By Faith Beaty
Food safety, information and cyber security may not seem to be related topics, nevertheless cyber threats are risks within the value chain.
Information and cyber security are trending topics for concern on corporate agendas, becoming a core governance issue for everyone from boards to management. Food and beverage companies are seen as prime targets, with some notable cases including food companies have the worlds’ largest meat producer JBS which underwent a cyberattack.
Outside of the food industry, cyber-attacks are reported frequently and those that hit the headlines invariably involve corporate giants. Of course, the larger players in the food sector, companies such as the Unilever the Kraft and McDonald’s – all have protective systems in place such as reliable security information management systems. Smaller companies who are suppliers may believe this won’t affect them, yet they would be mistaken as a 2022 statistic notes that 99% of cyber-attack claims were from small to medium enterprises.
Increasing risks
Giovanni Francescutti, ICT Director in Business Assurance, DNV Italy points out that “the world is more interconnected than ever. Workers connect everywhere and a multi-cloud reality is emerging in our software-defined world. Increased digitalization, connectivity and mobility is bringing new risks. More to the point, attacks are becoming more automated and sophisticated, increasing the risk of breaches ranging from data breaches, ransomware, vulnerable clouds, phishing and smartphones for example.”
Giovanni highlights that the last two years have seen an increasing reliance on digitization saying, “what we saw with the pandemic, with everyone working from home, new technologies are evolving fast; there’s hyper connectivity. And with this it is not just the big companies that will be targeted, small businesses will be increasingly targeted and impacted substantially. ”
Stefano Crea, Global Market & Industry Director in DNV Business Assurance, agrees and adds, “Food production is highly automated and data driven. In addition, the food industry, like other industries, is getting highly interconnected. This is good because it has a positive impact on yields, output, and production efficiency. Crea points out there’s a risk of increasing vulnerability to data breaches and ransomware attacks. And these developments come at a time when companies are trying to stay competitive and sustainable in the marketplace.
Proactive steps to counter threats
Both Crea and Francescutti agree that protecting systems from cyber-attacks involve establishing procedures and educating employees to understand how threats occur and what can be done to prevent them. A first step may be a certified management system to help companies assess risks as well as manage and improve performance.
ISO/IEC 27001 is now the most recognized international standard for information security management systems. It details requirements for establishing, implementing, maintaining, monitoring and improving such a system and is designed to be compatible and harmonized with other recognized management system standards.
There is also a new version of ISO / IEC 27002 which was published this year. The changes to this guideline standard impact the certifiable standard ISO / IEC 27001. And one of the main benefits of the new version for certified companies is that it addresses new controls to ensure new scenarios and risks are not missed.
“So, there are guidelines and certification schemes available, and they provide a very good framework for companies to carry out operations in a safe and secure way,” says Crea, adding that “they also keep systems processes up to date. This is important because they may become outdated quickly because cyber threats are evolving fast, hackers are opportunistic and are looking for new ways to get through the back door.”
Ring fencing vulnerable systems
Cyber threats are very real today. IT systems and teams must minimise risks to protect companies, which may involve ring fencing vulnerable systems. Ring fencing is a form of data protection where fences are built around online applications to reduce security risks.
In most organizations, the network is not designed to protect and threats can come from several sources. Access to systems by engineers may involve updating equipment. It is essential it is kept clear of viruses and other malware.
Crea emphasises organizations also need to understand the importance of the human behavioural element. “A company can have the most secure physical systems, but sometime hackers use the vulnerability of the employee, to hook them in. And as we all know, any system or chain is only as strong as its weakest link. And normally the weakest link is the human behaviours and that is why it’s important to have also a comprehensive, robust management system.”
According to Francesccutti the most common methods for cyber-attacks is through emails (either spam or directed attacks). Spam is often harmless, but some will have links that are damaging and open system vulnerabilities. Consider a system that identifies spam and blocks addresses and domains. No one system can identify and block them all, systems are not fool proof. Therefore the employee is the ultimate defence to these types of threats.
Act now
Crea believes that the earlier an organization takes action to counter cyber threats the better equipped it will be to avoid problems down the line. “Cyber-attacks have already impacted the finance, banking, energy and logistics sectors to name a few, and there’s a high risk that the second round of priority areas like the food industry will be impacted more going forward. Disruption of the food industry could have a huge domino effect and we strongly recommend food companies and their suppliers to develop robust and reliable systems to become less vulnerable to cyber-attacks,” he concludes.
About the Author:
Faith Beaty is part of the global communication leadership team for DNV, a global independent certification, assurance and risk management provider, operating in more than 100 countries. She currently serves as the Director of Marketing and Communications, Americas for the Business Assurance Division. Mrs. Beaty has top-level experience in business operations, having held roles ranging from director of sales and marketing and director of business development to chief executive officer for DNV Business Assurance USA Inc.