Reducing Cyber and Data Security Risks for Food and Beverage Manufacturers

Posted on: June 9, 2021 | By: Guy Logan | QAD Manufacturing, QAD Business Process, QAD Distribution

The hard truth is that a cyber and/or data security event can happen to any food and beverage manufacturer. However, there are practices and tools that can allow companies to reduce their cyber and data security risks. This article will discuss some of these safeguards. We’ll discuss the potential consequences that cybersecurity events can have for food and beverage manufacturers, solutions to prevent possible security breaches, and we’ll cover some different forms of high-profile data and how to protect it, including some options that are available to QAD users.

Cyber and Data Security Breaches – What’s the Cost to Food and Beverage Manufacturers?

Most organizations don’t think they are vulnerable to cyber and data security attacks—until they are hit with one. A 2019 IBM report (registration required) estimated that a typical company has a 29.6% chance of experiencing a system breach in the next 24 months. In 2020, IBM also reported (registration required) that “the average cost per lost or stolen record was $146 across all data breaches.” This same report found the average cost of a data breach to be $3.86 million, with the average cost being $8.64 million for breaches in the United States.

All this is to say that breaches can be extremely expensive. But where is all this cost coming from? Food and beverage companies should note that the total cost of a data breach can be the sum of many different components, such as:

US or EU Federal fines
State and local agency fines
Outside technology, vendor, and legal counsel expenses
Class action lawsuits
Internal disruptions associated with recovery (for example, data forensics on a ½ terabyte server can be approximately $60,000)
Stock de-valuation for public companies
Cyber insurance increase.

With all this in mind, we see the potential costs associated with failing to invest in the appropriate safeguards against cyber and data security risks. Now let’s look at some these safeguards.

Preventing Possible Security Breaches

We hear time and time again that human error is one of the most frequent causes of security breaches. Let’s look at some solutions to this problem that require minimal investment of time or funds.

Security Awareness Training

This training provides formal cybersecurity education to an organization, covering different security threats and the company’s procedures for dealing with them. Organizations may wish to outsource this training. One possible reason is that the different users within a company may speak different languages. In such a case, there is no way for HR or IT to effectively provide training material on policy.

Multi-factor Authentication

Multi-factor authentication has the user provide two or more factors to gain access to a resource. This is an organization’s first line of defense when an untrained employee gives away sensitive information, and it is valuable in general because of its ability to reduce the risk of brute force attacks.

Restricting Local Administrator Privileges on End User Devices

Users may consider this a last line of defense. For example, if an untrained employee clicks on a nefarious link, these restrictions prevent unwanted items from getting installed on his or her computer, because he or she does not have the required privileges for such an installation.

While less tied to breaches from human error, here are some other low-cost security measures that can be taken to reduce the risk of breaches overall.

Active End-Point Monitoring

End-point monitoring is the tracking of activity across all internet-connected devices in an organization to protect against behavior that deviates from a baseline, which may be interpreted as malicious. Especially with so many personnel working remotely, end-point monitoring may never have been more important than now. It is important for IT departments to invest in the staffing to be able to respond to possible nefarious events, such as a login from an unrecognized location, but unfortunately many IT departments have struggled to invest in these measures.

Applying Security Patches

We know how important security updates can be. Sometimes, companies (for example, Microsoft) may provide security updates to its applications which should be installed on the same day they are released. However, organizations may opt to arrange them such that they run after hours.

Cyber and Data Security Risks for Food and Beverage Manufacturers and How to Protect Against Them

If a food and beverage company experiences a cybersecurity attack, the potential consequences can be severe. Hackers can jeopardize the security and logistics of materials and ingredients, impeding their movement from suppliers to the manufacturer. Shipments from the manufacturer to its customers could also be either delayed or even re-routed to the wrong location. Attacks can also result in the shutdown of internal systems, and the safety of food products can be compromised.

