For official information on the COVID-19 outbreak in South Africa, go to www.sacoronavirus.co.za

Information Security in the food industry is best served well done

By Carel Krogh on 18 September 2016

With so many advances in the food industry being driven by costly innovation and development, it is no secret that information has become more critical to the survival of a business than ever before. 

No longer can business afford to ignore the impact of a cyber-security incident, can have on the bottom line. Allianz, a global insurance company, rates cyber incidents as their 3rd most prevalent business risk. The measurement was done across 800 risk experts from 40+ countries around the globe. It is clear that this is not just an issue for financial institutions and big business, but something all business owners should be cognisant of. So what are you doing about it? This article points you in the right direction.

Data Breaching - not just in movies

The annual Verizon Data Breach Investigations Report pegs 89 % of breaches against either a financial or espionage motive.  Many threat actors in the Internet underground are expanding into previous untouched environments such as the hospitality and manufacturing sectors to generate income by selling trade secrets and confidential information. Furthermore, the NTT Security 2016 Global Threat Intelligence report analysed 6.2 Billion attacks and found the retail sector experienced the most attacks per client of any industry sector, followed by the hospitality, leisure and entertainment sectors. This is quite significant a shift from the historical financial institutions, and should be a huge wake up call for everyone in and around hospitality and manufacturing. Normally, these basic controls would not involve highly technical solutions, but can be as simple as the manner in which the data is handled, transferred accessed and stored.  The level to which information security is implemented will depend on its value in relation to the business, thus the need for a risk assessment.  The three basic areas, confidentiality, integrity and availability, also known as the CIA triad, need to be at the core of the information risk assessment. Complexity and scope prevents an in depth assessment within the constraints of this article, but to highlight the areas, examples of burning issues will be highlighted.  

Availability

Business critical information needs to be consumed in order to support the business in achieving its objectives. Availability is key. A significant risk to the industry at the moment is Ransomware. Ransomware is a type of malware that can systematically encrypt files on a hard drive that typically cannot be unlocked. By restricting access to an infected computer or mobile system, the attacker has the ability to demand that the user pay them a ransom in order to remove the encryption restricting the victim’s access to their files and data. Unfortunately, paying of the ransom is no guarantee that the files will be decrypted due to the anonymity of the attacker. During the last two years, the U.S. Federal Bureau of Investigation (FBI) processed about 4,200 ransomware complaints and estimated victims lost more than $47 million. According to the Kaspersky Lab Q1 2016 malware report 345,900 ransomware attacks were detected in the first quarter of 2016, a 30% increase of attacked users compared to the fourth quarter of 2015.

 

Basic mitigation against the threat can be summed up in the following 4 steps

1. Back Up

The best defence against ransomware is backing up of important data on a daily basis, so even if your computers and servers get locked, you can still recover from backups.

2. Just Say NO to suspicious Emails and Links

Attackers try to infect victims by spamming them with emails that carry a malicious attachments or instruct the victim to click on a URL where malware surreptitiously crawls into their machine.

3. Patch or Update your software

A formalised patch management plan should be implemented to ensure the patching of software security holes to prevent malicious software from exploiting vulnerabilities to infect systems.

4. Got an Infection? Disconnect

The encryption of data is a time consuming process, and by disconnecting from WiFi or unplugging from the network immediately might be an effective way to stop the process before it succeeds in scrambling your data.

Integrity

With an expected 40% increase in threats posed by integrity of systems and Data, this area should be another key focal point in terms of information security.  Information is normally managed through third party software and application providers, and it is absolutely critical to evaluate and question the providers around their controls to ensure that the integrity of the data stays intact.  This can be done through a formal attestation by the provider that their development was done in line with accepted security legislation.

Confidentiality

At the core of most businesses is intellectual property. Be it, patents, copyright, designs and trademarks, IP should be vehemently protected. Confidentiality does not necessarily mean complete non-disclosure, but more rules around the way information will be disclosed. An information security based information classification should position the business perfectly to allocate rules of engagement around the different types of information.

Conclusion

All information should be classified in order to identify where the keys of the kingdom are located and how it is protected. This can be anything from R&D type data, customer procurement info, recipes and ingredients and various other forms of intellectual property. Appropriate mechanism should then be employed to protect the data. Without knowledge of where your efforts should be directed, you cannot reasonably expect to reduce your information risk footprint. This should be the departure point in addressing information risks to ensure resources are spent against the appropriate risks.

 

So what is your data policy?

Do you have a policy on emails and external hard drives?

What about back ups?

 

Sources:

https://www.controlrisks.com

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

http://www.agcs.allianz.com/assets/PDFs/Reports/AllianzRiskBarometer2016.pdf

https://usblog.kaspersky.com/usa/files/2016/05/Ransomware-Report-Final.pdf