6 reasons why farmers are losing sleep over big data security

Farmer Chris Jones demonstrating how precision technology works.

Farmers see the advantages of big data capture and analysis. They also see what happens when big data is turned over to third-party vendors — Agricultural Technology Providers (ATP) in their case — without any thought given to who retains ownership of the data and what it can and cannot be used for.


To their credit, farmers and ATPs decided it was in everyone’s best interest to work together. Back in 2014, the American Farm Bureau Federation (principally Mary Kay Thatcher, its senior director of congressional relations), members of organizations representing farmers, and several notable ATPs such as John Deere, DuPont Pioneer, and Dow AgroSciences came to an agreement, leading to the creation and signing of the Privacy and Security Principles for Farm Data (PDF).

One of the most interesting tenets of the document discusses who owns the data:

“We believe farmers own information generated on their farming operations. However, it is the responsibility of the farmer to agree upon data use and sharing with the other stakeholders with an economic interest, such as the tenant, landowner, cooperative, owner of the precision agriculture system hardware, and/or ATP etc. The farmer contracting with the ATP is responsible for ensuring that only the data they own or have permission to use is included in the account with the ATP.”

This type of cooperation appears to be unique to the agriculture industry.


Fast forward two years

Katie Hancock is an agricultural commodity marketing consultant for Brock Associates. Besides understanding the marketing side of farming, Hancock, who with her husband manages a 5,000-acre farming operation, has a good idea of what’s going on in the fields.

Katie Hancock (Image: The Farm Journal)

Hancock decided to look at what, if anything, has changed since the consortium came to their agreement. In her post 7 Data Security Concerns Farmers Can’t Ignore for The Farm Journal, Hancock starts out saying data security is still a huge concern among farmers. “Precision technology makes us the best we’ve ever been at what we do, but the integrity of our data remains a question,” writes Hancock. “It’s important to discuss why we are hesitant to embrace information technology.”

As to why farmers are reluctant to embrace IT, Hancock offers the following reasons.

1: Self-sufficiency

To survive, farmers are becoming ever more sophisticated; besides understanding agriculture, they are skilled in business and digital technology. Hancock suggests that diverse acumen is why farmers are not impressed with the analysis results they are seeing. She adds, “Farmers know their land better than anyone, so can this (externally-analyzed data) be valuable?”

2: Privacy

Farmers typically know everyone they deal with personally, and prefer conducting business on a one-to-one basis. “Some share general practices with neighbors and advisers, but nothing as detailed as acre-by-acre data information, much less with a complete stranger,” writes Hancock.

3: Competition

Hancock is concerned about the risk of data, such as crop yields, getting into the wrong hands, being made public, and used against the party providing the information.

4: Little or no say

Precision farming requires a significant outlay of time and money, upwards of $30,000 per tractor. Hancock says farmers, after that kind of investment, are frustrated when they have no say about where data from the installed equipment is sent and how it is used.

5: Detail

Hancock is concerned about the amount and types of data being collected. “Beyond location or production, precision technology is tracking inputs, speed, and time,” she writes. “There are things being tracked we don’t even know about or consider valuable. It goes beyond a good or bad spot in a field.”

6: Distrust

Farmers in today’s world, writes Hancock, distrust outside influences they feel are unjustly attacking them. And if that is the case, big data captured from farms might add even more fuel to that fire.

What’s the answer?

Hancock is not down on data technology — it is and will continue to help farmers. Her concern is the cost. “From the outside it’s easy to think ‘Wow, those farmers are paranoid,’ but very few business owners in any sector would want to hand over this volume of detail,” notes Hancock. “Data technology is a precious jewel and farmers will continue to protect their investment in it.”

A question that might need to be asked is: If farmers are so concerned about big data security, why aren’t the rest of us?


5 best practices for reducing third-party vendor security risks


More and more businesses are off-loading in-house operations to Third-Party Vendors (TPVs). The incentive? It saves money. Off-loading functions also affords businesses the ability to focus on their core competency.

However, more often than not, off-loading a function also means giving an outside organization varying degrees of access to a company’s network and/or data. And as we all know, this can lead to issues.


Many of the companies experiencing issues from co-opted TPV access are outfitted with full-blown IT and security departments. One has to wonder where that leaves small business operators with little or no IT and security expertise.

Interestingly, that usually means relying on TPV consultants to help set up and maintain whatever IT needs are required, which of course means more remote access. Hmm.


How to diminish TPV access issues

Lisa Kahn Little writing for The Business Journals offers the following suggestion: “A good vendor management program can enable a business to mitigate risks, help control costs, and drive service excellence to maximize value from their vendors.”

As to what constitutes a good vendor management program Kahn Little enlists Jorge Rey, director of information security for Kaufman Rossin, to shed light on what that means.

1: Manage the selection process

The first concern of Rey is the services being considered for outsourcing. What kind of information access will TPVs have? If a vendor being considered will have access to sensitive data such as customer information or company financial records, additional scrutiny during the selection process is advised. “Do your due diligence,” suggests Rey. “Take your time selecting a vendor by creating a list of possible companies, evaluating their proposals, and reviewing your requirements to find a good fit.”

Additional suggestions from Rey:

  • Examine the credit history of potential vendors
  • Ask how long the company has been around
  • Determine whether the company has had any legal or financial issues
  • Look into the potential supplier’s internal security practices
  • Check whether they have comprehensive information security policies and recovery plans in place
  • Ask if they perform regular data backups, internal security audits, and background checks on the employees who will have access to client data

2: Understand vendor contracts

Rey advises that contracts should be transparent, flexible, and concise. Flexibility is essential if there is ever the need to change providers. Contracts should include the following:

  • Services being provided
  • Duration of contract
  • Confidentiality clauses
  • Right to audit
  • Contingency plans

“As a business owner, it’s important to understand service-level agreements, including ramifications for vendors who fail to meet them,” explains Rey. “It also helps to set up next-step procedures, in case a relationship with a vendor ends.”

Something else to consider: keep a copy of the contract off-site in case of a disaster.

3: Monitor vendors’ performance

Rey feels it is important to ask the following questions at regular intervals:

  • Is the vendor meeting the terms of the service-level agreement?
  • Are deadlines being met?
  • Is the quality of the product or service up to specified standards?

4: Continue in-house monitoring

To catch issues early, Rey feels it is important to keep track of company financials and data security. “It’s a good idea to monitor accounts payable on a regular basis and stay aware of what’s happening with cash flowing in and out of your company,” mentions Rey. “Establishing an information security program and implementing proper internal controls can help you detect potential issues — whether with vendors, employees, or otherwise.”

5: Use vendor non-disclosure agreements (NDA)

There is a need for NDAs if the TPV has access to sensitive company data, in particular, customer data. As to why, Rey adds, “An NDA can help protect your company’s critical data, which you would not want to end up in the hands of a competitor or the general public.”


Additional tips about the selection process

Heinan Landa, CEO of Optimal Networks, writing for The Business Journals offers an interesting suggestion for those responsible for selecting TPVs. “After spending 24 years in the Washington, D.C., technology scene, I’ve come to recognize the signs of a quality provider and the red flags that should have you running full-speed in the opposite direction,” writes Landa. “Many of these indicators will be apparent in the first document you receive from your would-be vendor: the proposal for support.”

Landa recommends paying attention to the following:

  • Clarity: Jargon is out. If the proposal is confusing, Landa suggests there is a good chance of issues down the road.
  • Personalization: The proposal should reflect the company’s needs rather than being a cookie-cutter template.
  • Appearance: How the proposal is presented is indicative of the vendor’s effort now, and likely in the future.

“The look and feel of your proposal are important because there is generally a direct correlation between appearance and effort,” explains Landa. “This is not to say the flashiest proposal is the best, but it is to say that a few pieces of tattered paper shoved into a folder are probably indicative of a lower level of commitment when compared to a cleanly-formatted, meticulously organized, colorful, bound document.”

References and testimonials

Both Rey and Landa place a lot of stock in what a potential vendor’s existing clients think.

  • How do the vendor’s current clients feel about them?
  • What was the onboarding process like?
  • How communicative are they?
  • How deeply do they understand both the client’s network and their overall business objectives?
  • How does the potential vendor treat its employees?

Consider the irony

It might very well be that smaller organizations will not have the time or ability to set up a vendor management program. There are, however, providers offering that service. If that is a consideration, you should also think about using the advice offered here to vet their proposals and service offerings.


CISO Still Viewed As Tech Not Business Leader

RSAC/ISACA study shows only one in seven CISOs report to CEO.

While the majority of enterprise boards are well aware of cybersecurity risks to their overall corporate risk posture, most chief information security officers (CISOs) are still relegated to technical teams, according to a study out today by ISACA and RSA Conference.

Conducted among over 460 security professionals, the survey showed that 82% report that their board of directors is very concerned about cybersecurity. But at the same time, only 14% of CISOs actually report to the CEO. Instead, the majority–63%–report to the CIO.

“The majority of CISOs still report to CIOs, which shows cybersecurity is viewed as a technical rather than business issue,” said Jennifer Lawinski, editor-in-chief for the RSA Conference. “This survey highlights the discrepancy to provide an opportunity for growth for the infosec community in the future.”

The good news is that the majority of security professionals say line-of-business leaders are backing them up with executive support for things like policy enforcement and adequate funding. Often, though, executives work under a double standard and only about 43% of infosec leaders report that these line-of-business leaders are actually following the same policies they demand of the rest of the organization.

Overall, security leaders also believe there’s improvement needed across the security ranks when it comes to on-the-job skills. Compared to the same survey last year, there was a 12-point drop in the percentage of security leaders who were confident in their team’s ability to detect and respond to incidents, dipping down to 75%. Within that group, six out of 10 do not believe their staff can handle anything beyond simple cybersecurity incidents.

As things stand, 62% of respondents say that it takes at least three months to fill an open position and 59% say that at least half of the applicant pool for jobs they fill are not qualified to fill a position. Approximately 75% say one of the biggest skills gaps they see within the infosec workforce is workers’ inability to understand the business–an eye opening stat considering the CISO’s positioning in the corporate pecking order.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Apple lawyer says meeting FBI demand would help hackers ‘wreak havoc’


Apple’s general counsel will tell members of a congressional committee on Tuesday that the FBI’s demand to unlock an iPhone used by one of the San Bernardino shooters will set a “dangerous precedent.”

Bruce Sewell, the company’s chief lawyer, will testify to members of the House Judiciary Committee that while the company has “no sympathy for terrorists,” the government’s demands would “weaken the security” for every iPhone.

The general counsel will argue in his opening remarks that the government is “asking for a backdoor into the iPhone — specifically to build a software tool that can break the encryption system which protects personal information on every iPhone.”

“Building that software tool would not affect just one iPhone,” the remarks added.

Earlier this month, US judge Sheri Pym ordered Apple to provide “reasonable technical assistance” by building and providing software that would allow federal agents to beat a security feature preventing the phone from erasing after a number of failed unlocking attempts.

Federal agents have been trying to gain access to the iPhone, used by Syed Farook, who along with his wife, Tashfeen Malik, murdered 14 people in San Bernardino, California in December 2015.

Apple last week filed a motion to dismiss the case, arguing that the case could be used by other courts to make similar demands.

“Once the floodgates open, they cannot be closed, and the device security that Apple has worked so tirelessly to achieve will be unwound without so much as a congressional vote,” the motion read.

FBI director James Comey conceded in testimony to the House Intelligence Committee last week that the case could “guide how other courts handle these requests.”

Sewell’s full opening statement can be read below.


Measuring Security: My ‘Dwell Time’ Obsession

How I discovered the critical metric to fuel my drive to create the most secure environment possible.

Throughout my military career, I had two- and three-star generals ask — no, demand — that our security and operations center have measurable cybersecurity metrics. They’d challenge me with the same gamut of questions: “How do you know we are making a difference? Are we getting any better? How do we calculate our return on investment if we don’t know what to measure?” 

I retired from the U.S. Army in 2012. I was never able to answer any of those demands for “good” cybersecurity metrics.

One of the metrics I talked myself out of providing was our number of infected hosts. Is a low number good or bad? If it is low, I am paranoid that I am missing threat activity. If the number is high, there’s a bigger problem at hand. No matter the number, you can never find the denominator (i.e., the actual number of infected hosts). 

From there, I considered another metric: number of security events. This caused me concern as well. Most complex environments detect billions of daily security events. It is impossible to characterize them all as true positives or false positives. Plus, I can’t be sure of the number of dreaded false negatives. How many events evaded detection by our security sensors?

Nothing felt informative or effective.

After I left the military, I finally figured it out. I was fortunate enough to manage an incident response and forensics team. Everything a forensics team does in its investigations is in the context of the Kill Chain. This is the seven-step sequence of events that must occur for a threat actor to achieve their objectives (e.g., steal or destroy data).

While examining the Kill Chain, the idea dawned on me. I could measure the one variable that a threat actor had to have in order to be successful: dwell time in the network. I needed to eliminate or reduce the amount of time they have to complete the Kill Chain. That’s it. If I could limit dwell time, the threat actor would not have what they needed to progress through the Kill Chain.

Dwell time, which is the duration a threat actor has in an environment before they are detected or eliminated by the security team, is something I could measure fairly accurately with a good forensics investigation.

There are a number of well-known dwell time benchmarks to get a good baseline to measure against. Most of the major annual cybersecurity reports now cite the average dwell time number as being over 200 days. We can do better. We must do better.
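The metric defined above, computed over a handful of closed and open cases, as an added example that is not from Schilling’s article or from Armor’s tooling. The Incident record, its field names, the sample cases and the report time are assumptions made for the demonstration. Dwell is taken from first compromise to eradication (or to the report time for a case that is still open), matching the definition above, and time to detection is reported separately so the team can see which half of the window it is shrinking.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One intrusion as a forensics team would close it out (all times UTC).

    first_compromise is the earliest evidence of attacker presence the
    investigation could establish, not the time the ticket was opened.
    eradicated is None while the case is still open.
    (Hypothetical record layout for this example.)
    """
    case_id: str
    first_compromise: datetime
    detected: datetime
    eradicated: Optional[datetime]


def _utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample cases for the demonstration; these are not real incidents.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("IR-1", _utc("2016-01-04T08:00"), _utc("2016-01-06T14:30"), _utc("2016-01-07T09:00")),
    Incident("IR-2", _utc("2015-10-01T00:00"), _utc("2016-02-12T11:00"), _utc("2016-02-15T17:00")),
    Incident("IR-3", _utc("2016-02-20T12:00"), _utc("2016-02-20T12:45"), _utc("2016-02-20T16:00")),
    Incident("IR-4", _utc("2016-02-01T09:00"), _utc("2016-02-25T10:00"), None),  # still open
]
REPORT_TIME = _utc("2016-03-01T09:00")  # assumed "now" for open cases in the sample


def validate(inc: Incident) -> None:
    """Reject records whose timeline is impossible; bad data would silently skew the metric."""
    if inc.detected < inc.first_compromise:
        raise ValueError(f"{inc.case_id}: detected before first compromise")
    if inc.eradicated is not None and inc.eradicated < inc.detected:
        raise ValueError(f"{inc.case_id}: eradicated before detected")


def _days(delta) -> float:
    return delta.total_seconds() / 86400.0


def time_to_detect_days(inc: Incident) -> float:
    """Undetected presence: first compromise to detection."""
    return _days(inc.detected - inc.first_compromise)


def dwell_days(inc: Incident, now: datetime) -> float:
    """Total dwell: first compromise to eradication, or to `now` for an open case."""
    end = inc.eradicated if inc.eradicated is not None else now
    return _days(end - inc.first_compromise)


def dwell_summary(incidents: List[Incident], now: datetime) -> Dict[str, object]:
    """Summarise dwell across a set of cases.

    Open cases count at their dwell so far, so the figure only grows until
    they are closed; it never flatters the team by ignoring work in progress.
    """
    for inc in incidents:
        validate(inc)
    dwell = {inc.case_id: dwell_days(inc, now) for inc in incidents}
    ttd = [time_to_detect_days(inc) for inc in incidents]
    worst = max(dwell, key=dwell.get)
    return {
        "cases": len(incidents),
        "open": sum(1 for inc in incidents if inc.eradicated is None),
        "mean_dwell_days": mean(dwell.values()),
        "median_dwell_days": median(dwell.values()),
        "max_dwell_days": dwell[worst],
        "max_case": worst,
        "median_time_to_detect_days": median(ttd),
    }


if __name__ == "__main__":
    for key, value in dwell_summary(SAMPLE_INCIDENTS, REPORT_TIME).items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

Reporting the median beside the mean matters: in the sample, one long-running case lifts the mean to about 42 days while the median sits near 16, so a single old intrusion uncovered late should not be read as the team getting slower across the board. Counting open cases at their dwell so far keeps the number honest while containment is still under way.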

With this renewed focus, I centered my security strategy around reducing dwell time by: 

  • Leveraging hardened CIS server builds
  • Building an aggressive patching program focused on the most likely targeted servers in our data centers
  • Using on-access scans for anti-malware tools
  • Integrating traffic-shaping at the edge, with IP reputation management, to remove the noise for network intrusion detection and Layer 7 inspection
  • Deploying a ‘zero-trust’ model when provisioning servers (i.e., only the ports and protocols required for operation are open)
  • Leveraging a SIEM with great correlation 

Dwell time is my obsession. Through diligence and careful process, we continue to see this number drop in our customer environments. This change in thinking rallies the team around one standard (measuring the amount of time from initial compromise to eradication) that is quantifiable and can be leveraged to calculate the effectiveness of a security strategy and overall posture.

No metric is perfect. But any other approach has too many unknowns that will overrun you with false positives. Until a new standard is found, dwell time will continue to be my obsession.


Officer at Armor, Jeff Schilling (Col., rtd.) is responsible for the cyber and physical security programs for the corporate environment and customer hosted capabilities. Jeff retired from the US Army after 24 years of service in July 2012. In his last assignment, he was …