Cybersecurity is a growing concern for many LBM companies. While data breaches at large organizations often make the news, we know that businesses of all sizes are at risk. This month’s Real Issues survey comes via an email we received from an LBM dealer in the Central U.S. who wants to know how seriously other lumber dealers take the threat of cybersecurity and what steps he can take to keep his company safe.
As we do each month, we emailed a brief survey to our LBM Journal readers who have opted in to receive emails (if you’d like to be added to the list, contact operations@lbmjournal.com). This month’s survey included three short questions along with an opportunity to advise the dealer who had reached out to us about cybersecurity concerns at their lumberyard.
First, we asked readers how secure they feel their businesses are against a cybersecurity threat. The majority of respondents indicated that they are either very well protected or had taken some security measures. Only 3% indicated that their systems are not very secure.
We also asked readers how concerned they are that a cybersecurity event could occur at their business. Nearly 60% of respondents indicated that they are moderately concerned, while 32% said they are very concerned.
Finally, we asked readers how they would advise the dealer who asked, “As our business grows, and we’re more reliant on technology than before, I’m concerned about the potential threat of cyber-attacks on our business. We’ve heard the horror stories of how companies get hacked, how ransomware can effectively lock up a business, and how a phishing scam can trick even savvy team members into sharing sensitive information or approving payments. I’d love to know if other LBM dealers view cybersecurity as a real threat, and what tangible steps they’re taking to protect their companies.”
Responses from lumberyards, building material dealers, and specialty dealers
“We view a cyber-attack event as a real potential threat even though we believe we have implemented sound protection practices. End user education is important. We require staff to complete monthly online security training. We also conduct periodic fake email phishing campaigns to test our users and train them to act as a human firewall. In addition to next-generation firewalls, email filtering, DNS filtering, logging, monthly outside network scanning, annual pen tests, and off-site backup, we implemented multi-factor authentication within the past year.”
“Have a savvy IT team and do what they suggest.”
“Email filtering and education, keeping computer OS and AV/EDR up to date. We have also added application whitelisting to our environment.”
“Train your staff as to what to look out for. Keep in constant contact with your staff as to the changes and the new threats that are going around to make them cyber-aware.”
“We subcontract IT professionals to advise on what protection we need. Our ERP is hosted remotely, and we have an IT admin on site who watches out and educates the team on phishing scams.”
“Yes, it is a real threat. I would recommend consulting an expert to find out what you can do to protect your system and ask them to advise you on training your employees what to look out for.”
“Our company has moved our daily backups to the cloud. We have increased our security through our software company. We have changed our email system to a protected system. We have added a cyber security insurance component to our insurance package in the event of a successful cyber-attack.”
“We don’t open attachments from unknown sources.”
“Have a cybersecurity expert perform a cybersecurity assessment and address any deficiencies.”
“I have experienced a ransomware cyber hack with another company that I worked for in the past; it was no fun. I have mentioned it to the company I work for now and they are doing what they can to not get attacked, although I am not part of that conversation and do not know what they are doing. I have my files saved in emails and on my desktop as a backup for job files. It is cumbersome to have to save twice, but I feel I always will need a backup to my backup after going through what I experienced.”
“Hire an IT staff and give them what they need to secure the business. The business can be attacked from a distance, so training and prevention are really the only answers.”
“Hire the best consultant you can find!”
“Contract with a qualified IT and technology security company that can advise you on the best methods to protect your business. Move your business technology systems toward a zero-trust model, and don’t deviate from that path.”
“We have purchased cybersecurity insurance. We have online cyber security training for all employees with computer access.”
“We utilize multiple levels of security: Endpoint (ESET Antivirus) as well as managed security for our firewall, and we utilize MS Office 365 with an added layer of security protocols provided by ATCOM business solutions. We are very concerned about the prevalent threat of ransomware, having seen several of our vendor partners have their systems compromised, causing a lot of disruption throughout the supply chain and affecting our customers as well.”
“Consult with a reputable company that specializes in this field.”
“Hire an IT expert to evaluate your system and implement upgrades if needed.”
“For small businesses, more often than not a cyber-attack is a random occurrence (someone opened an email or clicked a link they shouldn’t) and at that point it is usually just a virus. Not that a computer virus can’t wreak havoc on a business. Credit card fraud is a far greater threat (more frequent, and more costly) than cyber-attacks. At our store we have two networks. One is the business network that handles our point-of-sale system. That network is locked down. None of the computers on that network have access to the internet with the exception of a port that is open for software upgrades for the operating system and point-of-sale software. Also, any updates that are released are not implemented immediately. For example: Windows updates are delayed and are only installed when the system is down (Thursdays at 2 a.m.). All other computers, tablets, etc. that are used for internet-related tasks (email, browser search) are on a secondary network. That way if someone does open an infected email and downloads a virus to their personal PC it cannot affect our point-of-sale system. Other than that, we have all your standard setup such as antivirus, firewall, etc.”
“Savvy team members don’t always directly translate into savvy technological users—especially in a business with an older workforce. Most of our issues stem from impersonation of customers, internal employees, and vendors. When we are successful at avoiding digital threats, it is because we know our client base and customers due to long standing and close working relationships. As it turns out, what the independent dealer does better than box store competition is also our greatest ally in deterring digital threats. Work closely with your customers. It’s not only good for business, but also good for security.”
