By and large, food and beverage companies invest inadequately in information security. Sure, they have their IT guy, who says everything is safe and secure. Most of the time, however, that IT guy’s area of expertise isn’t in information security, and there’s not enough money in the budget to employ someone who is.
Information security is one of the biggest risks facing food and beverage companies today—even if many don’t realize it. Here are a few of the risks as well as strategies to combat them.
Risky businessCompanies who don’t invest in information security are leaving themselves exposed to a variety of threats:
- Customer/employee/supplier data vulnerability.
In many cases, companies have legal obligations to the affected parties if it appears they’ve been negligent in protecting that data, whether social security numbers, bank account numbers, or other sensitive data.
- Intellectual property vulnerability.
Cyber espionage is one of the top security threats facing food and beverage companies. Recipes can be stolen, and competitive pricing can be obtained. In the M&A world, it’s common for competitors—especially those based internationally—to hire a hacker to “research” competitors. An individual will access competitor systems, take a look around, and get an understanding of what’s best-in-class to determine if they’re making the right investment.
- System compromise.
Many companies don’t have the technological capabilities to even identify when they’re being hacked. In those circumstances when it becomes obvious a hack has occurred (a denial of service attack on a webpage has occurred or the operating systems have been disabled), there’s no incident response program in place to help them respond to these issues. Recovering from a cyberattack can take companies weeks; sometimes, the resulting impact plagues companies for months, even years.
And then there’s the cloud.
Cloudy with a chance of turmoil
The cloud can be great for companies that don’t want the burden managing its IT function. It can also be very, very bad.
Why? Because you’re transferring risk. You’re putting your customers, trade secrets and business in the hands of a third party. It’s critical to really assess the information you’re putting in the cloud; for example, do you really want proprietary or client information there? Just because client information is stored with a third party, that doesn’t mean it’s no longer your responsibility. If you’re going to use the cloud, it’s critical to look closely at service-level agreements and contracts. If there’s a breach, how and how quickly will it be reported? (Often times these agreements don’t include this information, which means the cloud provider is under no obligation to report breaches to its customers.) What’s the provider’s obligations for up time? (If they guarantee up time of 99 percent, for example, that could still mean you’ll be facing downtime on a monthly basis.) What kind of security controls are in place, and who is liable if there’s a breach? (100 percent of the time, it’s still you.)
Where to start
It starts with a cultural shift—thinking about information security as a business issue, not an IT issue, and becoming more security focused. This will be a major undertaking for many food and beverage companies who continue to believe, “It won’t happen to me,” or, “My IT guy told me we are safe.”
The fact that it hasn’t happened yet is great—all the reason to make the appropriate investments now before security does become a problem.
Here are a few tips:
- Ensure networks are properly segregated to protect sensitive or critical areas of the company. Most companies have a two-tiered network: external and internal. In best-in-class organizations, those networks are further segregated to ensure only individuals who need access to particular information is granted it.
- Conduct user awareness training. Your people are your greatest asset, but when it comes to information security, they’re also your weakest link. Hackers typically access organizations through their people. If your staff are unaware of their responsibilities around protecting your company and its confidential information, they will make mistakes more frequently than if they’ve been trained.
- Learn what your company is doing—and may still need to do—to assess the real risks and protect your invaluable information assets. Consider how you assess your people, processes, and technologies related to information security.
It can happen to you
According to the Ponemon Institute, which conducts independent research on privacy, data protection, and information security policy, 43 percent of companies experienced some type of breach in 2014. 43 percent! And that number is only increasing.
We know budgets are lean, but information security is critically important to the future success of your company.