0:03
Good morning, everyone, and welcome to today's webinar, which is on strengthening cyber security in food and drink manufacturing, and which is brought to you by our affiliate members, RSM.
0:13
First of all, thank you to everyone for coming today. We hope that this content is useful.
0:17
We will be doing a Q&A at the end of the webinar, so please put any questions that you have into the questions box, and we'll do our best to go through as many as we can at the end of the session.
0:26
We'll also be doing a few polls during this webinar, so please do put your answers in when the polls come up on the screen. A follow-up will be sent to you in an article or email in the next couple of working days, and this will contain a recording of the webinar, a copy of the slides and the contact details of today's presenters.
0:42
So without any further ado, I'll hand you over to our host for this webinar, Stuart McCallum.
0:47
Thank you very much, Luke. If you can just move on to the first page. Perfect.
0:52
So yeah, today we're going to have a session on strengthening cybersecurity in the food and drink manufacturing space.
0:59
I think it's very topical and relevant for attendees today.
1:05
So let's crack through.
1:06
We've got about an hour, and hopefully we can cover, as you say, the Q&A aspects as well.
1:13
So we'll just go straight on to introductions.
1:19
So yes, some mugshots, quite literally, of us today.
1:24
So my name's Stuart McCallum.
1:25
I'm a partner based in our Glasgow office.
1:29
Throughout my career, I've spent a lot of time supporting food and drink businesses of all shapes and sizes.
1:35
And I was also delighted last year to be asked to join the board of Scotland Food and Drink as a non-executive director.
1:42
So that's given me even more insight into certainly what's growing the sector north of the border, which, as I see it, is no different to the rest of the UK.
1:52
And as part of my day job, I spend quite a lot of time with our larger food and drink businesses across the UK and also interact with our international practice, particularly areas where the UK is exporting lots of food and drink.
2:07
So they tend to be USA, Germany, France, Australia, some examples.
2:12
So yeah, lots going on and I'd like to say I've got Richard and Majid from our technology and cyber team who will introduce themselves when I pass over to their section of the presentation.
2:25
So as I say, hopefully today I think is super relevant.
2:27
It'll be insightful and give you some good tips on what, certainly in the conversations I'm having with food and drink clients, is a hot topic at the moment.
2:36
And it's one where they want to understand how they can prepare their defences and what to do if something does happen in a cyber aspect.
2:46
Okay, so next slide, Luke. I'll just run through a bit about who we are and what we do.
2:53
So just on to the next one. Luke, thanks. So we are not one of the big four.
3:00
We don't plan ever to be one of the big four. We sit in the tier just below.
3:04
We've got a large UK practice, large international practice. Food and drink sector for us is very important.
3:10
It's very regional, diverse as well.
3:12
So, you know, as I say, we are regionally spread throughout the whole of the UK.
3:17
We cover Northern Ireland and Ireland as well within our UK group, and as I say, we've got that international aspect covered also.
3:25
So next slide, Luke. And to, I guess, try and simplify what we do: we cover basically audit, tax and consulting.
3:37
Audit, I guess, is what it says on the tin, and we work with some of the largest food and drink businesses delivering that service to them.
3:46
Tax is covering every conceivable and inconceivable tax, as the tax landscape becomes ever more complex.
3:53
UK aspects, particularly relevant for food and drink businesses, are things like R&D and capital allowances.
3:59
And like I say, we're supporting quite a lot of you with making sure you're maximising these reliefs.
4:05
And as you're aware, HMRC's terms and conditions approach to tax in general keeps getting tighter.
4:13
So what we do is we make sure we're protecting our clients from that tax risk and also making sure they're maximizing the available reliefs for them.
4:23
The final third of our business is consulting, and that is where we are helping our clients, I guess, with what's the problem and we will find a solution for them. That can range from delivering deals, on which we'll have a webinar later this year with the Food and Drink Federation on the kind of M&A landscape.
4:43
It can also be where a client is looking to transform their business, or in general supporting them with maybe a secondment or resource and the like.
4:53
So that's an area where we're looking for what's the problem and we will find a solution.
4:58
So we're going to the next slide.
5:00
Luke, I'll just break down the six solutions that we go to market with.
5:06
A restructuring team, I guess that's relatively straightforward. That's what it says on the tin.
5:13
It remains quite flat in terms of activity, which I think is a good sign that, you know, even though I don't think the economy is doing particularly brilliantly at the moment, the amount of stress in the system is not excessive.
5:28
Forensic and investigation services, that has been busy.
5:31
That's where maybe there's been a problem in a contract or something has gone wrong, there's been a fraud, and that team can go in to find what's happened and explore the landscape.
5:42
I guess the common theme for these solutions in front of you are that technology is the common thread throughout them.
5:50
So each of these, we're using a range of digital and technology tools to support and assist.
5:56
And I think that's just going to go one way. There's going to be more technology, more tools available for everyone to be using.
6:03
AI is rapidly emerging as well, which we are heavily involved in testing and exploring: how can that help our own business and how can it help our clients' business?
