Advisor Sumit Bhatia on how to deal with cyberattacks
Is generative AI likely to increase the frequency and severity of cyberattacks?
GenAI’s effect on cybersecurity is quite significant. It has the ability to replicate social engineering at a high level ... So, when you receive an email that’s been generated by a GenAI tool, it can be so close to a human writing it that it’s hard to review. Also, the frequency and volume of the attacks it can generate are quite high. The way it collates data is quite significant. But, I’m cautious about talking about GenAI as just a threat, because these tools are also able to combat some of these issues. So, generative AI is also being used in cybersecurity tools to provide security analysts with some incredible strategies and tactics.
How can a grocery company manage third-party cybersecurity risks?
Ask questions when you're engaging with those third parties. What kind of cloud environment are they going to store your data on? What kind of monitoring technologies do they have? All of that is extremely important to know. From there, figure out where their responsibility ends and a retailer’s responsibility starts. You have to constantly interact with your third-party [vendors] and your procurement bodies to know what changes are being implemented in their systems, because they're also continuously engaging new technologies and it’s hard sometimes to keep an eye on them. So, building a service-level agreement with them where it becomes their responsibility to update their clients and their customers on these things is quite critical. And then, of course, having clarity on their processes when they engage with new technologies and understanding how they manage operational risk.
Should grocery companies customize cybersecurity training for different staff levels?
Absolutely. Cybersecurity is something that must be incorporated into all parts of the system. So, for instance, in a grocery store, you've got systems for things like inventory control, employee databases and time sheets, check-in and check-out [and] point-of-sale systems. One of the biggest errors, I think, a lot of retail ecosystems make is that they grant blanket access to all systems when employees don't necessarily require that.
The other part I'd say is [retailers are] using multiple SaaS applications. They should have a better idea of who's responsible for configuring those applications and for the security of those applications [and] because a lot of that data sits in a cloud environment, retailers have to know whether they're responsible for it or the cloud provider is responsible for it. And then I'd say configuring and managing control on the point-of-sale systems because that is where the transaction is taking place. So, they should think about how to implement the right controls.
How can organizations engage employees around cybersecurity in a way that isn’t intimidating?
Don’t start from a place of fear, but build a culture of support. I think when employees are scared about their actions, they tend to make more mistakes. The first thing is starting with basics like multi-factor authentication or, if you're bringing your phone to work, having policies around how you manage your devices at work. The other piece is tailoring training to certain roles. So, somebody in finance can understand how cybersecurity affects them differently than somebody who is, let's say, standing and operating a point-of-sale machine. The other thing we're seeing is gamified learning experiences. So, running security awareness training in a fun and engaging way versus feeling like [employees are] going back to school. The other piece we find a lot of success with is building a culture where they feel confident reporting something even when they're not sure. So, it doesn't have to be an attack or it doesn't have to be something that's gone wrong, but feeling confident to say, “I suspect something or I'm not sure of something,” and building a path around that so they're rewarded for flagging an issue.
When it comes to cybersecurity, what should be top of mind for grocers and CPGs?
I always come back to education as the dominant thing. In the retail sector, folks still think of cybersecurity as a winter tire. They think, "Hey, I can put it on when I think it's important." I think about cybersecurity as the wheel itself, and it's about making that shift to say this is the foundational component of our technology ecosystem. This is not an add-on. This is not a Band-Aid. This is not a secondary set of tools. This is built into how we structure our systems and the operational framework. That's incredibly important. And from an education perspective, recognizing that the impact of cybersecurity is not just a breach on the system; it holds a financial risk, a reputational risk. When you see the risk is across the organization's operations, you start thinking about cybersecurity differently. That would be my biggest takeaway—reframe the conversation around security as a big part of your strategic operating framework and not technology.
This article first appeared in Canadian Grocer’s June/July 2024 issue.