LRQA podcast: Is the food industry prepared for cyber risk?

Welcome back to The Future in Focus podcast by LRQA or if you’re new here, thank you.

In this episode, presenter Holly Plackett is joined by Stuart Wright, Global Head of Governance, Risk and Compliance at Nettitude an LRQA business and returning is guest Kimberly Coffin, Global Technical Director of Supply Chain at LRQA. In this episode, we asked Stuart and Kimberly why cybercrime should be a well-considered factor in any food defence programme and discussed the potential implications on food safety in the case of cyberattack.

Thanks for joining us again Kimberly and Stuart this is your first time appearing on the podcast, so thanks very much for joining. Stuart, could I start by asking you to briefly introduce yourself for the audience?

Yes sure, thanks Holly. Hi everyone, my name is Stuart Wright, thanks for asking me to join today. I am the Head of Governance, Risk and Compliance (GRC) at Nettitude.

So my role here is to oversee Nettitudes’ GRC team, so my team provide consultancy services to our clients, typically we’re covering areas in cybersecurity and compliance domains so that’s areas like cybersecurity maturity, PCIDSS so that’s consultancy around and auditing around credit card security.

We also work with our clients in areas like ISO 27001, risk management and security awareness training for end user employees and teaches them about security good practices. I’ve spent around 10 years working in consultancy particularly around cybersecurity and more generally I’ve spent 20 years working across the IT industry in a number of different technical roles.

So thanks again for inviting me along today and I look forward to hopefully sharing some of my knowledge and experience with you.

Great thanks, I’ll jump straight into the questions now.

So cybercrime has been a long standing risk for businesses across all sectors, Stuart could you shed some light on the type of attacks we are seeing, who these attacks are targeting and the damage they can have on businesses?

Sure, so cybercrime is a problem across all industries really. So from the perspective of the criminal, the attacker, and they’re typically not necessarily targeting particular organisations. So more so they’re interested in the low hanging fruit, so the softer targets that could perhaps be easier, less difficult to attack in the first place.

So they’re not necessarily concerned about sectors, it can be fairly indiscriminate, fairly opportunistic. We see criminals taking advantage of fairly fundamental flaws so that’s things like out of date systems, out of date applications, things not configured correctly, these are essentially flaws where you would say they are easy to predict and controls are relatively easy to put in place to address those, it’s the cyber equivalent of unlocked doors, unlocked windows and not being closed properly, things that are quite easy to attack.

So as I say they’ll be fairly opportunistic. Attackers often aren’t the nation state level that perhaps we think about although that, of course that does happen too but in terms of the initial compromise for an organisation this may well be someone who only has a fairly basic skill set and they’re going to exploit those common vulnerabilities.

We’re generally thinking about criminals who really their only goal is to extract money from you so its not maybe like it was ten years ago when it was about QDOS and causing disruption and showing skills this more about how can the criminal obtain cash, extract cash from you.

They’re going to come from different angles so you know there are going to be attacks that are about things like trade secrets and patents and so on, but thinking about the ones within the professional world that we most commonly see they are often about ways of getting money. So these are things we’ll have heard of like ransomware, like deploying ransomware, locking an organisation out of their files and their systems and then demanding some money to provide that access back and to restore that access. And really the impacts, we talked about the impact there is around the loss of access to your systems that you need to run your business.

So you mentioned the damage, the impact that these events can have and we might see that in many different ways. There’s the financial impact so you’ve got the loss of revenue, whatever the incident type if your systems are down then you may well be losing revenue, that’s quite a direct cost of course but there are going to be indirect costs as well. So that’s things like the effort that goes into recovery, costs for engaging external experts and consultants and people with specialist skills around things like forensics, disaster recovery, getting the systems back online and so on.

You’ve then got things like the cost and resource drains on your own teams so that might be rebuilding your IT systems and your networks and infrastructure. Its really not an exaggeration to say that sometimes the best thing to do after an attack can be to rebuild many of your systems from scratch so that’s going to cost you time, its going to cost you money and it’s going to keep your teams busy which means they’re not doing their day job, the things that you’re relying on to keep the business operating.

And you’ve then got I guess from an impact perspective concerns around reputation, you’ve got things like your consumer confidence and investor confidence as well and the other important thing that often gets peoples attention when thinking about the impact of cyber breaches is regulatory fines, its fines from the regulators and that’s particularly a concern if there’s any kind of personal data involved which may not be the case when we’re talking about environments being unavailable. I’ve focused I guess on relatively untargeted attacks in answer to this question, as I say there’s opportunistic attacks where the aim of the criminal is just to extract cash.

Another angle and perhaps one that’s as bad if not worse and more serious is attacks that can impact on confidentiality of data, so that’s exfiltrating information, maybe publishing information online and then there’s the data itself, the information itself and making changes to it. We rely on data, we rely on the data being accurate, if anything impacts on that data that means that we can’t trust the data, we can’t trust it’s accurate. The impact of those kind of attacks perhaps isn’t as obvious, it isn’t as immediate but the consequences can be in many ways worse than the information’s simply not being there at all because if we can’t rely on the accuracy of data then we may make bad decisions that could have impacts elsewhere in the business.