6:12
Business transformation is where an organisation is looking to make a fairly fundamental change to either its operating structures, its strategy, how it's embracing technology, and particularly around data analytics. That's in high demand at the moment.
6:28
Risk and governance, I guess, is a flip of growth.
6:32
There's always risk and governance, as you will know, across the food and drink sector.
6:37
It particularly just keeps getting more and more, so making sure we're keeping our clients on the right side of the governance need is important to us. Within that we have Richard and Majid in our cyber and technology team, and again they will explain more about that, but let's just say they're in high demand at the moment, I think given the skills and given the context. I think a lot of that cyber risk, you know, the more you're embracing technology and digital, then potentially the higher the risks become.
7:06
Finance function support is really anything within that finance function we can help with, whether it's from a compliance, whether it's from a technical accounting, whether it's enhancing the information flow.
7:19
So for example, board packs, reporting packs, we've got tools that can produce them more efficiently, more effectively, more visually.
7:27
We're also looking at automation and reconciliation tools, which tends to be a potential challenge for a lot of clients when you get mass amounts of data and your team can't cope with the volume, keeping your reconciliations up to speed.
7:42
We also look at, I guess, software system, software selection in terms of what's the optimum finance system for you, how can you make that better given the constant change in that technology landscape.
7:56
And final solution is deal services, which again, we're seeing quite an uptick in that.
8:01
And so that's looking at either your kind of M&A process, buying and selling a company, and alongside that the kind of financial diligence that would go either buy side or sell side.
8:13
Certainly seen a lot of activity across the food and drink space and I think the changes to the business property relief for family businesses may accelerate some exit plans.
8:25
So again that's a team that's focused very much on the food and drink sector in terms of what's going on and how we can help. So going to the next slide, Luke, if that's okay.
8:41
So this is just a little overview, I guess, in terms of what I'm seeing clients talking about and what they're seeing on the horizon.
8:50
I think given, you know, the popularity of UK food and drink, international markets remain very prominent in the thoughts in terms of, you know, am I in an international market?
9:00
How do I further enhance the scale of that?
9:04
Or how do I access international markets?
9:06
Clearly the world has been taken by Mr.
9:11
Trump since January and tariffs and how he's using that as a tool has been very evident.
9:19
Equally, the UK has entered into a number of trade agreements and particularly from certainly north of the border, the whisky sector is very excited about the Indian trade deal and what that may do to that market in terms of selling work into it.
9:37
I think investment planning, certainly clients are talking about what do they plan, how do they automate production lines, how do they enhance, how do they scale up, what does that look like?
9:49
And the funding thereof, I guess that interest rate environment is still kind of mixed and varied.
9:57
Risk and regulation, a lot of clients preparing for some of the new regulations coming down the track, you know, the potential deposit return scheme, you know, the packaging scheme, potential changes to sugar tax, which are always on the agenda.
10:13
And I guess just across, you know, the food and drink sector, it seems to be popular for more regulation, unfortunately.
10:21
That M&A activity, again, we're seeing quite a lot of clients looking at either selling the business or looking to buy, to further increase the range of products that they're able to sell down their sales channels.
10:34
And I think consumer demand remains interesting.
10:38
And I guess that's what drives a lot of the innovation in the sector.
10:41
What is it the consumer wants to eat and enjoy and drink?
10:44
So, you know, I don't think that's going to change in the near term.
10:49
We do a range of kind of economic analysis and forecasts.
10:53
Always happy to have my colleague, Tom Pugh, who's our UK economist.
10:58
He's given me some kind of tips to drop into there, some perspectives.
11:03
And I think the landscape is really challenging.
11:07
The GDP growth remains variable.
11:11
You know, some of the headlines this morning about GDP growth slowing from Q1 to Q2.
11:16
I think the rest of the year just feels very difficult to forecast in a very positive way.
11:22
I think there will be some small GDP growth, it looks, but certainly it's not accelerating as rapidly as I think the government would like to see.
11:31
Are more tax rises coming? Certainly there's been an avalanche of tax rises from the last budget.
11:38
Certainly all the messaging seems to be indicating that there are going to be more taxes coming and we will wait and see what that looks like in the budget in October.
11:49
I think it's fair to say that inflation is stubborn, and particularly headline inflation is stubborn, but food price inflation is certainly still ahead of that headline inflation, which just doesn't make it any easier for you guys to be selling your product, given all the different costs you have to absorb and then trying to pass that through to the UK consumer.
12:11
Interest rates, the direction of travel, again, you know, the recent vote was very split.
12:15
I think it's the first time they've had to have a second vote.
12:19
So, you know, I think the direction of travel is down, but how quickly, it certainly looks as if it's going to be slower than maybe it was initially expected.
12:28
And wage inflation in the industry, certainly, you know, clients I'm talking to are still struggling to fill roles with the right skills and having to pay kind of relatively premium rates to get the right people.
12:42
And again, I think that hopefully the messaging is that that economic growth just starts to solidify and improve through the rest of this year and into next year.
12:52
But certainly the headwinds out there, with all of the international aspects that are going on in the world, don't make it any easier for certainly you guys on the call and members of the Food and Drink Federation to plan your business and keep it growing.
