Food and beverage firms are embracing technology as they strive to extract greater efficiencies out of their processes – but at what cost?

David Goodall

The food and beverage industry must work out how to manage the increasingly complex digital risk environment as cyber attacks become more sophisticated, says the head of risk and insurance advisory firm Victual, David Goodall (pictured).

“A common misconception among food and beverage businesses that don’t consider themselves to be online organisations is that they are immune to cyber attacks,” Goodall says.

“However, most firms use IT to run their business processes, many use the internet to connect to their customers, and the growing presence of cloud services presents a changing environment.”

Goodall believes that the food and beverage industry’s large customer numbers mean its IT systems are handling a significant volume of sensitive data.

“Organisations store and analyse significant amounts of information about their processes and customers, and therefore are responsible for the protection of that data,” he says.

“There is another perception that only high-profile multinationals are at risk of a cyber attack; however, evidence shows that small- and medium-size businesses are increasingly being targeted by cyber criminals.”

According to the Trustwave 2013 Global Security Report, cyber attacks on food and beverage companies comprised almost one-quarter of all attacks in 2012, second only to attacks on retail merchants. Cyber attacks can involve unauthorised entry to systems to misappropriate assets or access sensitive information, data corruption, operational disruption, and denial-of-service attacks on websites. Attack techniques range from highly sophisticated, planned efforts to sporadic, opportunistic attacks.

Goodall says that cyber threats can result in a variety of consequences for an organisation, including operational interruption, financial loss, loss of intellectual property, legal and regulatory implications and reputational damage. He advises firms in the industry to consider how prepared they are for hacker malfeasance or identity theft resulting from lost or stolen financial or confidential information, as well as any possible e-business interruption resulting from a security failure or internet virus that shuts down the manufacturing process.

“There’s also the possibility of a cyber-extortion threat or a lawsuit stemming from a security failure or alleged technology error or omission that results in damages to customers,” he adds.

Informed judgements

To comprehend what is occurring and to make informed judgements about the probability of future dangers and their effect, Goodall says that those responsible for evaluating and overseeing digital risk need to have a firm handle on the way in which attacks occur and how these dangers are likely to evolve as the technology landscape changes.

“[Firms] likewise need to see how digital risk may influence their organisations and what they ought to do to mitigate this risk.

“This learning is especially critical if organisations are to make educated choices regarding embracing new technologies.”

Goodall suggests that the level of resources applied to mitigate the risk of a cyber attack needs to be proportional to the exposure and also relevant to the risk in other areas of the business.

“In addition to any risk assessment and mitigation activities, businesses need to make time to monitor developments in threats and technology and provide an informed view to the business about overall risks.

“Mitigating digital risk can be an expensive exercise for organisations in terms of investments and labour. Organisations need to work closely with their IT departments to prioritise which of the many options available will best mitigate risk for their organisation while supporting the ongoing needs of the business.”

When evaluating the need for risk mitigation, Goodall says an organisation should consider as a minimum the type and context of personal information transacted and retained, the level of security and encryption of sensitive data at rest and in motion, and the potential effect of an interruption to business-as-usual operations.

“Additionally, it would be prudent to review any service level agreements with any third-party service providers that may be contracted and have access to sensitive data, to ensure they have appropriate policies and procedures in place that are tested regularly for compliance,” he adds.

The insurance issue

In order to effectively manage digital risks, businesses can consider transferring some of these risks to a third party through the use of insurance.

“Many businesses may be operating under the belief that their existing insurance policies are enough to cover their digital risks,” Goodall says.

“Unfortunately, most traditional insurance policies may be inadequate to respond to the exposures of the many new areas of digital risk.

“Although insurance for cyber risks has been available for some time, it is certainly a class of insurance that is still evolving to address the full breadth of risks associated with doing business in today’s technological world.”

Goodall says that before purchasing an insurance policy, an organisation should conduct a risk assessment to determine what gaps appear in its controls and what risks need to be managed.

“Organisations should also consider cyber risk in the context of their overall risk profiles to ensure that resources are allocated in the most efficient manner,” he says.

“As we are increasingly reliant on computer systems to support the way in which we communicate and run our businesses, we need to take a systematic approach to understanding how digital risks could affect our businesses and develop appropriate risk management strategies and systems to reduce these risks without stifling the innovation, efficiency and growth that new technology can create.”