Great, thanks Stuart. So we know that these attacks are happening across the globe at varying levels of severity, Kimberly in your opinion do you think the food industry in general is as protected against cyberthreats as much as they ought to be?

Cyberthreats and the potential impact to safe food production and ultimately consumers are not a common topic of conversation amongst food safety professionals, so based on that fact I would have to say no.

And why is it so important that businesses within the food sector have a robust food defence programme that includes cybercrime?

A great question but in just piggy backing off a number of the things that Stuart has already talked about with regards to the types of attacks and the impact on businesses, you know given that the food sector is increasingly focused on the use of tech to address challenges such as the talent gap that all are experiencing as well as you know really looking to gain operational efficiencies in order to keep their cost of production low. As well as going kind of really going digital if you will to deliver smarter food safety through the use of technology and digital solutions to improve risk management, controls such as real-time monitoring of our processes, our critical processes, collaborating with the suppliers to actually make a more smooth and open, and transparent means of communicating needs and expectations about the materials and/or the products that our suppliers might be manufacturing. As well as you know more holistically just really transparency across, enabling transparency across the supply chain both up and down stream for our manufacturing processes.

As food safety professionals we need to recognise that these changes and how we collect, manage and share critical information about products and our processes and another layer of risk, this additional threat’s really associated each and every time we actually open up another door into our operation. And as such these need to be considered to ensure that we’re prepared to respond and when I think about kind of that response and being prepared, there’s no better way for us to actually do that is and through our food defence programmes.

You know GFSI’s benchmark standards provide a framework to ensure that we do this so its important that those food defence and internet management programmes that those standards require really feature broadly in what we’re doing and that we’re really thinking about it in the context of all of the layers of risk to our products and processes to ensure that we’re accessing and evaluating the risk impact on our business as well as on our products and on the consumer. And cybercrime threats are one layer of risk that I think that is sorely lacking in attention through food defence programmes holistically.

Great, thanks Kimberly. LRQA recently hosted a webinar in which you both discussed a very similar topic to what we’re talking about today. In that webinar you asked the audience some poll questions and if it’s all right I’d like to spend a bit of time looking at these questions and the audiences responses.

So the first question we asked was about the use of technology and how companies are expanding their use of technology to more effectively manage operational risk. 83% of respondents indicated that they are employing one or more of the technologies listed in their business, and 27% of respondents are using technology to manage risks or to collaborate with suppliers.

Can we talk about this and what this means in terms of cyber risks Stuart?

One of the interesting points that came up and Kimberly just touched on this, but Kimberly also helped me understand a bit more about this during the last webinar as well in the context of food safety is that increasing use of real-time controls and monitoring within the industry, so I understand that to be the use of things like sensors, cameras and other devices that are capturing data and then using that data to make decisions and to control other systems or to provide some kind of ongoing monitoring around the environment. These devices we often refer to them as internet of things or IOT devices and really these devices that are designed to do a particular function so that might be like for example a security camera or maybe a sensor. The user, so the business that owns that device, that installs that device, they will often have no control or very little control over how it actually works so they might not be able to determine how its configured or how its secured or updated and those kind of things that are really important if we’re trying to secure our systems.

Essentially, we’re talking about sealed or self-contained proprietary systems that we install on to our networks but they are effectively completely beyond our control and all we really do is we provide them with power and we provide them with some kind of network connectivity so that they can connect out to the vendors that perhaps manage them for us. There are a number of layered risks around these devices that we need to be thinking about, so there’s the reliance on the vendor to keep it up to date in the first place, to keep that device secure. Then you need to think about is their business sustainable, is the vendor sustainable, will they be around in four or five years, will they still be updating that product, will they still be supporting it and giving us the security patches we need.

And then I think about technical concerns, so that’s things like are we giving those vendors remote access to those devices, do they manage them remotely, do they monitor them remotely and if they do which is often the case, are those vendors themselves secure, is there the possibility that some kind of incident within those vendors can then impact on you as the end user of that device.

The other thing we need to think about as well with vendors having access to our networks is could that vendor be a supply chain threat, are they a steppingstone that somebody could use to attack our environment. In other words could somebody accidentally or deliberately use that vendor and then have some kind of impact on our network and our environment.

So I guess in terms of managing cyber risks it’s about having those checks in place, its having the right checks in place around the technologies we use. So you need to start that well before you actually procure these devices, systems, and applications. Part of your risk management needs to be due diligence and looking at those vendors, looking at their technologies and asking the right questions before you connect them not after you connect them. And you need to ensure that those vendors have the right controls in place and you need to think about the future as well and think about if we’re introducing real-time monitoring systems into our environment and other types of technology, we’re trying to manage the operational risk going forwards not just at this point in time, can we avoid vulnerabilities in the future and keep them up to date and secure.