13:06
But I know you'll do a great job.
13:08
And ultimately, you know, the UK consumer and international consumer love the products you make.
13:14
We need to eat and drink.
13:15
So, you know, there is, I think, opportunities for you all moving forward.
13:20
So we're going to the next slide.
13:26
Yeah, so just on to the polls. If we can start them, Luke, that would be fantastic.
13:33
So, yeah, the first one is how confident are you in your organization's current cybersecurity measures?
13:38
So if you can all answer that question, that'd be good.
13:43
That helps to set the scene or allow the guys to understand the context of the audience today.
14:00
And we'll unveil the results after we've gone through each question, if that's okay.
14:09
So we've got the next question.
14:13
Yeah, what is your biggest cybersecurity concern right now?
14:52
How often does your organization conduct cyber risk assessments?
15:13
Thank you, Luke. I think the final one.
15:18
When was the last time the business undertook a desktop test around cyber incident response?
15:42
Thank you, Luke. Can you go back and, oh, hold on, can I, I can see that, I've got it, Luke.
15:48
So yes, the first question was how confident are you in your organization's current cybersecurity measures.
15:55
So 87% are somewhat confident.
15:59
So that sets the kind of bar in terms of I suppose awareness in terms of what that looks like.
16:06
Thanks, Luke. If you can do the next one, that'd be grand as well.
16:15
Yeah, so again, a clear favourite here or clear favourite topic should I say.
16:21
Ransomware or malware attacks is the biggest cybersecurity concern right now.
16:26
Thank you, Luke. How often does your organization conduct cyber risk assessments?
16:36
We've kind of got, I suppose, more than 50 percent that is quarterly or frequently or annually.
16:43
Forty percent are not sure how often a cyber risk assessment is conducted, so it's quite an interesting slide, that one.
16:51
On the final one, Luke, when was the last time the business undertook a desktop test around cyber incident response?
17:03
So I guess we've got.
17:06
The majority are probably more at 12 months or greater, or not done, and 17% of them in the last three months.
17:14
So top of the class to you guys.
17:16
So some really interesting, I think, poll responses.
17:21
And I think without further ado, I'll pass over to the guys to run the rest of the slides.
17:28
I'll join back in later in terms of a Q&A session for the members of the audience today.
17:34
So thanks for your attention so far, and over to Richard and Majid.
17:42
Good morning, everyone.
17:43
Just a short intro from me, I am Richard Curtis, a director in RSM's technology and cyber risk assurance team.
17:51
So we do things from cyber security and governance, cyber risk assessments, all the way to offensive security, ranging in things like cyber attack simulations and cyber incident response exercises, some of which we'll touch on today throughout the presentation.
18:10
I've spent around 25 years in various roles in IT, going from being a roaming IT support engineer to managing IT environments and advanced firewall support.
18:20
And I'm a certified ethical hacker.
18:22
So good to be chatting with you today.
18:24
Over to Majid for a short intro.
18:27
Good morning, everybody. Hi, my name is Majid Ali. I'm one of the associate directors at RSM.
18:33
I work closely with Richard and the team to kind of help our customers understand the cyber threat landscape and help them understand what mitigations and controls they can put in place to kind of mitigate against the threat that they're facing from adversarial groups or nation-states or e-crime groups.
18:51
I come from a background where I've supported public sector organizations and other international governments in helping them dissect some of the tactics and techniques being leveraged by adversaries to gain access to sensitive networks and data within their respective governments.
19:12
Thanks, and you can move to the next slide.
19:15
So on the agenda today, we'll take you through the current cyber threat landscape, understand what we can learn from cyber attacks, how to navigate third-party risk, and then finish off with some cyber considerations.
19:29
Next slide, please, Luke.
19:34
So the current cyber threat landscape: if we look at the cyber crime impact, it was projected to reach around 8.5 trillion pounds globally by 2025, and we're on track to surpass that.
19:48
It's growing at 40 percent year on year, and it's been ranked the fourth most severe current risk by the World Economic Forum.
19:58
Targeting trends, no industry is immune.
20:03
It's industry agnostic, food and drink included, and specifically vulnerable through complex supply chains and third parties, some of which we'll delve into deeper throughout the session as well.
20:15
And why is your sector at risk?
20:18
Because of the diverse interconnected operations.
20:21
You hold valuable business and consumer data.
20:26
It's highly sensitive to operational disruption, and cyber criminals know that operational disruption will include a loss in sales and an increase in revenue for themselves.
20:39
Next slide, please.
20:42
If we take a look at the current evolving cyber risk landscape, there are many different avenues. Rising connectivity, complex supply chains and reliance on automation really mean that the food and drink sector faces increasing cyber threats, things that can halt production, damage brands, and also impact your consumer trust as well.
21:05
So with regards to social media, brand damage, fake promotions, and also phishing emails that are targeting staff or customers.
21:14
If we look at the Internet of Things, there's things like smart sensors, refrigeration and production systems.
21:22
These are all vulnerable to hacking due to the non-standardization of patching and security maintenance and are generally avenues into an adequate infrastructure.
