'It's not if, it's when': Expert shares how grocers, CPG companies can prepare for a cyber attack

After two separate ransom attacks targeted the Canadian food industry this month, it would seem the sector is taking the threat of cyber crime more seriously.

Maple Leaf Foods admitted it was dealing with a cybersecurity incident on Nov. 6, while Empire Company Ltd., the parent of Sobeys and IGA, has remained tight-lipped about the causes of its systems issues, only releasing a statement on Nov. 7 that acknowledged it had “been impacted by an IT systems issue.” 

However, the Journal de Montreal reported Empire had received a ransom demand of 500 bitcoin to end its problems, and a CBC report this week citing Empire employees seemed to confirm the company's problems were the result of a ransomware attack, though it declined to comment to the CBC. 

Speaking with Canadian Grocer, David Greenham, vice-president for cybersecurity at business consulting firm Richter, says there’s little doubt that both cases were ransomware attacks.

“When companies say that their systems are offline and it's disrupting their ability to do business or to serve their customers or whatever, these days, that's generally what it is,” he explains. 

Not long ago, cyber crime in the Canadian grocery sector was about the theft of credit card information. But cyber criminals today are more likely to use skilled hackers to take control of key computer systems, effectively holding part of the business hostage until a ransom is paid. Until now, the most high-profile cyber attack to hit the grocery sector occurred at the American division of meat packer JBS last July, which reportedly ended up paying $11 million in ransom. 

But these Canadian attacks should be a wakeup call to grocers and CPG businesses to take steps now to hopefully prevent — or at least mitigate — the damage from a ransomware attack. And that preparation starts with what is the weakest link in most companies: employees. 

“If the ransomware – assuming it's ransomware – came in through a phishing email, an employee must have clicked on the link, which downloaded the malicious payload or something like that,” Greenham says. (Indeed, the CBC reported this week that is exactly what happened at Empire.)

While almost anyone spending any time in an office in the 21st century has heard some warnings about suspicious emails, it still happens – probably more than you think. 

Greenham says when Richter runs tests at businesses, even those with “mature” cybersecurity training, protocols and procedures have a click rate for dangerous emails of 4%. “The click rate at less mature companies — if you're just starting out and you haven't done awareness before — can go up to 30%.”

Below, Greenham offers three tips for Canadian grocery and CPG businesses that want to be better prepared to deal with a ransomware attack. 

Start with security awareness

At a minimum, companies need to train employees upon hiring and ideally each year after that. Some organizations will even provide some training every month to keep cybersecurity top of mind, but change up topics every time to keep employees engaged.

Think about your backups

Businesses need to back up their production data – the essential data generated by day-to-day business tasks and processes – and maintain the backups separate from the day-to-day operating network of the business. “Take the backup tapes and ship them off to an off-site storage facility,” Greenham advises. Periodically test your data backups to make sure that you can actually recover from them when needed.

Practice your response to an attack

“Have an incident response plan in place for when you are attacked, because it’s not if, it’s when,” Greenham says. It’s important that key people know what the response plan is and what their roles and responsibilities will be. “Exercise and refine the plan on a regular basis because preparation is essential for a speedy recovery,” he adds. 

For now, these apparent attacks seem more like an inconvenience for the two businesses victimized by the criminals. But the prospect of more or larger attacks on the food industry should be cause for concern and motivate businesses to get serious about the threat. 

The JBS attack was an early warning signal of how the entire food supply chain could be disrupted by cyberattack, Greenham notes. “It kind of brought things into focus,” he says. “It's not just a financial issue, it now becomes a public safety issue.”