The United Veterinary Services Association (UVSA) has created Cybersecurity “Best Practices” recommendations to promote the safe, efficient, and effective operations for distributors, manufacturers, and suppliers of animal care products. The recommendations come in the aftermath of a ransomware attack that impacted more than 700 veterinary networks around the globe.
Best Practices for Our Members
- End User License Agreements (EULA): EULAs are now standard practice for those engaged in B2b eCommerce. EULAs should be in place for all users prior to allowing systems access.
- Site Access and Utilization Logging: Logging the access and utilization of site customer credentialed activity is necessary for EULA compliance monitoring and notification to users in the event of EULA violations or the event of a potential security breach.
- Multi-Factor Authentication (MFA): MFA is now a cybersecurity best practice for commercial and financial systems. Implementation of multi-factor authentication protocols should be in place as a required component for platform access.
- If full MFA implementation is not possible, consider requiring MFA for a subset of user actions focused on securing private party data (SSN, licensure information, etc.) and financial data (payment information, bank information, etc.).
- If full MFA implementation is not possible, consider using a CAPTCHA test to differentiate human vs. bot (machine) users for all access or to limit access to privacy/financial data (as described above)
- 3rd Party Access EULA: In the event that a 3rd party requires access to provide an authorized business application, each 3rd party should execute a EULA prior to receiving systems access. Such access should then be delivered only through an approved application programming interface (API).
- The API should allow access via unique 3rd party credentials and limit that access only to data required by the 3rd party for legitimate business operations. Use of the API can be subject to rate limits and data limits to ensure the e-commerce platform is not unduly loaded.
- A 3rd party EULA should clearly define acceptable platform use, limitations on platform use, security expectations for connected systems, security expectations for retrieved data, data usage limitations, and rights to audit access and data security/utilization.
The “Best Practices” recommendations were developed by IronNet, a cybersecurity company engaged by the United Veterinary Services Association (UVSA) as a subject matter expert, based on the work of the UVSA Distributor Working Group on Cybersecurity.
Why implement the cyber-security best practices?
More than 700-businesses in our industry have already been attacked, and cyber security breaches are a constant threat. One attack could cost you your business and your reputation.
Why invest in the added expense if my company has not been targeted in a cyber-attack?
Statistics show 80% companies have already experienced some type of security hack. Smaller businesses are targeted even more often due to a lack of investment on cyber security measures. A cyber-attack could mean a loss of revenue. A cyber attack could also mean a loss of confidential data which could make you vulnerable to competitors.
My company cannot afford to pay for the additional security measures. How can I justify the cost?
Can you afford not to put the protections in place? Look at the facts and statistics:
- 2019: 60% of businesses experienced phishing and social engineering attacks.
- 2020: The U.S. was the target of 46% of cyberattacks worldwide.
- 2021: Ransomware attacks increased dramatically. For example, The Colonial Pipeline ransomware attack affected the East Coast when It impacted computerized equipment managing the pipeline.
- 2022: More than 90% of cyber-attacks begin as spear phishing emails which can be blamed on human error.
- By 2025, the cost of cybercrime is expected to hit $10.5 trillion, according to Cisco’s/Cybersecurity Ventures almanac.
Will I be guaranteed against a cyber attack if the best practices are implemented?
There are no guarantees, but without the safeguards you could be more vulnerable to an attack. With the influx of sophisticated cybercrimes emerging, it’s not a matter of IF you will be targeted, but when.
Should I tell my customers about the added security measures?
Yes. Your customers and various stakeholders will appreciate the added security measures to protect their data as well. The added security will help build their trust in you. It will make you less vulnerable to any cyber-attacks and make your customers feel more protected doing transactions.