21:33
Internet transactions subject to payment fraud, supplier invoicing interception; big data analytics, theft or manipulation of production, sales or consumer data, very attractive for cyber criminals in selling data on the dark web.
21:54
Robotic process automation, so disruption or sabotage of automated production and even packaging processes, and we've seen numerous accounts of this throughout our work.
22:06
Machine learning, so compromised quality control or demand forecasting through tampered models; mobile working.
22:15
We've seen many instances where device loss or perhaps even insecure connections have exposed operational data, things like secret sauce, for example.
22:29
Under cloud computing, many times a lot of these cyber attacks in the industry related to misconfigured storage, so exposing recipes, supplier data, consumer data, contract data.
22:43
And then leading on to artificial intelligence, which we'll touch on a bit further down the line as well.
22:49
Deepfakes, AI-driven scams targeting procurement and executive teams; there is also the potential for AI to be hacked and also the potential for data to be leaked without the correct guardrails in place.
23:05
So using ChatGPT and other AI tools that you'll find available, just to improve somebody's way of working, can lead to data being lost.
23:18
So we have to ensure that the appropriate guardrails have been defined. Next slide, please, Luke. Okay, cool. So I'll take this slide.
23:29
So this is the M&S case, a case study that's probably quite relevant to many of us here in the UK.
23:36
Now, what this demonstrated for many organizations, especially in the food and beverages sector, is that what we're seeing is the threat landscape has shifted, right?
23:47
We're seeing that adversaries aren't just coming after you as an organization, they're going after vendors and platforms that you rely on and that you trust as part of your day-to-day operations.
23:58
Now, here's an interesting statistic for you, because last year we saw a surge in supply-related attacks, and 80% of those attacks didn't require malware to be deployed to an organization. And it's interesting, because one of the key challenges or threats many of you raised during the poll was that you see malware and ransomware being a threat to an organization, but what we're seeing is that threat actors are adapting their techniques, and they're using stolen credentials and legitimate tools that you use every day to gain access to your environments and your data.
24:39
Now, the threat actors are moving with great efficiency and great speed, right?
24:44
We, as an industry, we measure what we call breakout time.
24:48
So this is where an adversary is able to gain access to a system and then laterally move across that network to gain access to various systems within an environment.
25:00
Now, every year, the industry measures that breakout time metric, and last year it was about 48 minutes, and year on year, we'll see that metric go down further and further.
25:11
Now, what's interesting is that the fastest metric that we've seen within cyber, where adversaries have been able to compromise a system and then laterally move across the organization, is about 51 seconds, and that's less time than it will take for me to actually finish this slide, right?
25:29
Now, Marks & Spencer, for example, was a very public example.
25:33
It wasn't a case where an attacker was directly targeting M&S to gain access. Instead, the breach came through a payroll provider.
25:42
Many of you will use an external payroll provider or some of your subsidiaries will use other suppliers that offer these kind of services.
25:53
And it was that supplier that was using a vulnerable piece of software, and they ran a global campaign to scan the internet for exposed instances of this software.
26:04
They exploited it at scale and started stealing data from multiple organizations, not just Marks and Spencer.
26:11
So for M&S this actually meant personal and financial data of its employees and customers was exposed.
26:21
What's interesting is that there was no ransomware encryption of systems. There was no ransomware demands. This was a pure and simple theft of data.
26:32
This meant for Marks and Spencer the financial impact as a result of this incident was in the region of about 300 million pounds.
26:41
It stopped their operations at scale, eroded customer trust, and really started to identify gaps in third-party oversight.
26:53
Now, this is the new reality that we're waking up to: identity-driven and supply-chain-led attacks aren't just starting to shape the threat landscape that we're facing and you're facing, they're actually starting to define it.
27:10
Next slide, Luke, please.
27:15
Thanks, Majid. Yeah, as Majid mentioned, according to the poll data the biggest worry was ransomware, whereas 92% of all cyber attacks are the result of human error.
27:28
So cyber criminals will take advantage of the human trust factor and use that to either steal credentials or infect with malware.
27:41
But moving on to building resilience, we need to secure the supply chain, as Majid was alluding to.
27:46
Breaches such as the M&S one don't necessarily happen through their own systems but through trusted vendors who have access to networks.
27:55
So you need to treat supplier risk as its own risk.
27:59
Timely patching, threat intelligence is critical.
28:03
If we look at vulnerability management, the vulnerability in that M&S case was exploited within hours.
28:09
So it shows the importance of continuous patch management and the ability for your third parties to demonstrate that that's in place. Also, to prepare for the inevitable.
28:20
The speed of these attacks means that response times must be rehearsed continuously.
28:26
We often do cyber incident response exercises on a range of different types of cyber scenarios. So, data theft, ransomware, and so on.
28:35
And the response needs to be different for each of these in order to be the most efficient.
28:40
Include your third parties in your test plans, as well as internal teams like legal and finance, just to ensure that the whole business is responding to the attack in an efficient manner.
28:53
Looking at encryption, limit what is shared with third parties, ensure that data is encrypted at rest and in transit, and also assume that any third party can be breached.
