With ransomware attacks and data leaks constantly in the news cycle, many business owners are increasingly concerned with keepingtheir information and systems safe. While almost everyone knows not to click links in strange emails, there are other gaps in security that may be less obvious. Morgan Stokes explains the organisational and employee training solutions that FMCG businesses can use to safeguard their systems, from the CEO’s office to the shop-floor.
In 2021, it’s almost impossible to ignore the threat of cybersecurity breaches. May’s high-profile HSE ransomware attack is still in the news, as the organisation scrambles to catch up in the wake of the event. Closer to home for the FMCG industry, high-profile American food producers, including meat producing giant JBS, have reported breaches of their own.
It can be hard to see past the hysteria and the jargon in the news cycle. But SMEs in particular have cause for concern – they have more money than ordinary people, and generally less security than larger corporations. And according to Richard Werren, Regional Director of Food & Retail Supply Chain at the British Standards Institute, poor cybersecurity could hit suppliers’ pockets without even a hint of a breach.
“Major retailers are now focusing on cybersecurity as a dealbreaker,” he said, speaking at the first of a series of BSI seminars on cybersecurity in the food industry in August.
Kristin Demoranville, BSI’s Head of Cybersecurity for the Americas and keynote speaker at the event, pointed out that these companies have learned from experience. “Most hacks don’t happen through a major corporation,” she explains. “They happen through third parties.”
So how can the sector improve? DeMoranville believes that business needs to focus on both technical knowledge and better understanding of how employees operate. “I think a lot of times we tend to blast off before we have a look at the [work] environment,” she says. “The people you want to talk to are the ones closest to the product.”
The human element – cybercrime and emotional manipulation
While it’s true that cybercriminals are becoming increasingly sophisticated, it’s believed that most breaches still occur as a result of simple human error.
Perhaps the best known example is the ‘phishing’ email. It’s tempting to believe that everybody is security-savvy enough not to open strange links in emails from unknown senders, but this might not necessarily be the case. ‘Phishing’ emails can look extremely convincing, often with
only a slight change in address from a legitimate company email; easy for even a generally cautious employee to miss if they’re busy or overworked. They may also contain data about the organisation or employee, such as references to roles, projects or colleagues, which is often easily obtained from company websites or social media.
Cybercriminals are adept at playing on the emotions of users. Most of us will be familiar with stories of scam calls telling bank customers that they are locked out of their accounts, taking advantage of panic to trick victims into giving up sensitive information.
In late May, an article on thejournal.ie confirmed that the HSE ransomware attack began on a single computer, when an employee struggling to access a file clicked on a link they believed would lead them to an IT messaging service. The hacker was counting on the employee being frustrated enough to forget or bypass IT security protocols.
There are also simple, less intuitive errors made by employees. Some third party websites that store client data, such as mass email client Mailchimp, use security questions when somebody tries to access the site from an unknown computer. If an employee uses personal answers, such as a mother’s maiden name or the first street they grew up on, a hacker may be able to get this information from social media; you may have seen viral memes on social media, asking users to comment with these details to get their ‘stripper name’, for example.
The importance of password management
The importance of using strong passwords might seem obvious, but the reality is that most people just can’t remember dozens of separate, long passwords. Some companies remain extremely lax - DeMoranville recalls making site visits to find admin passwords taped to monitors.
One simple, company-wide and well-known password might seem like a terrible idea, but asking employees to choose their own passwords has pitfalls.
Many people re-use their passwords or use one password for all their online accounts – if an employee uses their work password to access personal accounts, company data might be at risk if those websites are hacked.
Security on the shop floor – investigating the Internet of Things
IT security is generally associated with offices, but in 2021, the internet has made its way into the store itself. Any device that has an internet connection is at risk of being compromised, and for the independent grocer, that might include security cameras, stock taking or scanning devices, and even some card readers.
‘The Internet of Things’ (IoT) is the term used for everyday objects that connect to the internet, which span everything from medical sensors that send data from pacemakers to doctors to WiFi-controlled kettles, which boil when you press a button on your phone.
An independent store owner may set up a CCTV system that relies on a camera sending data over the internet to a computer monitor – often cheaper and easier to operate than traditional systems. However, these devices are notoriously insecure. They usually come with a default password that isn’t
easy for a user to change, since there’s no screen or interface, so many don’t. In 2016, using default passwords taken from
manufacturers, hackers accessed thousands of these devices to create the ‘Mirai Botnet’, and used their internet addresses to send enough traffic to websites to overwhelm and disable them. And while security has moved on since 2016, older or cheaper devices may be vulnerable to attack.
Having your shop’s CCTV used to co-ordinate a massive cyberterrorist attack on the web itself isn’t exactly a pleasant thought, but if these devices are compromised, there can be more immediate consequences. They can be an entry port into your entire WiFi network, an easy way to introduce viruses that spread from cameras to computers.
This is particularly relevant to manufacturers, suppliers and logistics companies, who often rely on IoT connected sensors and equipment. It can also work the other way around; if someone gains access to your WiFi network, they may be able to shut off your devices. Richard Warren tells a cautionary tale about a teenager who gained access to the WiFi network of a neighbouring food processing plant. Armed with just the WiFi password, “this 15-year-old youth shut down the entire production line”.
DeMoranville advises avoiding using these devices unless necessary. Acknowledging that they can be essential, useful, or timesaving, however, she advises: “Ask yourself, does it really need to be connected to the internet?”
How can you keep your business safe?
All that may sound alarming, but there are steps you can take to keep your networks secure.
Lock down your IoT:
Most routers have an option to set up a separate network; if you can get someone to connect any IoT devices you are using to this network, you can keep them away from where sensitive information is stored. Always change the password; get assistance to do so if you need it. You may also want to ask an IT person to manually check for security updates every couple of months.
If you are an independent supplier or manufacturer heavily reliant on sensors, this can be more difficult; hard questions need to be asked about how the device’s security has been tested. In 2018, ISO developed the ISO/IEC 30141 for IoT devices; this should be the bare minimum claim your supplier makes about security.
Think hard about how and who you train:
Any breach that happens in entry-level admin. or at a factory technician level can spread easily to the top of the organisation. Thought needs to be given to the actual working conditions of employees on the ground; DeMoranville cites the example of a company who decided to introduce fingerprint scanners on the factory floor, completely forgetting that employees were forbidden to remove their gloves.
Training should be easy to understand; in the May 2021 issue of Retail News, we wrote about how the overall digital skills level of Ireland’s workforce is lower than some might suppose, with 42% of the Irish population describing their digital skills as below average. Too much jargon might cause an employee to switch off, but too little detail could make it hard for them to care.
Be careful who you work with:
You might be entirely satisfied with how your organisation handles security, but you still need to make sure that your partners aren’t playing fast and loose with your data. Warren points out that the weakest link is often heavily IoT-reliant logistics and distribution companies. If you outsource your IT,
you’ll need to thoroughly research the company’s background to make sure they are reliable.
Protect your passwords:
Change passwords frequently and if employees are setting their own, ask them to use a unique one. Some companies are moving away from passwords altogether and using methods such as codes sent to their employees phone’s instead.
Hire a professional:
There’s no substitute for expert advice, and there are many companies who provide training, site testing and software solutions.