The next question we asked the audience was who in their organisation is responsible for cyber risk management across their supply chain and 61% of respondents indicated that IT or Security teams are responsible for cyber risk management.

Kimberly, does this approach elevate the risk impact to food safety?

It is easy to devolve responsibility to IT or Systems when we think about kind of cyberattacks and cybercrime, you know after all they are the techies. But as food safety professionals we need to understand that also means that their focus is on mitigating risk related to system availability or system management or how the systems function. And they’re very much less likely to understand the risk impact of a cyberattack on confidential information or IP, our labels, our recipes as well as I mean accuracy of the information that’s being captured, you know that information that we use as part of our due diligence defence with regards to the safety of food.

When we think about kind of those two key areas of information and information security, you know they are directly related to product risk impact, you know they’re the things that are going to make a difference with regards to the safety of the food that we produce. That’s where we as food safety professionals come in, we are best placed in our organisations to assess and manage the risks to our products and processes and ultimately our consumers, so by taking an active role its really essential. We’re the ones with the responsibility with regards to minimising the risk to food safety and as such we need to be really clear and really understand how those systems work, understand what the true impact would be of a cyber breach and we need to be asking questions and working in collaboration with our IT and Systems teams within our business.

Thanks Kimberly. Finally we asked the audience how frequently their company tests their food defence programme specifically for cyber incident impact. Now I found this response to be quite startling, 67% of respondents said that they do not test their incident response or food defence programmes specifically for cyber.

What do we think about this omission?

What this tells me is that there’s only a minority of businesses, food businesses that is, that have considered the risk impact to products from cyberattacks. Really what that does then is it really opens up those businesses one to have really a lack of ability to actually identify an attack if it has actually occurred, and even more importantly really very little preparedness through testing of their preparedness in the event that an attack has occurred.

We talk about from a food safety management perspective the importance to actually undertake ongoing evaluation of the risks to our business and so from my perspective of a food defence programme or an incident response programme that hasn’t considered a potential area of risk allows us for a most significantly elevated risk to our business and our ability to actually take the right action to actually protect the safe production of food as well as our brand and the consumer.

Clearly the use of technology is increasing, the actual poll questions indicated that we’re still taking some very traditional thinking within the food sector about whose responsibility it is to ensure that we’re managing the risk from cyber breaches through IT and Systems people and really from a food safety professional perspective we need to be thinking more closely about how we use the tools that we have and ensuring that we are well aware of all layers of risk to the production of safe food.

And Stuart, can I ask you what would be the best practice approach here?

Sure and I think picking up on something Kimberly just talked about and I’m not saying here that our IT teams or IT folk aren’t focused on security but without defining your requirements for how we manage and protect things how can we expect the appropriate controls to be in place. The IT folk are there to manage your systems, to make sure they’re running, to make sure they’re available when we need them.

But we shouldn’t assume that those teams automatically know about the data or the criticality of those systems and the same applies really here in terms of testing response plans. I was fairly surprised at that statistic you know more generally we see our clients are perhaps more aware that they need to test plans. I see many organisations now that do have cyber related plans compared to maybe five or six years ago where the focus of plans was predominantly on technology, how to get networks online, how do we recover our email or our files.

But we know those plans rarely get followed to the letter and that they’re rarely comprehensive the first time you actually need to use them. In fact I’d say that in a cyber and IT context there will almost certainly be some fairly significant emissions from the first draft of any kind of incident response plan.

Organisations, they need to be testing those response plans and they need to be testing them regularly and they need to be thinking about technology changing all the time, so are our business processes, so are the things we rely on particularly with third parties and they are more and more something we need to think about when it comes to testing incident response plans as well.

So we would, we encourage our clients to have incident response playbooks and we ask for them to common incident types, so that’s how would we respond if this happens and this might be a ransomware attack or it might be one of our systems is taken offline by somebody malicious, or it could be some of our data has been leaked to the internet. These playbooks and the scenarios they cover what we suggest and what we recommend people do is they involve people outside of just IT and Security because people in the wider business need to be involved in how we would respond if this incident actually happened.

And it’s also really important to learn, so learn from those tests, learn from real incidents as well and learn from near misses, and when you do those tests make sure that those tests are real, they’re not paper exercises where you sit and read a policy and sign it off for the next year right, you need to conduct tabletop exercises, you need to simulate a real incident. Then you play out that scenario as though it were real and you see how would we cope, would the right people do the right things at the right time and where that goes wrong, where you find gaps, you can then learn from that and tweak and adjust those plans.

I really would highly recommend that I think was 60% something of the people that said they aren’t including cyber in their testing approach, that they do begin to do so, that they begin to work on those plans and begin to see where some of the gaps are.

Thanks for listening to The Future in Focus podcast. Please visit our home page on Spotify to listen to more episodes and stay up to date with new releases, and to find out more about LRQA services please visit www.lrqa.com.