29:05
Under identity, enforcing things like multi-factor authentication goes a long way to reducing the risk of a cyber attack, restricting privileged user access as well, and also monitoring for unusual login behavior.
29:21
And something we'll touch on later with AI: there are tools that, for example, take a receptionist account.
29:28
Let's just assume that the lady at reception works from 9 a.m. to 1 p.m.
29:35
and Monday to Friday; the AI tool in the background learns the sort of method of login and her usual patterns.
29:46
All of a sudden, that account is used at 1 a.m. on a Sunday.
29:49
The system can automatically recognize that this seems malicious and block that type of cyber attack attempt.
29:59
So using AI will definitely help going forward as well.
30:04
Communication, so when something does go wrong, how you respond is critical.
30:08
Clear and honest communication with stakeholders and authorities will help protect brands, consumer trust, and it also shows maturity as well.
30:17
And then building resilience, assume you will be breached. This helps better safeguard the environments. It's not if, it's when.
30:26
Don't just rely on certifications.
30:29
Continuously review, adapt, evaluate, and mature your security responses. Next slide, please, Luke. Yeah, so cyber attacks, over to Majid.
30:45
So, I mean, some of the stuff that we're talking about in these slides isn't just theory, right? We're seeing the same playbook hit multiple industry verticals, and food and beverage, like Richard mentioned, is not immune from cyber attack, right, because we only have to look at nation-states as an example.
31:05
China being a great example, they are, you know, focused on every single industry vertical to get a political and economic and financial edge over those in those verticals.
31:19
We only have to look at some of the more recent attacks that happened over the last few years.
31:25
So we know that JBS, the world's largest meat producer, what's interesting about this one is that they were actually forced to close plants across three continents.
31:35
And in order to get operations back online, they had to pay a ransom of about $11 million. And that was just to get operations back online.
31:47
That didn't take into consideration the rebuilding of the environments, the confidence in consumers, the confidence in shareholders and stakeholders. We saw other examples. We saw Dole and KP Snacks.
31:59
We saw products starting to disappear from shelves.
32:03
We saw with KP Snacks, we saw the crippling of their distribution line.
32:07
So they had all these products in warehouses and distribution centers, but they couldn't get them out to retailers.
32:14
Consumers started to notice shortages in certain products.
32:18
We saw with the Yum group as another prime example, in one single day, they had to close 300 restaurants as a result of a ransomware attack against their environments.
32:30
Now, what, again, what's interesting is, you know, what do all these threat actors have in common, whether it's nation state, whether it's e-crime or hacktivist, or whether it's a disgruntled employee or just an individual, you know, trying their skills?
32:48
The commonality is that they're fast and efficient.
32:53
They are financially motivated individuals or groups of individuals.
32:58
Ransomware and breaches are actually seen as a profit, you know, as a business model.
33:04
So many of you will have a profit and loss.
33:07
You can relate to, they relate to this, right?
33:10
What will bring in a profit for them.
33:12
They will adapt their business models to the industry that they're attacking.
33:18
We're also seeing an uptake in the services of access brokers.
33:22
Access brokers are typically your GoCompare kind of supermarket, kind of online comparison, right?
33:28
Where they'll sell you stolen credentials at a premium, or they will sell you bulk credentials for a few thousand dollars.
33:37
And again, these are legitimate credentials for leading FTSE 100, 250 type of organizations that will give them access.
33:46
Now, there is a concept which I often talk to customers about: if I was to sum up the threat groups, I would sum them up as they don't break in anymore.
33:59
They just simply log in, right?
34:01
They'll just take one credential or one compromised supplier and turn that into leverage.
34:05
They'll steal data. They'll stop production lines. They'll make it hurt so much so that you're forced to pay, right?
34:14
And we as an organization and the UK government will never encourage organizations to pay ransoms, because that will just, that will kind of motivate other groups to carry out these attacks. They are moving with great speed and efficiency.
34:28
They're moving in stealth, you know, and again, going back to the poll, they're deploying less and less malware to gain access to environments than they were before.
34:40
So what does this mean to you guys within food and beverages, right?
34:46
It's not just about your IT systems being down, right?
34:51
It's a disruption to your production, to your logistics, and ultimately winds up on the shelves for consumers.
35:00
And recently, a few months ago, I was speaking to a customer, and we were talking about financial and brand damage and what that means.
35:12
And one of the things that resonates well with organizations is that we can't measure these types of incidents in days.
35:20
We often now look at measuring these both financially and brand damage in years.
35:27
And that's how long it's taking organizations to recover from a cyber incident.
35:36
Next slide, please, Luke.
35:39
So let's take a look at some of the prevalent cyber attacks or the different types of cyber attacks.
35:45
We have malware and ransomware, which is malicious software that really encrypts or steals data and can halt operations until a ransom is paid or the cyber criminals benefit financially.
36:00
Interesting to note, not all cyber attacks are targeted.
36:03
So sometimes it's kind of like throwing a rod in the ocean and hoping you'll catch somebody.
36:09
So there's obviously the different avenue of cyber attack.
36:13
Then there is a service called ransomware as a service.
36:19
And previously ransomware was only for the really skilled.