The Risks

Three of the major cyber threats that food and beverage manufacturers face are web skimming, ransomware, and malware directed at Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA).

Web skimming is a form of attack where the attacker inserts malicious code into a website for the purpose of obtaining information such as customer credit card or personal data, potentially shutting down systems.

Ransomware is a type of malware which encrypts files on a device, preventing users from accessing those files until a ransom is paid to the hacker in exchange for decryption. Ransomware attacks against food and beverage manufacturers have been popping up more frequently in the past few years, as shown in examples found here and here. Ransomware can potentially compromise millions of internal records.

The risk we’ll focus on is ICS/SCADA malware. If these systems are breached via malware, nefarious parties could stop operations or even contaminate the food supply by altering BOMs and recipes. Therefore, we see that the risk of cyber-attacks of this form is very high in the food and beverage industry; not only can the business lose massive amounts of revenue due to shipment and production interruption among other costs, but these attacks can have disastrous effects on public health if cyber criminals can manage to poison the food supply.

There are various circumstances that exacerbate the risks posed to the ICS and SCADA systems of food and beverage companies. Although many may recognize that cybersecurity is often more critical at the ICS level, many food and beverage manufacturers are still using legacy ICSs that are not equipped for modern day cyber threats. Furthermore, ICSs in the food and beverage industry also tend to have more rigid controls relying heavily on physical security, thus creating the potential for further ICS vulnerabilities. On top of that, more ICS vulnerabilities are being discovered. A report from Claroty (registration required), an industrial cybersecurity company, found that in 2020, there were 25% more ICS vulnerabilities disclosed compared to 2019, as well as 33% more compared to 2018. The report also found that nearly 72% of these vulnerabilities can be exploited through a network attack vector (they are remotely exploitable).

There are additional contributing factors to a higher risk of cyber-attacks that are not specific to just ICS and SCADA. One such factor is that the pandemic has resulted in more remote work than ever before, leading to a larger attack surface. Another contributing factor discussed here in an overview of a University of Minnesota report notes that food and beverage companies “often lack knowledge about how their industrial control systems and IT systems interact and lack awareness about cyber risks and threats.” Also discussed in the overview, the food and beverage industry has historically not been targeted by large cyber-attacks compared to other industries; this has led to a lack of security maturity compared to these other sectors.

Protecting Against These Risks

One way to reduce these cyber and data security risks is to invest in a cloud ERP system. The cloud is often the safest environment and most protective against attacks on data in the ERP system, due to the centralized cybersecurity measures that providers offer. Services may include intrusion detection programs, an incident response team, and regularly scheduled penetration testing. Cloud systems are also useful because in the food and beverage industry, IT costs are often very high and IT departments are often short-staffed, and cloud systems avoid the high management cost of on-premises systems.

There are also several ways that food and beverage companies can reduce the risks posed by ICS/SCADA malware specifically.

Endpoint Management

This involves asset inventory and an operational technology (OT) systems management program, including things such as user and account management and software management. Organizations may also want to consider how they are going to manage their patches. This may seem simple at first but managing patches can be difficult and time-consuming.

Network Defense

Effects of ransomware or malware can be diminished if there is more limited access between devices. Companies may wish to consider how they can check for abnormalities that alert when the system is about to be compromised.

Access Control

This involves protecting systems compromised through means such as remote access. This can involve isolating these systems based on function.

There are other areas companies may want to address to further reduce risk to their ICS/SCADA systems. These are questions such as “Have we invested in offline backups in the case of cyber-attacks?” “Do we have a training protocol for OT and cyber events?” “Do our personnel know what to do when issues arise?”

High Profile Data and How to Protect It

Protected Data Potentially in QAD

PHI (Personal Health Information)
PCI (cardholder data)
PII (Personally Identifiable Information)
Protected financial data
- Financial reporting info
- Bank routing codes
- Commission rates, pricing
Intellectual property (BOMs, routing content, etc.)
Other competitive information (pricing, cost of goods, test result performance, etc.)

