be to use a password manager, and as hard as it is to use unique passwords for every site that you're logging into. You know, over time, humans, we've created this mechanism to remember passwords. You know, we've done things where, you know, an analogy that I have here is we did some penetration testing here at Greenstone, and we started looking at, you know, at the time, we had a less than 15 character password policy, but we started testing the season and the year. And what we found out was the majority of our staff were all using the season and the year as their password for their corporate password. Because as humans, we need something that's easy to remember, and we were creating a password rule that said every 90 days, you need to change your password. But we can't remember new passwords. So very easily staff were looking outside and saying, well, there's snow on the ground. My new password is winter.
And by having a 90 day reset period, we were aligning to the seasons. So it became very easy to kind of get into that mindset. So this is where password managers help us overcome some of those issues because now we can create strong, unique passwords for every site that we're using and make sure then that there's only one strong password that we need to remember to get into the password vault. So those first three items are really, you know, it's something you can use in your personal life. It's something that you should be using in your operations. But the next three items really kind of go into, you know, where we look at and where I see some of our larger operations and even kind of new farmers, you know, who are just getting started. The biggest thing that we see is no one's backing up their files. So as your operation gets larger and maybe you're using, you know, a Quicken or QuickBooks to do your accounting or you have some different, you know, tools to manage your livestock in your herd, you know, making sure that you're asking those vendors, what is their procedure for backing up data? And then making sure you have a copy of that data off site. Not stored on the computer, but off site in case if there is an event, right? If a machine does go down, you have the means to restore your business and to restore your operation. And then testing those backups because a backup wouldn't do any good if the first time you go to use it, it doesn't work or you don't know how to restore the backup. So making sure you're testing the operations and the backup of those key systems and tools. The next item is, as your operation grows, you know, it's very common that in some of these barns, we see a lot of network access points, and I see staff using iPads and other devices, but making sure that you have some segmentation in those networks because that's what would stop a bad actor from moving laterally if they got inside your environment to other devices and systems. 
And then lastly, doing, you know, assessments and site surveys, you know, of your operation, making sure that, you know, you're not, you know, you don't have a system exposed. Sometimes, you know, we have situational awareness and we don't know what we don't know. So doing those assessments and bringing in those third parties can help identify risks and gaps that you might have in your environment. So I'll pause on this slide for just a minute and just ask the audience, does anyone have any questions around those preventive measures?
All right. So just some resources for the group. So CISA, which is the Cybersecurity Infrastructure Security Agency. They have some really great resources for agriculture, some different checklists. You know, they have some sample incident response and recovery plans. They have some different tools that individuals can use to scan their environment. And then they have a reporting number. If you are a victim of a cybersecurity attack, the information that you can use to reach out to CISA to report that event. Additionally, the FBI has the Internet Crime Complaint Center, and this is the central hub for all reporting for cyber-enabled crime. But, you know, really where you would start if you're ever a victim of a cyber is local law enforcement. You know, here in East Lansing, Michigan State Police has their security operations center in their headquarters in Dimondale. But getting in touch with local law enforcement to report those incidents, and then they'll have you report to the FBI under CISA.
So we'll see where this legislation ends up. So this was a bill that was passed towards the end of 2024, and this is the Farm and Food Cybersecurity Act. And this was just a bill that would require some annual cross sector simulations to help prepare for food related emergencies.
So this is getting, you know, different producers together to do tabletop exercise, working directly with the Secretary of Agriculture to assess different cyber threats and vulnerabilities. And a lot of this was driven by, you know, the big one was JBS, it was driven by some breaches we saw with Tyson. But this was, you know, we'll see where it lands with the new administration. But right now, this bill is authorized for $1 million annually for those activities. So just some food for thought there.
And then, really, just to say to the group, you know, cybersecurity, we are all in this together. This is not an individual, this is a group activity. So I would encourage all of you to collaborate with your peers, in your communities, other producers and making sure that you know, ask them, Hey, what are you doing for this? Oh, hey, we're doing this other thing and really talk through what it is because the food supply chain and cybersecurity really is everyone's shared responsibility. And I think with that, I would open it up for any questions from the group for Courtney or myself.
So many of us are, you know, in the beginning Farmer group are fairly small. You know, and I look at this and I think, am I really going to be somebody that could get targeted? You know, I mean, why is it important and I think this is I think you brought up some really great points, but why do you think it's important for somebody who is in a small business like a lot of us to take this probably more seriously than we have up to this point?
