Hardly does a day go past without hackers making the headlines. How vulnerable are food and drink firms?
With one foul click cyber criminals can wipe £100m off your balance sheet.
Don’t believe it? Ask Reckitt Benckiser. Production was paralysed at the fmcg giant in June as the ‘Petya’ cyber bug wormed its way into systems. Disrupting deliveries and temporarily shutting down factories, the attack erased an estimated 2% of sales - around £110m - and left CEO Rakesh Kapoor reeling.
The Dettol and Durex manufacturer wasn’t alone. Trashing around 2,000 PCs in its first wave, the virus spread to at least 65 countries, crippling small businesses and dealing a hefty blow to some of the biggest, with production at Mondelez factories also brought to a halt and hubs at global shipping giants AP Moller-Maersk left in chaos. Only a month beforehand, top government experts at GCHQ had briefed Defra and the BRC on the threat of such sweeping cyber attacks, amid fears industry could be engulfed in the unravelling WannaCry software scandal, which left systems down across the NHS and an estimated 300,000 computers affected worldwide.
“If the CIA can be hacked, if the White House can be hacked and the Democrats, then everyone can be,” points out Eoghan Daly, manager of forensic and counter fraud services at Crowe Clark Whitehill LLP. And that should be of concern to food and drink firms of all sizes.
Five fmcg firms to fall foul of the hackers
In June systems at the fmcg manufacturer Reckitt Benckiser were temporarily crippled by the Petya bug. The malware, which encrypts important documents and then demands a ransom, had disrupted its “ability to manufacture and distribute products to customers in multiple markets” said the firm, shaving an estimated 2% off its next year sales - the equivalent of £110m.
In 2013 a cyber attack on US discounter Target proved catastrophic. Millions of shoppers saw credit cards stolen following the data breach, with the immediate cost to the retailer a little over £104m (a figure that would’ve been higher had it not been for insurance payouts). But the saga didn’t truly draw to a close until May this year when the firm was told to pay 47 US states an extra $18.5m in compensation.
More than three years after disgruntled employee Andrew Skelton leaked staff details to the media, Morrisons is still feeling the effects of the insider attack. In 2016 nearly 6,000 staff signed up to a class action lawsuit against the supermarket, a move it said it would “vigorously contest”. Skelton was jailed for eight years.
The “unprecedented” attack on Tesco’s banking arm in November 2016 resulted in a loss of £2.5m from 9,000 customer accounts. The supermarket quickly apologised and restored accounts within 72 hours, while a criminal inquiry was launched by the National Crime Agency. Tesco says it “continues to work closely with the authorities and regulators”.
In October Amazon was one of many major online players, including Twitter, Reddit and Spotify, to fall victim to what appeared to be an organised worldwide hacker attack. The co-ordinated DoS (denial of service) attack, which knocks sites offline by flooding them with junk data, left the retailer’s website temporarily unreachable. Highly sophisticated, the attack involved “tens of millions of IP addresses” said the retailer.
In the last 12 months alone nearly half (46%) of all UK businesses suffered at least one cyber security breach, according to an Ipsos Mori report published in April, rising to two-thirds among SMEs and large companies. Though the report doesn’t break this down by sector, the vulnerabilities for food and drink arguably put them at more risk than most.
Supermarkets holding on to reams of personal and financial data on both their staff and customers are one obvious target. Back in 2013, US retailer Target suffered just such an attack when hackers stole the names and credit card numbers of tens of millions of its shoppers. The security breach saw CEO Gregg Steinhafel resign and the firm fined $18.5m by US law enforcement in a protracted legal battle only resolved in May. And though a similar breach of staff data at Morrisons in 2014 came from a rogue employee rather than any criminal hacker, it too demonstrated the dangers of storing sensitive data on poorly controlled systems.
In the hyper-competitive grocery market, it could even be unscrupulous rivals that hire criminal hackers to find and steal this commercially sensitive information, adds Daly. “We’ve seen examples of people offering services to hack on the dark web. For food and drink, they could be after intellectual property, or financial contract information agreed with customers. Supply chain competitors would very much like to know the payment terms or the price that’s been agreed so when the bid comes up they can undermine that.”
‘Hacktivists’ - hackers driven by ideology rather than cash - are also a threat. “They’re looking for ways to have a go at companies they object to,” says Andrew Rogoyski, vice president of cyber security services at CGI. This could be aimed at controversial food companies “such as those at the forefront of GM or meat production who are targeted by animal rights organisations. They’re finding it easier to hack in and do damage, whether it’s defacing a website or disrupting production lines. It’s much more politically effective than standing outside an HQ with a placard.”
Then there are the entirely untargeted ransomware attacks that could infect any system, across any sector, with gaping security holes - as Reckitt Benckiser discovered to its peril when the Petya bug reportedly wormed its way into systems via an old version of Microsoft Windows. “This can be via emails that encourage people to click on links and download attachments that infect people with malware,” says Dr Jessica Barker, founder of cyber security consultancy Redacted Firm, “or with a worm, a malicious piece of code, which spreads by itself over the internet and takes advantage of vulnerabilities in systems.” That was the case with the WannaCry malware that caused chaos at the NHS. “The attack went out and took advantage of a particular vulnerability and any organisation with that open was susceptible. The NHS was caught up in it because they didn’t have up-to-date systems.”
In other words “hackers will be looking for low hanging fruit” anywhere across the internet.
And if they find it, the impact can be devastating. “It wouldn’t be out of the question to think that recipes or formulas could be tampered with, damage could be inflicted to manufacturing facilities to create a goods shortage, or products spoiled that are in transit through cyber attacks on logistics systems,” says Ryan Wilk, VP of customer access at NuData Security. “Trade secrets could be stolen, and financial attacks could be implemented, enrolling false employees in HR systems in order to commit mass fraud.”
With supermarkets working as “state-of-the-art just in time machines”, any disruption “could leave shops empty and shelves bare within a couple of days” warns Rogoyski.
All of which could lead to significant brand damage and a blow to profitability to the tune of hundreds of millions of pounds. A study published in April by CGI and Oxford Economics revealed public companies stood to see 1.8% shaved off their share price after a severe cyber breach, the equivalent of £120m for the average FTSE 100 firm, with a £50bn impact across the whole sample. “And that’s only 300 of the hundreds of breaches happening every week,” says Rogoyski. “It indicates markets are becoming much more sensitised to cyber attacks and the impact it has on the future performance of a company.”
With the arrival of the General Data Protection Regulation (GDPR) imminent (see box) and set to lay bare the full scale of cyber attacks suffered by the industry, with its requirement to report a breach within 72 hours, he sees the average hit to a share price rising to 4% or 5% in the next couple of years too. “That’s a really serious number that will occupy boards.”
Yet though “you consistently find right across the economy that cyber is top of every corporate risk list, it’s not top of the investment list,” he adds.
Cyber security carelessness will cost big
From May 2018 companies with poor cyber security could be fined up to £18m for allowing hackers access to customer data. The General Data Protection Regulation (GDPR), which will replace the 1998 Data Protection Act, hands bigger penalty powers to the Information Commissioner to clamp down on avoidable cyber breaches.
Under existing laws the ICO is limited to fines of £500,000 where firms are found to have violated strict data protection laws but from next year this will leap to a maximum of 4% of turnover, or £18m - whichever is the higher. These could be handed down where a company fails to meet minimum cyber security requirements and suffers a breach.
The regulation also requires companies to report a cyber attack within 72 hours or find a good reason for the delay. Currently “the vast majority of companies don’t declare a breach but that visibility will grow enormously over the next three years” with this regulation, says CGI’s Andrew Rogoyski.
Even more concerning is that Ipsos Mori research found businesses in the food and hospitality sector are less likely than any other to have sought guidance on cyber security threats, with only 39% doing so compared with a 58% average across business. And only 15% of senior managers working in food and drink rated cyber security as a high priority for the business, while the sector invested the least in upping its cyber defences too. Of nearly 100 food firms asked, the average annual investment was just £620, compared with £20k among IT firms, £4k in the entertainment industry and £1,800 in social care.
Decent protection needn’t break the bank. Simple safeguards like “making sure systems and devices are up to date, that software is patched and networks are segregated so attacks can’t spread across” can all go a long way, says Barker.
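Barker’s two safeguards, patching and network segregation, are easy to state but their effect is easiest to see as a blast-radius calculation: a self-spreading worm of the WannaCry or Petya kind needs both a network path to a machine and an unpatched hole on it. The script below is an added example written for this article, not code from the firms or experts quoted; the host inventory, segment names and allow rules are constructed, and the model deliberately ignores credential theft and other spread routes so that only the two controls under discussion vary.

```python
from collections import deque

# Constructed inventory for illustration: host -> (network segment, patched?)
# "patched" means the worm's exploit no longer works against that host.
HOSTS = {
    "hq-fileserver": ("office", True),
    "hq-laptop-01": ("office", False),
    "plc-line-1": ("factory", False),
    "plc-line-2": ("factory", False),
    "wms-server": ("logistics", False),
}

# Segment-level allow rules: which segments a host in a given segment can
# open connections into. A flat network allows everything to talk to everything.
FLAT_NETWORK = {
    "office": {"office", "factory", "logistics"},
    "factory": {"office", "factory", "logistics"},
    "logistics": {"office", "factory", "logistics"},
}

# A segregated network only allows traffic within each segment (hypothetical
# firewall policy; real designs usually add a few explicit cross-segment rules).
SEGREGATED_NETWORK = {
    "office": {"office"},
    "factory": {"factory"},
    "logistics": {"logistics"},
}


def unpatched_hosts(hosts):
    """Hosts still exposed to the exploit, i.e. the patching to-do list."""
    return sorted(name for name, (_, patched) in hosts.items() if not patched)


def worm_blast_radius(hosts, allow_rules, patient_zero):
    """Return the set of hosts a self-propagating worm could reach from
    patient_zero. Spread from A to B requires both a permitted path from
    A's segment into B's segment and B being unpatched. Breadth-first search
    over the inventory, so already-infected hosts are not revisited."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        src_segment = hosts[src][0]
        reachable_segments = allow_rules.get(src_segment, set())
        for dst, (dst_segment, patched) in hosts.items():
            if dst in infected or patched:
                continue
            if dst_segment in reachable_segments:
                infected.add(dst)
                queue.append(dst)
    return infected


def patch_everything(hosts):
    """Inventory with every host marked patched, for the 'what if' comparison."""
    return {name: (segment, True) for name, (segment, _) in hosts.items()}


if __name__ == "__main__":
    # One infected office laptop, e.g. from a phishing attachment.
    start = "hq-laptop-01"
    print("Unpatched hosts:", unpatched_hosts(HOSTS))
    print("Flat network, unpatched:", sorted(worm_blast_radius(HOSTS, FLAT_NETWORK, start)))
    print("Segregated, unpatched:  ", sorted(worm_blast_radius(HOSTS, SEGREGATED_NETWORK, start)))
    print("Flat network, patched:  ", sorted(worm_blast_radius(patch_everything(HOSTS), FLAT_NETWORK, start)))
```

On the flat network the one unpatched laptop lets the worm walk straight into both production-line controllers and the warehouse system; with the same hosts behind per-segment firewall rules it stays confined to the office, and with everything patched it goes nowhere even on the flat network. Either control alone contains the example; the point of doing both is that a missed patch or a mistaken firewall rule no longer means the factory stops.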
The government’s basic Cyber Essentials kit, which requires companies to meet five rudimentary security criteria, including proper use of firewalls and ensuring log-in systems are safe, costs as little as £300. “Being Cyber Essentials compliant will protect you from 90% of cyber crime issues,” says Daly. “The margin of that last 10% is where it can get expensive.”
Within that margin, companies might consider turning to ethical hackers - hackers with the same skills as the criminals, but far more philanthropic intentions - via setting up a ‘bug bounty’ program. “Companies want to find security holes before a malicious attacker exploits them,” says Michiel Prins, co-founder of HackerOne, which helps manage these bounties. “Establishing a bug bounty program enables them to publicly or privately engage a community of ethical hackers who share the same skills set as the bad guys they’re trying to keep out. Friendly, ethical hackers vastly outnumber cyber criminals. This greatly increases the chance that a friendly hacker reports a vulnerability, so a company can fix it before any cyber criminal can take advantage of it.”
Around three quarters of companies that offer rewards to ethical hackers to point out their vulnerabilities have at least one flagged up within the first 24 hours, he adds. Of the 800 global companies HackerOne has worked with, so far he estimates it has fixed more than 50,000 security holes. It has been paid handsomely too, though, reaping around £15m, or an average of £18k per company.
As well as “building up walls”, companies should also be looking at improving their “resilience” if and when an attack does occur, advises Daly. “In the best case scenario, they’d have a team ready quickly, with access to advice from external expertise, including IT, data protection and people with comms expertise, as a lot of the time the PR damage can be more significant than the impact of the attack itself. You’d have these experts in place to deploy quickly so you don’t lose a week negotiating fees and getting contracts in place. Then you can respond immediately to contain the issue.”
Ultimately each firm needs to take a balanced view on what to invest, says Rogoyski. Understand “what is the likelihood of someone attacking you and then look at your own IT infrastructure and take a view on how well maintained it is. Then balance that against corporate risk appetite.”
The trouble is “you only find out if you’ve spent too little. If it all goes well nothing happens, and so people kid themselves they’re OK until they’re not.”
The fact is anyone with a computer and an internet connection should be aware. Cyber security might sound like a topic better suited to the tech geeks of Silicon Valley, but companies that bury their heads in the sand only leave themselves as easier pickings for the growing army of hackers looking for a way in.