The food and beverage industries can grasp the same kinds of opportunities through technological innovation as most sectors, as automation, remote access control and data collection are increasingly seen as must-have advantages that help drive down costs and keep ahead of the competition. Yet the push to modernisation through system connectivity, combined with the drive to adapt to post-pandemic work patterns, such as remote working, is rapidly increasing companies' attack surface – and upping the cyber threat.
Unlike a bank or web host that gets robbed and shut down, the food and beverage industries carry an additional risk: that compromised systems will not operate as intended during and after an incident. Allergens could be introduced across product lines. Internal temperature gauges for pre-cooked goods and fermentation tanks may report erroneous readings, allowing dangerous products to reach the public.
Despite these risks, a UK government report found last year that only 62% of those surveyed in the food and hospitality sector treat cybersecurity as a business priority. The report also noted that, in 2021, four in ten businesses acknowledged they had suffered a cybersecurity breach or outright attack within the last year.
The food and beverage industries have become lucrative targets for threat actors. Both sectors are critical components of economies and, for many nations, they now represent a real national security threat if compromised. Increasing consolidation of companies and manufacturing processes makes these sectors ripe targets.
Malcolm Murphy, director of engineering at UK-headquartered IT security group Mimecast, says: “Cyberattacks could also impact the supply chain. Suffering an IT breach in this sector causes product delays and can lead to downtime which then impacts volume production. With the pressure on the global supply chain following the decline and recovery of the pandemic, this is particularly sensitive now. Another issue this sector could face is theft of proprietary information, such as product formula or ingredients.”
In 2021, Brazil-based meat processing group JBS was subject to a highly sophisticated cyberattack that knocked out slaughterhouses in the US, Canada and Australia. This resulted in knock-on effects in the meat supply chain, in particular pork and poultry, as JBS accounts for roughly one-fifth of the global meat supply.
JBS didn’t get operational again due to some fancy cyber sweeper programme or a skilful takeback of its operational technology systems by its 850 employed IT professionals, or as a result of the US$200m the company spends on IT annually. It fixed the problem by paying the hackers US$11m in ransom, as it felt this was the quickest way to reduce the risk to its customers.
“The problem is that working out what has happened, and when, can be very challenging, and whether to pay the ransom is not a decision to be taken lightly,” says Martin Riley, director of managed security services at UK cybersecurity consultants Bridewell. “There are ethical considerations such as ‘are we funding organised crime?’ Plus, ultimately, if you pay the ransom once, then you become an attractive and lucrative target for future attacks, as seen with attacks on computer giant Acer and Japanese medical tech group Olympus.
“Businesses are now facing more financially motivated and skilled attackers who can adjust their techniques to achieve a breach. Every company is a target and with both business and revenue on the line, it is critical that companies implement the necessary prevention, detection, and response capabilities to either prevent the intrusion from occurring or to evict the attackers before they can cause any damage.”
Covid-19 and the cyber threat
The pandemic has caused a seemingly never-ending list of issues for the food and beverage industries, ranging from supply chain difficulties to worker shortages, both of which increase the threat of cyberattacks.
A constricted supply chain means missed shipments or delays that can be the final nail in the coffin for some businesses, thus making a ransom payout a favourable option.
High worker turnover is increasing the attack surface for hackers, as they can target new and untrained employees, often with socially engineered emails themed around Covid-19 or cybersafety that can catch people off guard with their faux authenticity.
Less talked about is the changing nature of IT systems in recent years, which has been driven by automation, data, remote working and increased online consumer engagement.
Maya Harruna, co-founder of No Guilt Bakes, a predominantly online food sales platform, told Just Drinks: “The pandemic led to us experiencing a significant spike in the number of customers and we needed to upgrade from a basic Excel sheet to systems like Shipstation and Mintsoft in order to gain better control of the business.
“We have noticed that as we have grown there is definitely a need for our operational systems and IT systems to become increasingly connected to enable us to better cope with the demands of our growth. We also depend on systems to make sure that we comply with legal requirements that require us to display accurate nutritional information and allergies. This is especially important following the introduction of Natasha’s Law.” That law stipulates companies have to include clear ingredients and allergen information on packaging.
The cyber problems with legacy systems
A major issue is the prevalence of legacy systems that were previously air-gapped, that is, not connected to any online systems. Older systems are simply not up to date, and there is a long list of resources online that catalogue vulnerabilities in these systems. This is done by security firms to help companies mitigate risks and patch systems, but threat actors take note of these vulnerabilities, too.
Older operational technology may simply have no fixes available, and recently connected online systems will not have adequate security patches in place. Attackers are more than aware of this and are actively seeking out these older systems as points of entry into a company’s wider cyberinfrastructure. No matter the size of the operation, it’s important for companies to understand the risk of connecting systems in times of expansion and greater remote control by workers.
“The primary impact of Covid-19 across the digital threat landscape is that many organisations are having to rapidly deliver digital transformation to enable remote working capabilities,” says Bridewell CEO Scott Nicholson. “This adaptation brings risks around misconfiguration of remote access technologies. Organisations that have had to expedite digital transformation – moving from an office-based workforce to home working – now face a completely different set of security risks than before the pandemic. These risks arise via mobile working and would not have been present prior to Covid.”
Food and beverage companies that are undertaking any kind of IT work need to understand the system vulnerabilities of legacy systems and mitigate the risks appropriately. However, at the end of the day, the biggest boon to threat actors is and will remain human error.
Most business shutdowns don’t come from a Matrix-esque system takeover via code manipulation but rather begin with a high-level worker opening a link in an email. Always remember that phishing and social engineering attacks are a constant reality and all the best security in the world is worthless if an employee hands out the keys.