Unpacking cybersecurity issues in the food and beverage sector

By Christopher Petch

With digitization and systems integration becoming commonplace in the industry, cybersecurity is a threat that Canadian food and beverage companies must understand and address. From data theft to product tampering and operational disruptions, companies need to understand the full breadth of cybersecurity risks and take action to protect their data, products and operational processes.

The evolving cybersecurity threat

When food and beverage companies address cybersecurity, they typically focus on protecting systems containing sensitive data. But what many don’t understand is that professional hackers know indirect ways to breach secure systems — for example, by conducting targeted phishing scams aimed at senior executives. Many headline-grabbing cybersecurity incidents were a result of hackers infiltrating the systems of third party contractors or suppliers, such as point-of-sale software providers, and then accessing the high-profile “end goal” company through system linkages.

And some hackers today aren’t after sensitive information at all. Cyber-activists who may disagree with a company’s product might use hacking to attack a company’s reputation, disrupt its operations or maliciously modify automated processes. Such cyber-terrorism can be extremely damaging in the food and beverage industry, where tampering can increase food safety risks exponentially.

Whether cybersecurity breaches are focused on data or operations, they can lead to serious consequences for a company, such as severe legal or regulatory ramifications, particularly if human health has been jeopardized.

A holistic approach to managing cybersecurity

To protect against major cybersecurity threats, food and beverage companies should think holistically about cybersecurity rather than focusing solely on individual systems with high-value data. As a starting point, companies should consider the following key activities.

Design a risk-based cybersecurity strategy that’s aligned with business objectives and that prioritizes the protection of your most important information and operational assets. After all, cybersecurity doesn’t just apply to IT and other head office software — it also includes the technology and data that run manufacturing, processing and other operational equipment. Companies should regularly review and update this cybersecurity “defence in depth” strategy to account for new and evolving risks.

Develop and implement the appropriate cybersecurity infrastructure to protect your organization. You’ll need to work with software vendors and service providers to make sure your environment is protected, monitored and ready to respond to breaches. Keep in mind that if you have network connections with your supply chain, they’re also a potential point of entry by hackers to your organization.

Understand potential exposure by engaging “white hat” cybersecurity consultants to hack your organization. The resulting analysis can be very effective for getting board members and executives to understand the extent of cybersecurity risks, while also identifying cybersecurity issues that should be addressed.

Develop an incident response plan that identifies exactly how — and when — your organization will respond to an issue. This plan should include key roles and responsibilities, stakeholder engagement and how to address regulatory or safety concerns. It should also identify the point at which an incident turns into a crisis. Organizations usually want to inform their customers of an incident before they see it in the media.

Consider purchasing cybersecurity-specific insurance to protect against the ramifications of any major breaches.

Be prepared, be ready

Managing cybersecurity is about more than protecting your company’s most valuable data. It’s also about protectingbusiness operations from being disruptedby a cyber attack. By understanding the risks and developing a strong cybersecurity strategy, food and beverage companies can better protect themselves and be ready for any cybersecurity issues they might face.

Christopher Petch is a director in PwC’s Cybersecurity and Privacy practice. Contact him at christopher.petch@pwc.com. To learn more about negotiating the cybersecurity and privacy landscape, visit www.pwc.com/gsiss for the results of PwC’s Global State of Information Security Survey.