36:23
Now anybody can communicate with these service providers and target a specific entity with ransomware and benefit financially, with the provider then taking a percentage of the fees or a cut as well.
36:38
So like software as a service, there is ransomware as a service.
36:43
Moving on to phishing and whaling: these are deceptive emails that are targeting staff or executives to steal credentials or authorize payments, and they're very good.
36:56
They're crafted with the same corporate logos.
36:59
It's very difficult to spot a fake or fraud email these days.
37:04
The links also seem legitimate, and there are tools that can be implemented, email security tools, to prevent this.
37:14
However, this is the main avenue for taking advantage of not having a correct security culture within an organization.
37:24
Insiders, so employees or contractors who either intentionally or accidentally cause data loss or security breaches. And we've dealt with some cyber attacks where it came in via somebody from the inside, and they were actually wanting to be malicious but owed money to a group, and this group then asked them to plug a USB device inside the computer to release some of their debts, which they did, and that's where the cyber attack came from.
37:56
So many different avenues.
37:58
Third party risks, obviously vulnerabilities introduced through suppliers, partners and outsourced services.
38:04
Another area, you might use an outsourced service provider.
38:07
If there's a shared account that these technicians use to log into your systems, is there a change when one of their staff leaves?
38:15
And we've had issues like this in the past, where an outsourced provider had staff and some of the staff left, but the password was never rotated.
38:26
That staff member that left the employment of the organization still had access to the client's environment.
38:32
And then system vulnerabilities, which are weaknesses in software, hardware, or even configurations that attackers can exploit.
38:40
And the way you identify these is vulnerability scanning, application testing, penetration testing, and that should be done at least annually or on the introduction of a new application or web service, just to ensure that that attack surface has been hardened and locked down from the public internet.
39:02
Next slide, please.
39:08
In food and drink, AI can obviously transform forecasting, production efficiency, customer enrichment, but obviously without the right controls it can really be easily turned against you. So use cases and benefits.
39:24
It can enhance customer experience through personalization.
39:29
It can help boost efficiency in production, logistics, and admin.
39:35
There's an improved forecasting for demand, supply, and maintenance.
39:40
And if we look at the dependencies, AI relies on large data sets, quality data sets, and having governance and guardrails is crucial to ensure that the use of it is ethical, that it is reviewed and monitored correctly by staff as well, and to understand and manage sector-specific risks before the deployment of AI.
40:08
If we look at the cyber threats impact, AI increases the attack scale and sophistication.
40:14
So criminals are using AI for phishing fraud and deepfakes.
40:19
You've seen those deepfake notes.
40:21
We've actually seen one that a client has received, and it was a video from the CFO requesting a payment change to be made.
40:31
They add a sense of urgency, because it then makes humans not follow the controls, or standard payment controls. And in this instance, it was bypassed and a payment was made.
40:43
So, sticking to controls, reviewing things: if you're unsure about something, pick up the phone and speak to the person. AI systems themselves can also be targeted and manipulated.
40:56
So staff without the correct guardrails could be typing information into an AI, a gen-based AI tool, in order to get some efficiencies or to help them with a bit of data.
41:08
And that can be stolen on the internet.
41:14
Next slide, please.
41:17
Over to you, Majid.
41:19
Cool, so here's a challenge, right?
41:23
Within our organization, within our respective organizations, we're gonna have a top tier of third parties.
41:29
And these are critical third parties that are critical to your day-to-day operations, and we tend to know who these third parties are.
41:42
When we start lifting the hood and start looking at the lower tiers, what we find is our top tier suppliers may be about 100 or 200 suppliers.
41:51
But when we start looking at the lower tiers, we obviously then start identifying more and more involved in our day-to-day operations, and this number typically starts to explode, right? So you then look at about thousands of suppliers involved in your day-to-day operations.
42:07
Now what's important is that not all of these suppliers are equal, right? But the reality is that all of these suppliers are connected into your environment in ways that actually matter and could have a consequence as a result of them being breached.
42:25
We need to take a step back and look at this from a pragmatic approach.
42:29
We need to understand the supplier criticality. Which suppliers hold your sensitive data?
42:35
Which of those suppliers has access to the data and which of those suppliers could take you down as an organization if they're compromised?
42:44
Now many times our procurement teams will rely on questionnaires as a means to gain a level of assurance on the security controls of our suppliers, and they're good to a degree.
42:59
Certifications are also a good start but again they will only cover a small subset of the controls that the supplier looks after on your behalf.
43:10
We, and you guys as an industry, need to start verifying some of the information that's coming back from our suppliers.
43:16
We can't just assume everything at face value on paper that they're secure.
43:24
If there's one thing I would encourage you to take away from the last couple of slides I've talked about, it is this: remember that your suppliers, and the threats that your suppliers are facing, are actually now your threats by extension.
43:42
And many of us struggle identifying the threats in our own environment; we now have a new instance where we have to take into consideration the threats our suppliers are facing, because they could have a technical or material impact on our organisation.
44:03
We also need to have visibility across our data lifecycle.
