By Jodi Borger
In today’s digital landscape, cybersecurity is more than just a buzzword — it’s a critical responsibility. Organizations, especially electric cooperatives, must navigate an increasingly complex world of cyber threats to protect their members, operations, and sensitive data. Co-ops such as Paulding Putnam Electric Cooperative (PPEC) — which serves parts of Indiana and Ohio — and NineStar Connect in Greenfield, Indiana, are leading by example, showing that vigilance, education, and innovation are the keys to staying ahead of cybercriminals.
By adopting advanced technologies, creating a culture of cybersecurity awareness, and prioritizing constant improvement, these cooperatives are establishing themselves as industry leaders in protecting their cooperatives and their members.
Proactive planning
The key component of any successful cybersecurity strategy starts with proactive planning and action. For PPEC, a critical step toward better security was the transition of its server infrastructure to the private cloud. This enhancement improved the co-op’s disaster recovery capabilities, provided immutable backups, and reduced the time and resources spent managing physical servers, which was important to Todd Taylor’s team of two.
PPEC IT Manager
“It gave us better disaster recovery, permanent backups in the cloud, and took a lot of the network and day-to-day management off of our plate,” said Taylor, IT manager at PPEC. “That helped a lot, allowing us to focus more on the cooperative initiatives instead of dealing with servers, space, and connectivity.”
This strategic decision not only enhanced security but also positioned PPEC as a trailblazer, particularly
in Ohio.
“We were the first co-op in Ohio to migrate our infrastructure to the cloud,” said Taylor, highlighting their commitment to staying ahead of the curve.
Taylor noted that at PPEC, cybersecurity is a high priority for the cooperative board, ensuring that adequate resources are allocated to stay ahead of emerging threats.
Similarly, NineStar Connect has taken significant steps to secure its operations. Routine security assessments and vulnerability scans ensure any weaknesses are identified and addressed as soon as possible.
NineStar Security Services Director
“Cybersecurity is the responsibility of everyone, inside and outside the co-op,” said Shira Dankner, NineStar Connect’s director of security services.
Both co-ops also rely on robust firewalls, intrusion detection systems, and penetration testing to shield their systems from unauthorized access and malicious activities. Regular updates to software and hardware supplement these measures to ensure known vulnerabilities are quickly patched.
The importance of employee training
While advanced technologies are important when it comes to cybersecurity, the human element remains the first line of defense — and often the weakest link. Both PPEC and NineStar Connect recognize this reality and have invested in employee training to combat phishing, one of the most common and effective attack methods cybercriminals use.
PPEC uses the KnowBe4 platform, which employs artificial intelligence to create realistic phishing email simulations for employee training. These exercises teach employees how to spot and respond appropriately to suspicious messages.
“Before, you could look at a phishing email and think, ‘This looks a little weird,’” said Taylor. “Now, with artificial intelligence being thrown into the scenario, it’s very hard to detect.”
To encourage participation and create a positive culture around cybersecurity, PPEC implemented
an incentive program. Employees
earn points for successfully identifying and reporting phishing emails, which can be redeemed for gift cards and other rewards.
“There are incentives to have them report suspicious emails,” Taylor said. “It’s helped employees become much better at recognizing phishing attempts and sending them to us for further analysis.”
NineStar Connect has taken a similar employee-focused approach. Simulated phishing emails are tailored to each employee’s skill level. Those who frequently click phishing links receive simpler emails to build their confidence, while more advanced users face more sophisticated challenges.
“In an ideal world, you don’t click anything, but that’s not realistic,” Dankner said. “If you get to the top rank, it’s going to be the hardest one that the system can throw at you.”
By empowering employees through training and incentives, both co-ops have cultivated a workforce that is alert, educated, and engaged in the fight against cyber threats.
“What keeps me up at night is somebody clicking on an email,” said Taylor. “All our data is encrypted, and we have all the things in place that are common sense, but it’s that one we can’t control. It only takes one click, and then everybody is going to have a bad day.”
Other forms of protection
Beyond employee training, technical defenses are critical to maintaining strong cybersecurity. At PPEC geo-locking has been implemented for Office 365 accounts, restricting access to U.S.-based locations to prevent unauthorized logins.
“The only way a co-op employee can access their Office 365 accounts is from within the United States,” said Taylor. “If they’re going on vacation out of the country, the employee will need to notify IT in advance to exclude them from the policy and allow them to gain access to their account.”
This geo-locking strategy has proven effective in mitigating login attempts from foreign actors. It also highlights PPEC’s proactive approach to limiting vulnerabilities.
NineStar Connect complements its technical measures with multifactor authentication (MFA), firewalls, and intrusion detection systems.
Although MFA, which requires users to provide more than one password to log in to an account, can be inconvenient, Dankner stresses its importance.
