When it comes to cybersecurity, the food industry is facing more threats and risks than ever before, which is creating increased vulnerability in plant operations and the rest of the supply chain. Cyberattacks are focusing more and more on critical infrastructure, putting the food industry squarely in the crosshairs of cybercriminals.
Studies have shown that cybercriminals can penetrate 93% of company networks. One of the most serious threats is food tampering, with malware turning food itself into a weapon of terror. Cybercriminals can hack into food processing, transportation, and storage systems to spoil food and cause food poisoning and food shortages.
Ramping up protection costs both time and money, but making a preemptive investment in information security can save significant costs, considering that the median cost of a cyberattack increased from $10,000 to $18,000 in 2022, costing 40% of attack victims $25,000 or more.
Employees: Your First Line of Defense
The first and most crucial step in cybersecurity is employee training. When it comes to information breaches, two segments of a company can be impacted: the business and the operations. Impacts on the business could include leaking confidential client information, formulations, and recipes, among other data, while impacts on operations could include leaking sensitive employee information.
As a company’s first line of defense, employees need to understand how important and integral their role is in data security. Phishing and malware are among the most popular forms of cyberattacks. By preying on individual employees, successful hackers can shut down production lines, reroute deliveries, and delay shipments.
Tools such as phishing tests can help gauge employee skills in “real-life” scenarios and help companies identify weaknesses across the organization. Employees who consistently fail phishing tests can be provided with additional training. Tests can also be coordinated on a recurring, random basis to keep employees alert and vigilant.
Food companies, especially those with plant operations, should also focus on physical security. Hackers will sometimes try their hand at breaching physical locations by “tailgating,” following an employee into a secured building without a badge. This type of attack incurs risks to data stored within the location and the products being manufactured. Just as with phishing simulations, it is important to educate employees about the risks of physical breaches, with reminders on how to prevent tailgating, lock computers, and safely store sensitive information.
Creating a Cybersecurity Toolkit
Building a strong culture of information security starts from the top down. Senior management must prioritize cybersecurity for employees to care about and understand its importance. Security professionals can work with senior leaders to identify the organization’s security starting point. If management makes information security a priority, that mentality trickles down to the entire organization.
This mentality can be communicated in training, team meetings, emails, and office posters. Some companies incentivize employees by providing free lunch or a day off for passing cybersecurity training and simulated tests.
Businesses can ramp up data security by implementing controls across the organization. Passwords should require a combination of upper and lowercase letters, numbers, and special characters, and should be updated frequently. In combination with strong passwords, multi-factor authentication (MFA) can secure data even further. This extra layer of protection can stop a hacker who has breached the system from advancing to further applications.
Companies should also evaluate their software and hardware to determine if upgrades are needed. Legacy infrastructure can hamper an organization’s efforts to increase cybersecurity, as it often cannot be updated to meet current security needs. Patching assets is another area where companies can focus their efforts; unpatched assets are a popular way for hackers to breach systems.
When Incidents Do Occur
It is best practice to have a contingency plan in place for worst-case scenarios, such as a data breach or malware that shuts down operations. An incident response plan can be created with specific details included, such as whom to contact depending on the scenario, what systems must be shut down to reduce the reach of the incident, and what tools should be used to contact employees and stakeholders. By putting an incident response plan in place, operators can minimize the potential damage to systems and data. Employees should be trained on the plan. This helps to increase response speed and minimize panic and confusion during real-life situations. Incident response plans should be updated at least annually.
Seek Third-Party Support
From providing security training to setting up off-site servers, there are numerous third parties that can help businesses to improve and strengthen their information security efforts. NSF-ISR’s basic security assessment and ISO 27001 certification provide a security framework to help businesses better manage their data and information. ISO 27001 is a globally recognized certification that defines requirements for creating and maintaining a cybersecurity management system and provides a comprehensive set of controls.
No matter what mode of action businesses take first to strengthen their information security, it is most important to simply get started. Operations are only going to become more digital, so when it comes to areas within the food industry where safety, the supply chain and confidential information can be impacted, cybersecurity is imperative.