44:07
So everywhere your data has been, is today or will be tomorrow, you need to be able to have control over that data. Who can access it? How do you limit access?
44:20
How do you monitor the tools that are being used to it?
44:24
And more importantly, do you have the mechanisms and controls in place to sever that connection between you and the supplier in the event that they get breached?
44:35
And then finally, Rich talked about the concept of... And I think this is a really important concept to kind of look at, because we can't assume we're secure because we have a certification or we have the latest and greatest tools.
44:54
You have to assume a compromise will occur and this will feed directly into your maturity within the organization from a cyber perspective.
45:04
Your incident response plans should also... really importantly, third parties are critical as part of your incident response plan.
45:14
And you should, as part of your rehearsals, as part of your tabletop exercises, include your third party scenarios into those exercises.
45:24
And then finally, the goal of these exercises and the involvement of third parties is really to limit the blast radius before a breach can happen.
45:34
And that's really how we turn a potential catastrophe that many organizations have faced into a really manageable security incident that you and your stakeholders have trusted and can manage quite easily and comfortably.
45:51
Next slide, Luke, please.
45:55
Thanks, just to finish off with some cyber considerations.
46:00
So as we said, 92% of all cyber attacks are the result of human error.
46:05
So it's critical to create a security culture within the organization and train staff beyond the basics, focus on phishing, social engineering, and sector specific risks. Update and patch software, so ensure that all systems are covered.
46:23
Generally, and what we've noticed in the sector, there's a good approach to patch management for the IT side, but for operational technology, the processes for maintenance, security maintenance and management aren't up to scratch in certain areas. So ensure that patching regimes cover both IT and operational technology as well.
46:45
Third party management: assessing supplier security, setting the clear requirements, as Majid was alluding to, and then also regular monitoring, monitoring compliance, annual due diligence checks. With detection and response: have processes, test the playbooks, have tools to identify security breaches, ensure the staff know how to make use of those tools, and ensure that you have sort of playbooks or runbooks for a range of attack types, so that your response can be as effective as possible.
47:22
And cyber insurance: ensure coverage matches your business needs and that there are claims processes that are fast and reliable. Also, it's important to note cyber insurance doesn't mean that you're immune to cyber attack; it's just going to help manage the fallout in the response in the event of a cyber attack. Next slide, please. So some final thoughts, and a bit of repetition just to drive home some points. In food and drink, resilience means protecting every link in the chain.
47:56
So basically from farm to fork it needs to be secured so that operations stay running, customers can stay safe, and trust stays intact. As we said, build your cyber awareness.
48:10
Know and meet regulatory and customer expectations, especially for exports or international operations.
48:17
Build strong and robust foundations, understand your cyber risks, understand the roles and responsibilities, assign clear ownership of those roles and risks, and use proven frameworks to implement controls.
48:33
There's no need to reinvent the wheel. Monitor against the evolving landscape.
48:40
Understand your cyber data footprint.
48:42
So, map all your third parties as Majid was alluding to, your suppliers and your data flows.
48:48
You can't protect data assets if you don't know where they are or where your data exists.
48:54
See your data value from an attacker's perspective.
48:57
What would they target?
48:59
How would it be of value to them?
49:01
That will help you redesign some of or improve some of your security programs.
49:05
And then conduct regular reviews.
49:09
Perform incident response exercises.
49:13
You can design them on a range of different incident types, and as I said, the response is different in all of these different types.
49:19
A response for data breach or for ransomware is completely different.
49:26
Set clear expectations and be prepared.
49:29
Your policies and procedures must be practical and relevant.
49:33
Avoid generic boilerplate texts.
49:36
As I mentioned, have a cyber incident response plan in place and test the multiple scenarios and make resilience a cultural habit.
49:45
Keep cyber security front of mind, with regular training and reminders, and create that security culture.
49:52
If somebody's made a mistake and they've clicked on a link, make sure that they're not afraid to let you know; share that culture around the organization.
50:05
Thank you very much, Richard and Majid. Quite a sobering presentation, I would say, and hopefully lots of sort of food for thought and some great insights. I know from particular experience, you know, you've worked with a number of our food and drink clients across the UK and have given them, you know, some great support in terms of how to prepare for something that feels like there's an inevitability that something will happen, and it's how you'd react at that point. So thank you very much for that presentation.
50:43
The slides will be shared afterwards with everyone who's signed up and attended as well.
50:48
But we've got a little bit of time for some Q &A. So there are some questions.
50:55
I think you'll be able to put questions into the chat function. Yep, some more are coming through.
51:01
So first question is, how do you measure the level of secureness or become certified to a level?
51:13
Sorry, what was the last part? How do you measure the level of secureness?
51:16
How do you measure the level of secureness?
51:19
And I guess that's in the context of being secure against a cyber threat or become certified to a level.
51:26
So I think that's meaning certified to a level in terms of your defences?
51:33
That's a very good question.
51:35
There are multiple frameworks and certifications that can be achieved.
51:39
So for example, Cyber Essentials, and that's really in the name.
51:44
It looks at the essentials to ensure that you're providing some basic control to protect data security.