Yeah, great question. Thank you. What we're really seeing, we're not seeing the cyber criminals from a size target larger or smaller operations. In fact, probably what we see more of and what we hear here and what I see in different groups that I'm associated with here in Michigan. It's probably the smaller producers that are getting impacted more.
I say that not to scare anyone here in the room, but because the bad guys know, hey, at a certain size of an operation, maybe you're doing some of these other, you know, we'll call them cyber hygienes, but at a smaller size, it would be easy to target you in your operation. So that's where, if I go back to that preventive measure slide, those first three items, as a small producer, a small farm, you know, you're probably running your operation on your home computer. In fact, you know, even some of our larger producers are probably running their operation on their mobile phone. So making sure that your workstation is being patched, you know, that you have good AV software, making sure you have multi factor turned on your email address, doing some of those very basic kind of foundational cyber controls will go a long ways from being targeted because in a lot of the cases, the bad actors, you know, if you have a couple of your doors locked, they're just going to go to another house with their doors unlocked. So making sure we do those simple things will go a long ways.
I have a second question for Courtney regarding some of the banking information you started the conversation with. So I am very new to this process. Just opened our bank account a couple of weeks ago. And what conversation should I be having with my banker at this point?
Sure. Are you talking as far as just like a checking and savings account or...
Yeah. Well, we just created our business entity, the LLC, and we opened a business banking account. We're going to be taking, you know, various types of payments, you know, that kind of thing. I don't anticipate loan needs right away, but potentially in a year or two. What are some of those early conversations we should be having with our banker?
Yeah, absolutely.
Matthew might have more to add from his perspective as well, but I would just say, you know, if you're going to be moving money in and out quite a bit, if you get into any online banking that you're making sure you're asking them, you know, what do they have in their online banking, you know, like the advanced ACH. What is there and then also what is their process and their protocol for sending wires or accepting wires. You know, I know, like we make sure that we are verifying if, you know, if you were to buy something and you sent us wire instructions, we're going to ask you how you received those wire instructions. We want to verify that you're getting those instructions from, you know, where you're intending the money to go from. So their procedure around wire transfers, and then what other options they have, like I said, in their online banking that you can use in positive pay, asking if they have that to help protect yourself around, you know, making sure that you can verify where your funds are going all the time.
Thank you.
What is safer, mailing checks or wire or Internet transfers?
Yeah, so they all, great question. And they all pose, you know, certain risks. So mailing a check, of course, you know, there's the opportunity that we see this quite frequently, the check getting intercepted and then getting whitewashed, where someone's refilling the check out. You know, using online services is a great way. If you have some of those other controls in place, right, a positive pay service or advanced ACH, the challenge with some of those wiring mechanisms is once the money is wired, it's gone, and it's very hard to get those funds back, especially with wiring. So where we see a lot of success is, if you are doing wires or ACH's, is to make sure that you're verifying who you're talking to as being, you know, the person they say they are, and then verifying the wire instructions or the ACH instructions to make sure that it's going to the right spot.
And then with any transaction, you know, if there's a sense of urgency or last-minute changes, that's when we tend to think that somebody has, you know, somebody else is in that conversation as well.
Looks like we had one come into the chat, Matthew. Is using Zelle or Square considered safer?
Yeah. So it goes back to kind of the SaaS conversation earlier. You know, both those services are great because it helps remove some of the complexity. But really, it comes down to, you know, if you're taking payments and you know, online to make sure, you know, there's always going to be that risk there, but they're great payment services, either one of them. I wouldn't say one's more safe or the other. Whenever we get into payment mechanism, payment services, there are certain regulations and items that those companies need to meet that they're both doing that. Great question. Thank you.
Okay. One more question for me. Sorry. I keep asking. I know ACH. What is positive pay?
So positive pay, what it does is, any check before they can clear, you have to verify those checks are being written by you. So it just prevents, you know, in the case of a check that gets whitewashed or gets, you know, intercepted or somebody, you know, is recreating your checks, positive pay wouldn't clear those checks until you submitted, hey, for this payer, it's this much. And then if something doesn't match what you've uploaded, it doesn't let that check clear.
If there are no more questions, we can wrap up. I want to give a big thank you to Courtney and Matthew for sharing the presentation with us today. I certainly learned a few things, including that cows in milking machines are vulnerable. That was really an eye opener. So I appreciate you sharing some of those case studies and helping us to learn things to look out for and make sure we're keeping our businesses safe.