Are food defence programmes ready for Quality 4.0? Perhaps not, given the findings of a recent seminar poll by global assurance provider, LRQA.
Over 80% of businesses that attended now use one or more technologies across their food safety programs, with serious implications for cybersecurity, according to LRQA’s expert team.
“It’s clear that the way we collect, manage and share information is changing fast – but every time a door opens into operations, a layer of risk is added,” says Kimberly Carey Coffin, LRQA’s Global Technical Director for Supply Chain Assurance.
Cybersecurity specialists at Nettitude – an LRQA company – agree. “There is often little or no operational control over how these technologies are configured, secured or updated,” warns Stuart Wright, Head of Governance Risk and Compliance. “Food safety teams need to ask, is this vendor reliable and sustainable, or could they be a stepping-stone into our cyber environment?”
In 60% of cases, delegates looked to IT and Security teams to manage cyber risk, but this creates a potential blind spot for food safety, says Kimberly.
“Where they pertain to a food safety environment, cyber risks should not be delegated,” she says. “It can feel like the obvious move, but the focus for IT will be on systems availability and functionality - not the risk impact on confidential information such as IP, labelling, recipes, or a breach where data is relied on for food safety due diligence. The impact of cyber risk on products, processes and the safety of food has to be understood and managed and ultimately that means food safety professionals being accountable.”
Two-thirds of companies that joined the seminar are not currently testing food defense programs for cyber impact – a big mistake, according to Stuart.
“If the requirements for managing and protecting data aren’t properly defined and tested, you cannot expect the controls in place to be effective,” he explains. “Response plans used to focus exclusively on recovering IT infrastructure, but organizations are now doing a better job of incorporating cyber incident response elements. Even so, those cyber incident response plans are rarely followed to the letter and almost always come up short when forced into use.
“Testing is the only way to address this – using scenario playbooks to replicate a true, enterprise-wide response. Make it feel real. How did you cope? Where were the gaps? Then adjust plans as a result.”
Kimberly agrees. “Cyber risk affects every sector – we’re kidding ourselves if we think food is an exception – and in the food safety domain, the failure to protect technology and data from compromise, very quickly, can mean a failure to protect products, brands and ultimately, the consumer.”
As data and technology change the landscape, it’s clear that food safety professionals will need to take more ownership of the related risks. Through the Global Food Safety Initiative (GFSI), a framework exists that can be used to address all risks, not just the traditional ones. It’s time for cyber to get the attention it deserves.