Skip to main content
What can we help you find?
main content, press tab to continue
Article | Managing Risk

Food and drink manufacturers: Is your business low-hanging fruit for cybercriminals?

June 17, 2022

How can you protect your business and present your risk more compellingly to insurers and supply chain partners?
Subscribe
Risk and Analytics|Risk Management Consulting
N/A

Food and drink manufacturers are under increasing pressure to modernise their cybersecurity. Attacks such as last year’s targeting of the world’s biggest meat processor, which saw it pay a multi-million dollar ransom after a cyber attack shut down operations, have prompted many food and drink manufacturers to address their approach to cybersecurity1.

In common with other manufacturers, food and drink operators may well be playing catch-up on cyber, perhaps one of the reasons why recent research indicated manufacturing companies are the most likely targets of these types of attack2.

Why might food and drink manufacturers be falling behind on cyber security?

Unlike other sectors long galvanised into cybersecurity action by regulation, such as financial services, or the high volumes of personal information they handle, such as online retail, food and drink manufacturers have not been led by the same imperatives.

This in turn has led to comparatively lower capital investments in cybersecurity in some businesses. Historically, this was justified by the lower probability of being targeted and under the assumption their businesses lacked the data most prized by attackers. But with food and drink manufacturing technology changing, and with an increasing convergence of the Information (IT) and Operational Technology (OT) environments, cybercriminals too have changed their methods of attack to include ransomware and extortion techniques.

Previously, the production line (OT) would have been largely independent from the IT environment, which would have meant that even if there was malicious activity in IT, production could continue. Paying attention to the growing convergence and integration of IT and production environments, food and drink manufacturers are often perceived to be less mature in establishing and maintaining the required security controls between both operating spaces – potentially providing a perfect opportunity for attackers to target businesses considered ‘low hanging fruit’ when compared to those earlier industry examples.

Operational performance prioritised over security

With increasing innovations in technology, including use of automation, the harnessing of AI and the deployment of Internet of Things devices now common place in the food and drink sector, there must be a heightened emphasis on cyber security, a slight step change for an industry whose operations more traditionally focused on performance and safety. In some cases, these new technologies and operating environments are being implemented, operated and managed not necessarily by cybersecurity experts, but by manufacturing specialists or an IT function that doesn’t specifically own cybersecurity within the business.

These scenarios create both a system environment with a large attack surface and significant vulnerabilities, so perhaps it’s little wonder food and drink manufacturers may find themselves identified as potential soft targets for cyber attacks.

How are underwriters’ view of food and drink manufacturers’ cyber risk changing?

While once manufacturers may have been perceived by underwriters as having a lower risk profile than purchasers in sectors such as finance and retail, this is increasingly less likely to be the case. Insurable food and drink operations may find they struggle to secure cyber cover, particularly when compared with peers with more advanced more advanced approaches to cybersecurity.

These same peers are also likely to represent a more compelling proposition to potential partners along the supply chain. Demonstrably effective cybersecurity, including the ability to present your cyber risk as insurable, helps show partners you’re less likely to be a weak link in the chain.

What steps can food and drink companies take on cyber

There are cybersecurity steps food and drink manufacturers can take without feeling overwhelmed or concerned at the prospect of prohibitive investment.

Thinking about this in broad stages can be helpful, with the first step being to identify your mission-critical data and systems. What are the systems and machines you need to protect above all others to keep operations on-track to meet existing customer demand?

Next, assess the strength or otherwise of the security around these prized assets before prioritising what steps you might take to reduce their vulnerability to attack. This could lead to moves such as segregating data depositories, tighter user access controls and broader cybersecurity measures and controls layered throughout your computer network.

Upping your resilience to cyber attacks will also involve creating plans to constantly tests the efficacy of your controls. This will likely demand funding and support by people with the right expertise but also at the appropriate seniority to ensure cybersecurity is owned at a strategic level.

If you don’t have all the answers, either for an underwriter or a potential partner seeking assurances regarding on your cybersecurity, then you should consider working with internal or external experts to understand what you don’t know and start building a full picture of your vulnerabilities and how to effectively reduce and manage them.

How can WTW help?

To understand your food and drink manufacturing business’ potential vulnerability to cyber attack or to work with experts to close the gaps, please get in touch.

Footnotes

1 https://www.theguardian.com/business/2021/jun/10/worlds-biggest-meat-producer-jbs-pays-11m-cybercrime-ransom

2 https://www.zscaler.com/resources/white-papers/threatlabz-ransomware-review.pdf

Contact

Sue Newton
GB Food and Beverage Leader
email Email phone +44 7946 421 507
Related content tags, list of links Article Managing Risk Risk and Analytics Risk Management Consulting Food and Beverage Leisure and Hospitality Retail United Kingdom

Related Capabilities

Food and Beverage
Retail
Leisure and Hospitality
Risk Management Consulting

Related Services

Property Risk Engineering Practice

Our Property Risk Engineering Practice consists of highly trained risk engineers who are able to identify and evaluate key risk exposures and the adequacy of controls in relation to your property.
Health and Wellbeing Practice

The Health and Wellbeing Practice can support your business in preventing harm to psychological health and safety and promoting workplace wellbeing creating a healthy and productive workplace.
Transport Risk Management Practice

The Transport Risk Management Practice can provide guidance and support on both proactive and reactive fleet risk management techniques.
Claims Defensibility and Regulatory Practice

The Claims Defensibility and Regulatory Practice specialises in developing and implementing defence strategies to help your business avoid or defend regulatory action and personal injury claims.
Risk & Resilience Advisory Practice

Our risk & resilience advisory team can help your business evaluate your risks at both an operational and strategic level.
Health, Safety and Environment Practice

The Health, Safety and Environment Practice can provide guidance and support on the management of health, safety and environmental risk within your business.

Related Insights

See all insights
Survey Report
Complex Manufacturing Supply Chain Risk Report 2023
Article
Don’t let a rogue supplier damage the reputation of your food and beverage business
Report
Managing Global Risks and Opportunities in the Food and Beverage Sector
Survey Report
Food, Beverage and Agriculture Supply Chain Risk Report 2023
Survey Report
2023 Global Supply Chain Risk Report
Survey Report
Global Food & Beverage Survey Report
Article
Health and safety is our top priority: Six ways to ensure your approach is more than lip service
Contact us