“No one likes MFA, and I believe MFA is incredibly important, but I’ll admit I hate clicking it, too,” said Dankner. “It’s the nature of the world we live in, but we don’t have a better alternative.”
As technology advances, so do the tools and tactics used by cybercriminals. Artificial intelligence has become a double-edged sword, aiding both defenders and attackers. It enables cybercriminals to create highly convincing phishing emails and launch targeted spear-phishing campaigns using stolen data, and that goes for all companies, not just cooperatives.
“Augmenting traditional phishing tactics with artificial intelligence is one good example,” said J.D. Henry, Cybersecurity Advisor for Indiana with the Cybersecurity and Infrastructure Security Agency. “A threat actor can also collect stolen user data and employ AI technology to create highly targeted spear-phishing attacks that may not immediately be identified as malicious.”
To counter these advanced threats, cooperatives rely on 24/7 monitoring and cutting-edge detection tools. Continuous scanning of systems and networks allows for quickly identifying suspicious activity, ensuring timely responses to potential threats.
“Social engineering and phishing-type attacks remain highly effective, and a key preparedness step is to continue the investment in training people to identify and report those activities,” Henry emphasized.
Protecting members
When it comes to cybersecurity attacks and threats, there is no one-size-fits-all approach for cybercriminals.
“Some organizations feel they are too small to be a target and don’t invest in cybersecurity practices,” said Henry. “There can be a misunderstanding that threat actors often discriminate in targeting their attacks. In reality, any organization or individual with valuable data is a potential target.”
For cooperatives like PPEC and NineStar Connect, cybersecurity isn’t just about protecting their own operations — it’s also about helping members protect themselves.
“Cybersecurity is a team sport,” said Henry. “It requires collective efforts to safeguard systems and data.”
Taylor advises members to take basic precautions such as keeping software updated, patching their home systems, and using unique passwords for each account. For those struggling to remember multiple passwords, he recommends password manager programs.
Reflecting on the challenges of his role, Taylor highlighted the unpredictability of cyber threats.
“It’s not if, it’s when,” said Taylor.
Dankner echoed this sentiment, emphasizing the need for preparedness. “A cyberattack could happen with a moment’s notice, so you practice, and you have a plan,” she said.
By prioritizing cybersecurity, PPEC and NineStar Connect are not only protecting their operations but also maintaining the trust of their members. Their proactive approaches — ranging from cloud migration and geo-locking to employee training and advanced threat detection — serve as a model for other cooperatives.
As the digital world continues to evolve, these cooperatives remain committed to adopting the latest security practices, investing in innovative technologies, and cultivating a culture of security awareness. With vigilance, education, and innovation, PPEC, NineStar Connect, and other cooperatives around the state and country are dedicated to doing what it takes to stay ahead of ever-changing cyber threats.
Four ways to keep cyber safe
Cyber scams are nothing new. Like the data from electric cooperatives, your information is also a target of online predators.
How can you reduce the chances of falling for the scams? Follow these easy and common-sense ways to protect yourself online from the United States Cybersecurity & Infrastructure Security Agency.
Turn on Multifactor Authentication
It goes by many names: Two-Factor Authentication, Multifactor Authentication, Two-Step Factor Authentication, MFA, or 2FA. They all mean the same thing: opting into an extra step when trusted websites and applications ask you to confirm you’re who you say you are.
Places like your bank, social media network, school, or workplace can verify it’s you by asking for two forms of information such as:
- A PIN number or your sister’s middle name
- An authentication application or a confirmation text on your phone
- A fingerprint or face ID
If you see prompts for multifactor authentication, opt in.
Update your software
Bad actors will exploit system flaws. To protect yourself from possible security issues, update the operating system on your mobile phones, tablets, and laptops and turn on automatic updates for the future.
Think before you click
Have you ever seen a link that looks a little off? It looks like something you’ve seen before, but it says you must change or enter a password or ask you to verify personal information.
It’s likely a phishing scheme: a link or webpage that looks legitimate, but it’s a trick designed by criminals to obtain your sensitive information. If it’s a link you don’t recognize, trust your instincts and don’t click it.
Use strong passwords
Did you know the most common password is “password”? Followed by “123456”? Using your child’s name with their birthday isn’t much better. Picking an easy password is like locking your door but hanging the key on the doorknob.
To create a stronger password, make sure it’s:
- Long — at least 16 characters
- Unique — never used anywhere else
- Randomly generated — usually by a computer or password manager.
Don’t recycle the same password across all your apps and websites. You can use a password manager to store all your passwords, so you don’t have to remember them all. Make sure to secure your password manager account with MFA.
For more information, visit cisa.gov.
Multifactor Authentication: Ways to verify it’s you
- Something you know — such as a PIN number or your sister’s middle name
- Something you have — such as an authentication application or a confirmation text on your phone
- Something you are — such as a fingerprint or face ID
