Cyber attacks aren’t just a vague concept; they’re a very real threat facing food and drink businesses around Australia. Businesses large and small must begin to look at cybersecurity from the inside out. Ajay Unni, founder of StickmanCyber, writes.
Cyber attacks are costly, with destructive/wiper-style attacks costing businesses an average of $4.52 million and ransomware attacks an average of $4.44 million. Even the average malicious breach costs $4.27 million and the average data breach $3.86 million.
Despite this, a large number of food and drink businesses remain uncertain and fearful when it comes to setting up their own cybersecurity processes. Cybersecurity is often pushed to the bottom of the to-do list, always competing with the fast-paced nature of the food and drink industry.
It is no longer just the perimeter of a business that is vulnerable to attack, since a simple email can carry a malicious link that can launch a company-wide ransomware attack.
In the case of ransomware attacks, businesses are brought to a standstill, with hackers expecting a ransom to be paid before data is released. Victims are brought to their knees and forced to pay up - or risk losing their entire business, data and reputation.
While ransomware is undeniably deadly and unpredictable, organisations regularly become victims thanks to their own lack of basic security controls. Most ransomware attacks are a result of phishing emails, compromised network passwords, and open, unmonitored networks or infrastructure - all things that can be secured against with proper cybersecurity processes. By not putting the right precautions in place, food and drink businesses are risking their reputation, finances and livelihood.
Thankfully, there are a few simple steps that businesses can put in place to help better protect themselves from cyberattacks. Firstly, get your passwords in check. Passwords should be rotated at the very least every 60 days, although every 30 days is even better. To make them even harder to guess, passwords should be at least eight to 10 characters long, have at least one number, one capital letter, and one special character, such as one of the following: ‘!@#$)’.
Multi-factor authentication (MFA) is the next step up from mere passwords. MFA adds an extra layer of security by using two or more pieces of evidence to log in to a single location. Some common examples of MFA include an SMS message, phone call, or authenticator app to verify a browser login. Other verification factors could include personal questions, a physical object such as a security token or bank card, or fingerprint, face, or iris scanning.
Changing passwords and implementing MFA is great, but it won’t help if those passwords and special answers are being shared between multiple members of staff, with the potential for them to be leaked.
Instead, every staff member should have their own accounts with their own unique user ID and password, so that there is no need to share passwords between staff members. Any shared accounts should be removed and replaced with individual accounts, and each individual account should have its password updated regularly.
The same should be true of any external IT support staff, who should each have a unique ID and password with MFA enabled. This means that every time someone accesses your network, you can log and track exactly when, where, and by whom it was accessed. This will not only keep your own business records safe, but will keep your customers’ sensitive information safe and secure too.
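The account rules above (one person per account, passwords rotated at least every 60 days, MFA for staff and external IT support) can be checked against a list of accounts. The following is an added example, not part of the original article; the inventory, its field names and the audit functions are constructed for illustration.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 60  # the article's "at the very least" rotation interval

# Constructed sample inventory; field names are assumptions for this example.
ACCOUNTS = [
    {"id": "j.nguyen", "people": ["Jo Nguyen"], "external": False,
     "mfa": True, "password_set": date(2024, 5, 20)},
    {"id": "frontdesk", "people": ["Sam Lee", "Priya Rao", "Tom Hill"],
     "external": False, "mfa": False, "password_set": date(2023, 11, 2)},
    {"id": "msp.support", "people": ["Alex Chen"], "external": True,
     "mfa": False, "password_set": date(2024, 6, 1)},
    {"id": "k.smith", "people": ["Kim Smith"], "external": False,
     "mfa": True, "password_set": date(2024, 3, 1)},
]


def audit_account(account, today):
    """Return the list of problems found for one account (empty if none)."""
    problems = []
    owners = len(account["people"])
    if owners == 0:
        # Nobody is named, so access cannot be traced to a person.
        problems.append("no named owner")
    elif owners > 1:
        problems.append(f"shared by {owners} people")
    if not account["mfa"]:
        who = " (external IT support)" if account["external"] else ""
        problems.append(f"MFA not enabled{who}")
    age = (today - account["password_set"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        problems.append(f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
    return problems


def audit(accounts, today):
    """Map account id -> problems, listing only accounts that need attention."""
    report = {}
    for account in accounts:
        problems = audit_account(account, today)
        if problems:
            report[account["id"]] = problems
    return report


if __name__ == "__main__":
    for account_id, problems in audit(ACCOUNTS, date.today()).items():
        print(f"{account_id}: " + "; ".join(problems))
```
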
With food and drink businesses so heavily reliant on IT systems, including navigation, tracking, supply chain, financial, ordering and inventory, it is no longer sufficient to simply install a firewall and hope for the best. The industry must build its detection, response and recovery capabilities along with strong governance, training, awareness, and security testing. In short, weak spots must be identified and eradicated before an attack occurs - not once the damage has already been done.
Ajay Unni is the founder of StickmanCyber, a business that helps companies mitigate their cybersecurity risk. He is part of the 2020 NSW Government Cyber Security Task Force, a group of experts tasked with accelerating the adoption of cybersecurity across Australia.