51:52
Then there are frameworks like NIST maturity and ISO 27001 that really will demonstrate that your organization has taken advanced measures to ensure that there are proper IT controls and a framework in place to secure the environment.
52:12
Okay, thank you very much.
52:14
Next question is, how can SMEs build cyber resilience without the budget or in-house resources of larger businesses?
52:29
It's very challenging. Cyber security isn't cheap.
52:34
However, there are many tools; a lot of the systems that are in use nowadays are software as a service.
52:43
Half of those utilities and services and features, the security features that are included with it, are not actually utilized.
52:50
Generally, the system will be implemented and it's the base configuration that's used.
52:55
There doesn't need to be more outlay, but those can be configured and enhanced, security controls adjusted, and it will greatly increase the security response.
53:07
AI can also help with understanding legislative and regulatory requirements, and it will help with better policy and procedure, and it will help you to identify what should be protected.
53:19
Obviously, you would need to have somebody trusted within IT that can guide you in the correct direction as well.
53:26
Thank you, and I guess, coming back to your point, a lot of this is human error, so it's actually raising the awareness of the need to be vigilant for, as you say, some form of phishing-type attack, which is something that, I guess, doesn't cost money as such.
53:43
It's just, I guess, engendering that kind of perspective across the whole organization.
53:49
So as you say, any organization can do that.
53:56
I'll just add to that if I may as well.
53:59
I was just going to say, I mean, certifications are great as well.
54:03
I think it's also imperative, as part of any certification or initiative, to make sure that you've got your senior management team on board, right?
54:10
They need to understand, you know, they've got strategic aims and objectives of what they need to do at their level and what they're trying to secure.
54:20
So you need to be able to articulate the risk in terminology that they understand because they're not going to understand everything and all the acronyms associated with cyber.
54:31
You know, your CFO wants to understand it from a financial impact, you know, brand image from your marketing leads and stuff like that.
54:40
So make sure you include your executive team as part of any initiative related to cyber, or actually any technology initiative, right, because they want to be able to see a return, right? Yeah, that makes sense. Thank you.
54:56
Another question for you.
54:57
Have you seen any good examples of organizations that have assessed their supplier base to give a view of cyber resilience from field to fork?
55:10
And if so, what are the key things they're doing differently? So yeah, I'll start with this. Majid, you can jump in if you have anything to say.
55:22
Yes, we've seen some standardized due diligence processes that will include a standardized checklist for cybersecurity minimum requirements.
55:34
So does the third party that you're conducting business with hold something like Cyber Essentials or ISO 27001?
55:42
If it's a data center, do they have SOC Type 1 and Type 2 certifications in place, which means that they've had an independent third party verify that their environment meets certain security requirements?
55:56
And there are systems that will continuously analyze and conduct dark web searches against specific third parties.
56:05
It will examine if they maintain their certification status, which needs to be renewed each financial year or each annual year as well.
56:15
And the only other thing I would add to that is, and those points are exactly the same points I was going to come out with, but I think there is a different dynamic as well.
56:28
As organizations, you need to make sure that your suppliers contractually understand what their requirements are.
56:35
There need to be roles and responsibilities between you as a customer and your suppliers, and it needs to be written into contracts or addendums to contracts that they need to maintain a level of maturity and resilience when it comes to cyber, right?
56:51
Don't be afraid to include that as part of your procurement life cycles or include that into your contracts with existing customers.
57:01
And then finally, don't be shy to ask your security teams to kind of conduct a mini audit with your suppliers, you know, where they can have a workshop and understand what their maturity levels are, because paper's great, but unless you kind of do that extra bit of validation, I think that's where the disconnect is sometimes when we speak to organizations. Building audit rights into contracts, yeah. Thank you, thank you.
57:30
I think we've got time for one last question.
57:33
Given the pressure on margins in the industry, where should we prioritise investment, preventing attacks or responding to them?
57:47
I think a balanced approach works best. So prevention is generally more cost-effective, especially for common threats like phishing, weak passwords and outdated systems.
57:58
However, response capability, like testing backups, simulated incident response exercises and trained staff, ensures you can recover quickly when prevention fails.
58:10
So I think all areas need to be looked at, but a balanced approach works best.
58:17
OK, thank you very much.
58:19
Can you just put the slides on to the last slide, please?
58:29
So there's a QR code which gives you access to our cybersecurity report, which is really informative.
58:36
In addition to the slides that we'll share shortly with you.
58:40
So I think that's us, bang on time, 11 o'clock.
58:44
So thank you very much for your attendance today.
58:48
I certainly always find these sessions informative.
58:52
I learned far more about the depth and breadth in terms of how we are working with clients, but also, you know, from what I've heard with clients across the food and drink sector, this is a concern.
59:02
So hopefully what it's done is it's given you some more insights, maybe a lead, maybe allow you to focus on what you can do next.
59:08
And as ever, we'd be delighted to talk further, either to share deeper insights or engage to support in some way.
59:15
So please bear us in mind for audit, tax and consulting that we can do to help.
59:21
So thank you very much, and we will see you again very soon.
59:26
If you can just close it out, that'd be great.
59:29
Thank you. Thank you.