“Yes, we view cybersecurity as a real threat. Depending upon your size, you need to get outside help on how to tighten up your cybersecurity risk. It is expensive and complex, and frankly you are never done.”
“Keep all devices and applications up to date. Employ a layered approach to cybersecurity utilizing SPF, DKIM, and DMARC. Train, train, train users to be cybersecurity aware. Use multifactor authentication across all systems especially as it pertains to privileged accounts. Create a cyber-aware culture within your organization.”
“Yes, it is a 100% real threat. The time and money lost are very real! Advice: Hire a third party to help. Even if you have an internal team, the third party is a necessary safety net and will offer valuable insight into how secure your business really is, but beware of overselling. You do need protection but must also manage the risks and costs appropriate for your business.”
“You need a good firewall to keep people out and to filter unwanted email. Include constant warnings about not opening attachments unless you know they are legit.”
“We use a service called 1path to monitor our security.”
“We paid a cyber security firm to do an independent audit. We are presently working with them and our IT provider to evaluate options for improvements in our firewall, backups, system monitoring, internal practices, employee training, etc. We’ve long understood and taken steps to mitigate the impact of the risks to our business from fire, natural disasters, etc. Cybercrime is a new and growing risk that deserves the same attention.”
“Work on getting educated about potential threats. This is a hot topic right now and many are offering free webinars and informational reading. Next, when you have some basic understanding, talk to your IT professionals about how they are monitoring your network or how it should be monitored. Consider implementing some best practices. Then talk with your insurance agent about cyber coverages available. And last but certainly not least, consider training for your staff. People are the weakest link.”
“We are lucky to have a local firm that provides us support for IT issues.”
“We are at the mercy of our employees to not open any phishing scams. It has happened a couple of times, but we have had quick recoveries. Education seems to be the key, but we are so small that it is about all we can do.”
“Have a backup solution and plan of action when a threat occurs. Also make sure you’re covered under your insurance for cybersecurity threats of some sort.”
“As a small, one-location dealer (36 employees, $30 million in annual sales) we cannot justify a full-time IT person and constantly upgrade their IT credentials with cutting-edge security evolution. We outsource all of our security with an IT consultant company who constantly monitors and upgrades our IT security.”
“You’ll need hardware enhancements, software additions, outside IT security oversight, insurance, back-up copies, and external files. And lots of education and tests!”
Responses from wholesale distributors, manufacturers, and service providers
“We have moved most data storage from hard drives and into the cloud with multiple backups. In addition, we have turned to very robust virus/malware software to try to secure all data entry points. With so many of our team in remote locations now, it continues to be an issue we discuss often.”
“We use Knowbe4.com for our cybersecurity training.”
“I would urge them to contact their ERP provider and learn what they can do to assist in reducing risk.”
“We do consider it a threat and we train our people on how to better protect our system. Is it good enough? Honestly, we don’t know.”
“You are too reliant on technology. Real security comes from your people. Focus on them.”
“You need to protect your data and your systems from cyber-attack. The price you pay is too high if you get hacked—whether it will be in a ransom situation or worse, a destructive virus that wipes out your data. Invest in a good firewall. Train your staff on the pitfalls of opening emails they don’t recognize and searching on the web without any protection. You want to close all the gaps someone can use to get into your system and cause havoc. These are good first steps.”
“I would tell this dealer that it is not a question of whether they will be hacked, it’s a question of when. The hackers will find a way to get into your system regardless of how much you spend if they want to bad enough. There’s not any amount of software that will protect your company 100%, but there are MANY small steps a company can take to protect itself from a cyber-attack. This starts by educating 100% of your workforce on the signs to look for in incoming emails. A company called KnowBe4 can greatly assist in educating your staff by using a series of video trainings and simulated attacks with instant feedback. Every computer user in your company will receive a pass/fail rating and you will know which employees are most prone to falling for phishing attempts. A company called Arctic Wolf Networks monitors your system 24/7 and detects unsanctioned user access, and reports back to us. Trend Micro has anti-virus/malware software to install on all PCs and servers to prevent malicious code or website traffic… and there’s much, much more! All these products come with a price tag, but what is the cost to your business if your software gets ransomed and you lose your entire operating system?”
“Buy protection.”
“I take it seriously and we implemented some steps to prevent this. I’m not sure how strong it is, but we hired an expert.”
“We hired a third-party IT company to do an assessment and then followed their recommendations. We felt comfortable with their recommendations and so far, all seems to be working well. I highly recommend a third party. In-house or sole practitioners are limited and a bit myopic.”
“This is a very real exposure; most of PLM’s insureds have some cyber built into their policies. Whether they do or don’t, we see a steady stream of claims from lumber dealers…the coverage includes access to an online toolbox, which many insureds find helpful.”
“Find a trusted Managed Service Provider, and do your homework. Designate someone in your organization—a believer in technology—to work with said provider. Stay in front of cyber trends.”
“Absolutely, you cannot be too cautious. If you don’t have the in-house expertise, bring in a consultant to perform a security audit and then act on their recommendations. Be sure to include an analysis of your cyber insurance coverage in the audit.”
“It’s a real threat that, unfortunately, we’ve experienced. With the help of IT professionals, we recovered reasonably quickly, but it was not cheap.”
Hundreds of readers share their insights for this every-issue feature. Have a Real Issue? Contact Rick@LBMJournal.com. The reader who suggests the Real Issues topic will receive an LBM Journal Prize Pack including a cap, mug, pen, and more.