The food and beverage industry is as susceptible to cybersecurity threats and attacks as any other industry. The need to secure corporate private networks and intellectual property is at an all-time high, as is the need to protect the food supply.
According to Trustwave’s 2013 Global Security Report, 24 percent of all reported data breaches occurred in the food and beverage industry, second only to retail. With one attack, retailer Target lost around 40 million credit and debit card numbers, resulting in a drop in consumer confidence and a loss of trust. Similarly, the company that manages a large hospitality chain found that a cyberattack had compromised payment information at 14 of its restaurants and bars across the U.S.
Interconnectivity among franchises poses a whole other area of cyberthreat. A breach at one restaurant chain between 2008 and 2011, for example, led to the theft of card data belonging to more than 80,000 customers, which was used to make millions in unauthorized purchases. Shockingly, 70 percent of food and beverage companies that are hacked go out of business within a year of an attack.
But the risk is not just financial. Agroterrorism, or the “intentional contamination of the food supply with a goal of terrorizing the population and causing harm,” is an increasing risk. Every year, more than two million people die from food-related illnesses and more than 1.3 billion tons of food is wasted due to spoilage. Food irradiation (sometimes called electronic pasteurization), which is permitted in over 50 countries, is known as a way to help preserve food, but is not without its risks. If hackers gain access to a food supply company’s network, they could have the power to introduce dangerous amounts of chemicals to the food being treated. Programmable logic controllers, or PLCs, which are used to control processes in many settings like energy plants, water treatment plants, and other industries, are “designed to blindly obey all commands, regardless of what impact they might have.” All a hacker would need to do to cause a major catastrophe is to hack into these systems, and from there they could cause an explosion at a chemical facility or poison a food supply. Even the ability to remotely shut down refrigeration systems can be detrimental to food safety. Failing to introduce a comprehensive cybersecurity program that encompasses food quality and safety guidelines can lead to many illnesses and even fatalities.
What constitutes cybersecurity? Many companies believe perimeter point solutions, such as firewalls and antivirus software, are all it takes to become cybersecure. ANX Corp. identified eight major security gaps that affect food and beverage companies: outdated firewalls, insecure remote access, weak security configurations, operating system flaws, lack of staff training, flawed security policies, negligence, and poor change control procedures. All of these security gaps can be linked to a lack of security best practices. It’s not unusual for a company to believe it is safe, especially if it can’t see that it’s at risk. Trustwave found that of the organizations that were victims of a breach, only 16 percent were able to detect it themselves. The remaining 84 percent relied on outside companies to report the information.
Cybersecurity is much more than a point solution—it is a comprehensive plan that complies with company objectives, corporate requirements, and/or federal and state government regulations. Once you have identified your cybersecurity needs, you can start to address cybersecurity technical requirements. This is why simply using point solutions can provide a false sense of security, since they are typically deployed quickly to address a perceived need. This is where the trouble lies. A good cybersecurity plan begins with a risk analysis to determine the current state of security and what you need to do to improve it.