Risk Management Series 4: Information Security

Digitization is transforming the food industry.

The rewards are obvious – technological leaps in the design, development, production, sale and distribution of food products globally. But with digital transformation we are seeing an explosion in the volume of data – and a corresponding increase in information security risks.

One threat above all others is setting alarm bells ringing for food industry leaders: fear of increased exposure to cyberattack. It is not hard to see why.

Serious recent cases include a ransomware attack on a global fruit and vegetable producer; a cybersecurity breach at a Canada-based meat processor; and a cyberattack on a Germany-based frozen-food supplier, to list just a few of those that have been reported publicly.

Many other breaches are never disclosed, with cybersecurity specialist Malwarebytes estimating that cyberattacks against the food and agriculture sector increased by over 600% in 2020 alone.

In the US, the FBI has repeatedly warned the food and agriculture sector about the risk of ransomware attacks that could result in the theft of proprietary information, as well as operational disruption leading to financial losses and even food shortages.

“Multiple agricultural cooperatives have been impacted by a variety of ransomware variants.”

The FBI raised a particular concern about the risk of attacks during the critical planting and harvesting seasons, when agricultural cooperatives may be more vulnerable to ransom demands.

“The director of a major food business recently told me the main issue they’re facing just now is not food safety risk – it’s cybersecurity!”

A broader worry is that some food businesses may be holding back from implementing the latest digital solutions in case they compromise the security of their own and their customers’ data or the value of their intellectual property – even though such investment is vital for them to compete in global markets.

Organizations feel seriously challenged by the scale of today’s information security threats.

“There is just so much data out there, not just generated by food businesses themselves, but also from their supply chains, industry bodies, local authorities, government surveillance and other sources. The risk director told me: ‘Our first challenge is how to select the relevant data and use it effectively. But an equally critical one is how we protect it’.”

“There’s no going back to a world before digital information. Food businesses depend on data that they generate internally, receive externally, and store for the short or long term. With new information generated continually, the key to cybersecurity is to stay in control of data storage, access security and management processes.”

There are constructive ways forward, including more thorough horizon scanning and adoption of key internationally recognized standards such as ISO/IEC 27001 and SOC 2 (common in North America).

By helping food businesses manage and protect their information assets, adopting the standard will inspire trust in them from consumers and help build organizational resilience. The latest version, ISO/IEC 27001:2022 has been updated to explicitly include cybersecurity and privacy protection, reflecting their integral role in effective modern management of information security.

“At NSF, we maintain certification to ISO/IEC 27001 to demonstrate our commitment to robust information security management. It guides us on new processes, improves employee training procedures, and eases legislative compliance.”

“There is a tendency for organizations to operate in silos, with their own information security initiatives, data sets, technologies and tools. We need to talk and get some data harmonization standards in place that everybody adheres to. With greater interoperability and sharing of data we can all gain a lot more visibility of risks and the power to act against them.”

“I talk to so many businesses who still use paper and spreadsheets to manage their complex information – and the risk of that is huge. But when looking for a digital solution, the data security question comes in. By looking for a solution that has robust information security, they’ll build trust that data is safe in their hands. A digital solution can help businesses to lower risks by streamlining compliance management – managing compliance requirements across multiple locations and regulatory frameworks. It could automate tracking and reporting of compliance activities, provide real-time visibility and performance metrics, and enable collaboration and communication between stakeholders.”

Wider, pan-industry collaboration is an important route to defusing information security threats – not to mention other food safety challenges.

Implementing a cloud-based, ISO 27001-compliant software solution, “has brought us up to date in an increasingly data-driven world. It is boosting our quality performance and underscores our commitment to food safety. It’s strengthening our supplier management and making us more resilient.”

• The more we embrace technology in the food and drink industry, the more we need to protect ourselves from inadvertent or deliberate harm.
• There are plenty of solutions and providers who can offer robust technical advice on protecting systems, data and people from harm – from disaster recovery plans to off-site data back-up. Using frameworks like ISO 27001 can offer assurance that all the right practices are in place – but equally as important is the training of anyone who has access to the system.
• Cybersecurity often isn’t about being threatened by career hackers – a business is just as likely to be compromised by a phishing attack or an employee being tailgated – so continued education and engagement is critical.
• With so many software solutions and providers out there, the most important consideration is finding – and working with – other businesses that you trust.

• Catherine François, Global Director, NSF Food Consulting
• Colin Rose, Director, NSF TraQtion® Software Solutions
• Philip Quinn, Senior Director of Quality Assurance, Papa Johns International