If any of this data exists in QAD, there are potentially ways that this data can be exported. If any intellectual property is exposed, competitors can gain an advantage. The same holds true for information such as pricing information or test result performance. Therefore, companies may wish to consider this when developing their data protection scheme.

Managing General Data Protection Regulation (GDPR) Requirements for Data Protection

There are a couple of questions that food and beverage companies can ask themselves as a step toward managing GDPR requirements.

The first is “Are we auditing outsourcing vendors?” A company may wish to assess what info it shares with these vendors, and potentially consider auditing these vendors to ensure that they are secure.

The second question is “Are training records concerning data management in place?” For GDPR requirements, it is mandatory that all data handlers receive data management training.

Companies will also want to ask “Are we documenting the purposes for retaining data? Do we document how long the data is retained?” This will naturally lead to companies asking if such retention policies and procedures are being adhered to—and if these are documented.

Another question involves unstructured data. How much unstructured data does the organization have? Where exactly is that data? eDiscovery tools such as Veritas eDiscovery Platform can help organizations find what sensitive data exists within the company and where it is located. Then, the organization can decide how to proceed—whether that be through encrypting the device where the data is located, encrypting the data itself, or destroying the data.

Compliance auditing is another data protection angle to consider. This allows the company to see with whom the organization is exchanging data and why. Companies may wish to have either an internal audit team that specializes in data management, or one that the company can outsource.

How the QAD ERP Application Can Help

There are numerous options within the QAD ERP application for bolstering security. Here we list a few. (If you have any questions regarding these options, we encourage you to reach out to us here.)

Segregation of Duties and Access Control (EE)
Customer/Supplier Transaction Blocking (EE)
Field Security
Dictionary field Security
Browse Data Exports & Imports
Active Directory Integration (2016EE and up)
Application Time Out

There are also some procedures used to heighten application security.

Least privilege/access processes

This means that the user has only the permissions necessary to perform his or her job, thereby reducing unnecessary risk.

Formal access/menu request processes

An organization can make its request processes formal. It may involve having designated applications or forms for requesting data. The organization may have several people from different functions required to approve access to the user.

Regular review of roles and associated access

As a person’s role within the company changes, so too should his or her access privileges; he or she likely should not still have access to the same data from a previous role if the organization is to follow the least privilege protocol. The HR team is going to be the most likely to be notified of these changes. This is one of the many reasons why having an HR member as part of an organization’s security team may be useful.

Employee terminations

Ideally, the same day an employee is terminated, he or she will no longer have active directory access. Otherwise, this is likely to show up on an audit.

Conclusions/Next Steps

We’ve discussed the potential costs of cyber and data security incidents and where these costs can come from; the importance of activities such as security awareness training in lowering security breach risk; specific ways for food and beverage manufacturers to reduce risk of exposure to ICS/SCADA malware; the different forms of high-profile data organizations may deal with, and we’ve included several questions food and beverage manufacturers can ask themselves to determine if their data is secure. Lastly, we looked at the security options available to QAD ERP users, as well as general procedures useful for lowering cyber and data security risk.

However, we cannot hope to cover all such risk-reducing practices deeply in a single article. We therefore encourage you to visit our Cybersecurity webpage, where you will find a list of our services, including a general security assessment and a GDPR compliance evaluation. You will also get a look at the Logan methodology for cybersecurity.

We also encourage you to reach out to us with any questions you may have regarding cybersecurity or the QAD ERP for your food and beverage organization.

QAD’s Changing Landscape: Insights from Logan Consulting

Posted on: April 16, 2024

In this blog, we explore QAD's changing landscape, focusing on cloud modernization and O3 adoption, illuminating both excitement and nuanced...

Read More ›
Minimizing ERP Upgrade Timeline

Posted on: March 25, 2024

With the release of QAD's new AUX 2024 and O3 version, many of our clients are in the process of...

Read More ›