By Lisa Lupo
Food manufactures should evaluate hacker risk like they do all other risks in their business: evaluate the likelihood and severity of a potential occurrence, said SafetyChain CTO. Ask your provider the same questions about their security that a food auditor might ask you about your programs:
- Do you have a policy?
- When did you last apply the policy?
A cloud service provider that can answer all three demonstrates that it has mature IT processes and is likely a good option, Woehl explained, adding, too often a vendor audit will simply ask, “Do you have a policy for XYZ,” but it doesn’t ask for proof it has been applied.
While the risk of compromised food safety and quality data of a traceability system is low for companies who act in good-faith compliance with their internal food safety program protocols and regulations, he said, public exposure of food safety practices or communications that are less than favorable could lead to brand risks for a company. For example, one foreseeable threat scenario assesses a “hacktivist” looking to expose questionable practices, with the hacker gaining system access and encrypting all the data, then holding the decryption keys for ransom. They may say, “Pay us money or we will not unlock your data and your inventory will spoil and you will lose hundreds of thousands of dollars,” he said.
“Far and away the biggest hacker risk is social engineering,” Woehl said. It is far easier for a hacker to trick an employee into exposing a password than it is to “hack” into a secure computer system. A good employee-training program that warns about social engineering ranging from phone calls to email fishing can go a long way in preventing undesired access to data. Additionally, good IT policies around passwords, user accounts, and handling private data can go a long way in protecting a company.