Although the food and beverage industry isn’t the stereotypical cyberattack target, every business with an internet connection has a bullseye on its back. Imagine food rotting on production lines, grocery freezers shutting down, delivery trucks being re-routed, recipes altered, HR records flowing to a teenager’s laptop and payments landing in spoofed accounts.
Who would do that? A hobbyist hacker. A disgruntled employee. A competitor. A professional cyber thief. Anyone.
By all accounts, cyberattacks on business are on the rise. In fact, four in five security professionals say their enterprise is likely or very likely to experience a cyberattack this year, according to a study published by ISACA, Schaumburg, Ill. And, half of respondents say their organization has already experienced an increase in attacks over the previous 12 months.
But, attack frequency doesn’t always drive readiness:
- 60% of small and midsized businesses that are hacked go out of business within six months, according to an article published by Inc. magazine, New York.
- Yet, 65% of small businesses don’t bolster security after an attack, according to a survey by Hiscox, Chesapeake, Va.
- And, 62% of small and midsized businesses don’t have an active or up-to-date security strategy, according to Inc. magazine.
The food industry’s business systems are as sophisticated as anyone else’s, and processing lines are increasingly digitized and cloud-connected. Industrial control systems were designed for efficiency, not security. A serious disruption could ruin product, harm employees, sicken customers, destroy reputations and sacrifice market share.
Security is not a technology you can buy nor a project you can check off your list. Rather, it is an ongoing process, a strategy you execute every day through your employees’ and executives’ actions.
The case of the missing safe
Here’s a simple example: Consider a cold storage provider whose safe is stolen overnight, lifted through a hole in a thin roof directly above the safe, the same hole the thieves entered. No locks were busted, no alarms triggered. From these simple facts, we can assume the thieves:
- Somehow learned of a building with a safe inside.
- Discovered the precise placement of the safe.
- Avoided perimeter locks and alarms.
- Exploited a vulnerability – the flimsy roof.
- Committed the entire caper undetected.
- And, possibly had the help of an employee.
Here’s how this example informs your security strategy.
Don’t talk about your valuables. The first security failure in this story was a breach of information in which the existence of the safe and its location were disclosed. Although the vulnerability in the roof and the absence of alarm systems in the back office were oversights, the greater oversight was the owner revealing information about the safe to anyone, including employees. Security is often as much about controlling information related to assets as it is securing the assets themselves. The lesson: Restrict information about valuable assets to those who need to know.
Know thyself. In this example, what assets were worth protecting? Was it the company, the merchandise, the safe, or the cash in the safe? All of the above. The owner, however, didn’t think much beyond the doors and the cash.
Formulation of a security practice starts with knowing what to protect. Knowing what to protect starts with a comprehensive self-examination of your organization. Some assets are less obvious targets than others. The lesson: Security is not just about protecting servers and passwords; rather, it starts with a true understanding of your assets, their value to you and their potential value to thieves.
The other aspect of knowing yourself is having a good idea of which employees might be corruptible and which are likely to take the bait when phished.
Know thy enemy. The days when random hackers with generalized ill intent represented a majority of threats are long behind us. Most modern threats represent highly organized, persistent and well-funded groups that operate as for-profit businesses.
The key question to ask as an organization is, who exactly would be motivated enough to try to penetrate my systems? The answer to this question is different for each company. This is where threat modeling comes in.
Start by assessing how your current security posture matches up against potential threat groups. For example, is your organization prepared to withstand a long-term targeted attack by a nation-state? Do your employees know enough about your critical systems to be dangerous? Do you have intellectual property that might be of interest to your biggest competitor?
Score the opponent. The next step is assigning a relative motivational score to each threatening actor to determine how much effort he/she/it would be willing to spend to access one of your assets. Your attacker’s motivational level will be the strongest variable in the approach to securing any asset and level of investment. That’s why it makes little sense to evaluate IT security solutions from a technology-only perspective.
Treat security as a practice, not a fence. A strong perimeter alone isn’t an effective security posture. Evildoers will keep working to find a way in, and unaddressed internal vulnerabilities will fester. What’s needed is a consistently applied practice of protecting your assets and resisting threats over time.
One great way to practice security is to build a permanent internal security team that includes both business and technical people. Another is to regularly challenge your plan’s effectiveness by hiring third parties to assail it.
Technology-centric security solutions (like a food processor’s door locks and alarms) only address the obvious vulnerabilities. Any self-respecting attacker would likely avoid them.
Rather, a comprehensive ongoing security strategy should incorporate a 30,000-foot approach with processes to control information, identify key assets, know who wants your valuables, assign motivation levels and manage solutions accordingly. You also need to train good employees to resist clicking seductive links.
With any luck, every would-be attacker – whether ex-employee or nefarious government – will be frozen out of your business. And, everything will stay cool.