Food and agri businesses face potentially crippling cyber exposures. But to mitigate them, they must first understand and assess the impact they could have on their daily operations.
In recent years, cyber attacks and digital security concerns have leapt out of the margins to become boardroom priorities for virtually every business in the country. But before you can set your defences effectively you must understand exactly what you’re up against.
AMBUSHED FROM ALL SIDES
All food and agri businesses are exposed to an array of different risks from many diverse sources. You might be the target of an internal or external attack, where the perpetrator seeks to corrupt or deny access to your systems and data.
You could be unlucky and fall victim to a random attack where your data is held hostage and criminals demand a ransom. This nightmare scenario unfolded for many companies in May this year when WannaCry ransomware hit public and private organisations of all sizes (see page 9).
The event might not even be deliberate and could arise out of human error, an unexpected system failure or a power outage. You might be one of the many companies that rely on third party providers for software, storage and cloud computing services. It’s important to consider just how robust their systems are.
It’s very difficult, therefore, to implement a blanket digital security solution that covers all eventualities. Instead, the solution needs to start with an understanding of all the digital processes that your company uses and an impact assessment on how an attack or failure would affect your wider operations.
REALISING THE RISK
The vast majority of business in the UK have a digital element to them. Your core functions might not be centred around online activity and much of your work could be manual, but that doesn’t mean you don’t have some form of digital footprint and therefore exposure.
According to the Cyber Security Breaches Survey, published by the Department for Culture Media & Sport in April this year, 99% of businesses have email addresses for their organisation or employees. Many others have websites and/or blogs, social media accounts, online banking arrangements and online order and payment functionality for customers.
Do you hold personal customer information electronically? What about commercially sensitive data detailing ingredients, product recipes, pricing and contracts?
Does your business rely on logistics systems to manage staff rotas, automate stock orders, arrange transport schedules and complete sales? How quickly would denial of access to these systems cripple your business? Do you have robust manual workarounds that you could rely on?
Every business has different dependencies. Some would suffer dramatically if a systems failure meant they couldn’t locate stock immediately and make deliveries on time. Others, perhaps dealing in non-perishable items, might have the flexibility to work around such delays.
There is, therefore, a need to analyse your business’s individual processes. What data is held electronically, where and by whom?
How is it used, do you have accurate data flow records and what would be the commercial impact on the business if access to that information was denied or it fell into third-party hands?
Conducting a risk-based analysis will enable you to identify the financial, operational, reputational and regulatory problems that a cyber attack or digital security lapse could create.
You can then start to prioritise these potential problems in terms of how they would affect your ability to run the business, the danger they would present to ongoing operations and the upfront and ongoing financial costs they would create.
For example, if sensitive data on product recipes or seed traits found its way into the public domain following a cyber attack, the immediate impact would be limited. But if competitors launched better copycat products, or improved their own productivity as a result, the longer-term commercial impact could be extremely detrimental.
BUILDING DIGITAL RESILIENCE INTO EXISTING COMPANY FUNCTIONS
Your business will already have a corporate structure and an operational framework. Evaluating and mitigating your exposure to cyber attacks and digital security lapses means incorporating these concerns into these structures.
At division and company level is there a named individual who has responsibility for managing digital risk? How are regulatory requirements assessed and who has responsibility for operational compliance?
Have you actively driven a security-conscious culture that empowers employees to make the right digital decisions? Is digital security training part of your induction programme for new recruits? Are there detailed, tested and up-to-date disaster recovery plans in place?
All these questions need to be asked and answered to really get a handle on how vulnerable you are to a cyber attack and on how well your day-to-day operations would stand up to a lapse in digital security.
You can then identify your weak spots and set about strengthening them. At JLT, we take this risk-based approach and can help you formulate and complete an assessment of the different risks you face from these various exposures.
Armed with the results, you can then make a more informed position to evaluate where a cyber policy could transfer these potentially catastrophic risks and fit into your existing insurance programme.
You don’t have to be an IT wizard to protect your business from cyber attacks and digital lapses. But you do need an intimate knowledge of how it operates, who it works with and what data it holds.
Download News Feed
For further information please contact Jack Lyons, Partner on +44 (0)20 7528 4114