Even with advances in artificial intelligence and technology to enhance online systems and communication, preventing and surviving a cyberattack still comes down to the human factor.
That was the consensus cybersecurity experts and fresh produce leaders during an April 26 panel at the Canadian Produce Marketing Association’s Convention and Trade Show. While more businesses employ advanced cloud-based communication systems, the top priorities critical to safeguarding against a cyberattack include preparing, auditing and educating the entire company and its supply chain partners, according to the panel discussion.
Two fresh produce producers — Erik Larsen, senior director and head of information technology at Duda and Sons, and Kevin Potter, director of information technology at L&M Cos. — shared lessons learned from having experienced a security breach. Additionally, cybersecurity experts Greg Gatzke, president of ZAG Technical Services, and Sem Ponnambalam, president and co-founder of cybersecurity firm Xahive, shared insights in an eye-opening discussion moderated by Oppy Vice President of Operations Steve Roosdahl.
Three cybersecurity facts you need to know in produce
1. Include cybersecurity in your business plan
After Duda and Sons recovered from a 2022 attack by a Russian state-sponsored organization, Larson was able to use the incident to evaluate what was working and what needed to be improved within the entire company.
“It gave us a lot of opportunities, not just from an IT standpoint, but from an operations standpoint, to learn what we can do better and to go through our business continuity and disaster recovery plan,” Larsen said. “It’s been a great learning lesson for us to polish up our business continuity and disaster recovery planning, which is pretty critical.”
Ponnambalam agreed that integrating a security plan was critical in today’s environment.
“Cybersecurity should be a part of your business continuity plan; it shouldn’t be something separate or just one component. It should be part of your business continuity plan along with disaster recovery,” Ponnambalam said.
2. It’s not if, but when
Gatzke at ZAG Technical Services emphasized that produce business of all sizes would benefit from evaluating its operation and security systems. He suggested taking stock before a threat occurs.
“It’s important to realize that people think, ‘my business is too small, that cyber criminals are not going to come after me.’ These guys are coming after grandmothers. They’re targeting large corporations and small corporations,” said Gatzke.
Still, businesses often still react with embarrassment when they are attacked.
“That is the exact wrong attitude,” Gatzke said. “We have to be transparent and share our experiences because it’s us against them, and we have to be better together.”
3. Share education and training with your entire organization
It’s not enough to have a robust IT plan and team in place; the entire company plays a role in safeguarding against threats.
“You may have amazing technical systems in place, but if your organization outside of IT doesn’t know why cybersecurity is important, then you’re going to have continual issues,” Ponnambalam said. “Most of the time a lot of breaches happen internally and within their supply chain. Over 90%. Education is important.”
Preventing and recovering from a security breach
“Ultimately, there are 100 different ways [cybercriminals] can get to you,” Gatzke said.
To prepare against an attack, the panelist recommended taking these preventative measures:
Have a plan in place: Walk through what you would do to recover from an attack, designating roles, responsibilities and communication contingency plans.
Make sure you educate everyone in your operation – including your supply chain: Talk through your cybersecurity best practices and recovery plan with everyone from C-suite to warehouse. Ask supply chain partners what steps they are taking for cybersecurity within their organization.
Perform an audit: Security fire drills where the entire company’s operations rehearse what steps they would take in the event of a cyberattack is key to not only setting expectations, but it also will help stakeholders at all levels in the organization take responsibility in their roles to prevent and survive a breach, the panelists said.
Identify your resources: Ask yourself who will you turn to for help in the event of an attack?
“The moment you realize that you’re compromised, you enter this world where it’s a ticking time bomb. It feels like you don’t know who’s out there and how active they are and what they have access to. So basically from that point forward, it’s cloak and dagger,” Potter said.
Having expert relationships already in place is key.
“When it came time, we called on the experts,” Potter said. “It’s not one-size-fits-all; every business is different … It’s a different story for everyone when it happens. [Get] people together beforehand that can help guide you and create a plate of options [for your situation].”
Cybersecurity resources for the fresh produce industry
A produce industrywide effort to combat against cybercriminals and safeguard the produce supply chain is happening at Producesupply.org. The cross-industry effort that includes professionals from 10 produce companies in the U.S. and Canada has created a cybersecurity council whose objective is to create best practices and tools to empower produce companies to defend and protect against ransomware and cybercriminals.
One tool the cybersecurity council created was a set of actionable best practices, available to everyone for free.
Related news: Is your produce business prepared for a cybersecurity attack?
“The U.S. government comes out and says, ‘here’s how to protect yourself,’ and of course they do it in the government way. They got a list of 150 different things to do … which you can’t understand when you read it,” Gatzke said. “What the PSO did is they came together, and they say in plain English what to do.”
Join the conversation and learn more about the PSO’s best practices at producesupply.org.
