Food and drink manufacturers: Is your business low-hanging fruit for cybercriminals?

Written by Sue Newton, GB Food & Drink Practice Leader, WTW

Food and drink manufacturers are under increasing pressure to modernise their cybersecurity. Attacks such as last year’s targeting of the world’s biggest meat processor, which saw it pay a multi-million-dollar ransom after a cyber-attack shut down operations, have prompted many food and drink manufacturers to address their approach to cybersecurity.

In common with other manufacturers, food and drink operators may well be playing catch-up on cyber, perhaps one of the reasons why recent research indicated manufacturing companies are the most likely targets of these types of attack.

Why might food and drink manufacturers be falling behind on cyber security?

Unlike other sectors long galvanised into cybersecurity action by regulation, such as financial services, or the high volumes of personal information they handle, such as online retail, food and drink manufacturers have not been led by the same imperatives.

This in turn has led to comparatively lower capital investments in cybersecurity in some businesses. Historically, this was justified by the lower probability of being targeted and under the assumption their businesses lacked the data most prized by attackers. But with food and drink manufacturing technology changing, and with an increasing convergence of the Information (IT) and Operational Technology (OT) environments, cybercriminals too have changed their methods of attack to include ransomware and extortion techniques.

Previously, the production line (OT) would have been largely independent from the IT environment, which would have meant that even if there was malicious activity in IT, production could continue. As IT and production environments converge and integrate, food and drink manufacturers are often perceived to be less mature in establishing and maintaining the required security controls between both operating spaces – potentially providing a perfect opportunity for attackers to target businesses considered ‘low hanging fruit’ when compared to those earlier industry examples.

Operational performance prioritised over security

With increasing innovations in technology, including use of automation, the harnessing of AI and the deployment of Internet of Things devices now commonplace in the food and drink sector, there must be a heightened emphasis on cyber security, a slight step change for an industry whose operations more traditionally focused on performance and safety. In some cases, these new technologies and operating environments are being implemented, operated and managed not necessarily by cybersecurity experts, but by manufacturing specialists or an IT function that doesn’t specifically own cybersecurity within the business.

These scenarios create a system environment with both a large attack surface and significant vulnerabilities, so perhaps it’s little wonder food and drink manufacturers may find themselves identified as potential soft targets for cyber-attacks.

How are underwriters’ views of food and drink manufacturers’ cyber risk changing?

While once manufacturers may have been perceived by underwriters as having a lower risk profile than purchasers in sectors such as finance and retail, this is increasingly less likely to be the case. Insurable food and drink operations may find they struggle to secure cyber cover, particularly when compared with peers with more advanced approaches to cybersecurity.

These same peers are also likely to represent a more compelling proposition to potential partners along the supply chain. Demonstrably effective cybersecurity, including the ability to present your cyber risk as insurable, helps show partners you’re less likely to be a weak link in the chain.

What steps can food and drink companies take on cyber?

There are cybersecurity steps food and drink manufacturers can take without feeling overwhelmed or concerned at the prospect of prohibitive investment.

Thinking about this in broad stages can be helpful, with the first step being to identify your mission-critical data and systems. What are the systems and machines you need to protect above all others to keep operations on-track to meet existing customer demand?

Next, assess the strength or otherwise of the security around these prized assets before prioritising what steps you might take to reduce their vulnerability to attack. This could lead to moves such as segregating data depositories, tighter user access controls and broader cybersecurity measures and controls layered throughout your computer network.

Upping your resilience to cyber-attacks will also involve creating plans to constantly test the efficacy of your controls. This will likely demand funding and support by people with the right expertise but also at the appropriate seniority to ensure cybersecurity is owned at a strategic level.

If you don’t have all the answers, either for an underwriter or a potential partner seeking assurances regarding your cybersecurity, then you should consider working with internal or external experts to understand what you don’t know and start building a full picture of your vulnerabilities and how to effectively reduce and manage them.

In short, it’s better to invest in the right people with the relevant skills and to spend out on a robust cyber strategy that also identifies your risk potential, rather than pay a ransom to the wrong kind of people. It will certainly save you in the long run.

