Cybercrime in food: Five-step plan for Australian firms to tackle ‘increasingly sophisticated’ security risks

26-Jul-2022 - Last updated on 26-Jul-2022 at 03:54 GMT

Australian food and beverage firms have been urged to implement a new five-step to-do list endorsed by the National Australian Bank to minimize their risk of financial and data security losses. ©Getty Images

Related tags cybersecurity Australia

One of the biggest cyber security attacks in recent history happened to Australia’s largest beer brewer Lion in 2020, when all of its systems were forced to be shut down after it was first hit with a round of ransomware and then a further round of attacks that basically paralysed its IT systems.

In 2021, the world’s biggest meat processor JBS Foods fell victim to another ransomware attack which shut down its global operations for almost a week and left it held for ransom by Russian hackers, with several of its Australian operations disrupted as well.

According to data from the Australian Cyber Security Centre, cybercrime leaped by 13% in 2021 with Australia’s food supply consistently being a target of attack, and to mitigate these large institutions with financial security expertise such as the National Australian Bank (NAB) are now urging food and beverage firms to take more proactive steps to avoid falling victims to attack.

“Some A$33bn in total has been reported in cybercrime-related losses, with over A$30,000 of this experienced by medium businesses,” NAB Senior Consultant Group Security Tessa Bowles told the floor at the recent Food South Australia Summit 2022.

“We have consistently seen the use of emails with malicious links or attachments continue to be the most common initial infection vector [despite multiple warnings and instructions to prevent this], but increasingly more sophisticated methods are also [coming into play].

“Credential phishing (where hackers attempt to steal user credentials by posing as a trusted entity via a communication), SMS phishing and social engineering tactics such as phone scams are becoming more and more common.

“Within businesses, business emails are bring targeted to send malicious messages to the victim’s address book, to intercept payment details, to make fake payment requests, and another [interesting yet somehow effective] scam is CEO impersonation, where a hacker writes to a target victim pretending to be the company CEO and requesting critical financial information.”

With the rise of these multiple cyberattack tactics in circulation, Bowles encouraged Australian food and beverage businesses to safeguard their data and their finances to minimize their risks of falling victim as much as possible.

“In addition to following the Essential Eight model of securing your business in order to ensure it is not only equipped to handle an attack but also to contain, respond and recover [from any potential infiltration], there are Top Five to-do’s that should be followed as well,” she said.

“The first step is always to implement the Essential Eight steps, the second is to turn on multi-factor authentication (MFA) and software auto-updates, the third is to turn on Segregation of Duties (a principle that essentially separates critical duties between different staff to ensure that no one person has the data or access to cause irreparable damage), the fourth is to back up data, and the fifth is to educate the entire team within your business about these risks.”

Training and education essential

Even in food and beverage businesses where cyberattacks may not be top of mind as opposed to production and product innovation, all members of a team need to be taught about the risks and ways to spot these as the consequences can be significant, as has been evidenced by the happenings at Lion and JBS.

“All staff need to be trained to identify the red flags of suspicious messages [as] they are often the first line of attack/defence, so whether it be via webinars or professional training, they need to be brought up to speed,” said Bowles.

“Passwords have been identified as another weak link – using different passwords for different logins and differentiating between say personal and business accounts would in itself be a big deterrent, [but] research has found the top five passwords of 2021 to be easy guesses, namely: 123456, 123456789, querty, password, and 12345.”

The risks are increased further when it comes to high-tech food production technology usage – earlier this year, a South Australia-France-Saudi Arabia study highlighted that the use of smart sensors and systems in crop monitoring and management was opening up the food system to more cyber attacks.

“We should not overlook security threats and vulnerabilities to digital agriculture, in particular possible side-channel attacks specific to ag-tech applications,” said study researcher Dr Saaeed Rehman from South Australia’s Flinders University.

“Digital agriculture is not immune to cyber-attack, as seen by interference to a US watering system, a meatpacking firm, wool broker software and an Australian beverage company.”