Cybersecurity has for years been a concern way down the food chain for produce companies, relegated to a topic of relatively minor importance when compared with the pandemic-driven logistics crisis, the rising cost of inputs and much more. But the sector’s vulnerabilities came into the spotlight in February of 2023 when Dole plc — an industry behemoth — made headlines for reasons its executives scarcely could have imagined.
A cyberattack, which took the form of a ransomware hack, resulted in the temporary closure of production plants in the United States, shutting down some of the company’s supply systems, according to a memo issued by Dole to grocery retailers on Feb. 10 and first reported by CNN. Although the company noted the impact was limited, there were reportedly days of shortages of Dole salad kits and other products in several U.S. states.
A subsequent filing with the US Securities and Exchange Commission on March 7 revealed the attack had also caused disruption to Dole’s Chilean production-export arm and its fresh vegetables division. It also admitted that employee information had been compromised by the security breach. In its first-quarter earnings report published in mid-May, the company said the ransomware attack cost $10.5 million in direct costs.
That incident is not isolated in the sector. In May, Fresh Del Monte Produce — another giant of the produce industry — notified employees of a recent data breach following a cyberattack. It said an unauthorized party was able to access parts of the company’s computer network, including certain files containing confidential employee information.
If two of the biggest companies in the industry with vast resources are vulnerable to cyberattacks, it is likely that many other organizations are also at risk.
The Cyber Challenge
For Greg Gatzke, president and founder of San Jose, CA-based ZAG Technical Services, an information technology consulting firm, the need to implement cybersecurity for any company working within the produce sector is now critical. “If we think about our industry, products don’t get fresher,” he says. “You’re on a timeline. If you’re not able to produce, ship and deliver, you are losing that store time. So, it is extremely critical.”
Gatzke — who founded ZAG in 1998 to provide support for companies in the form of IT infrastructure, security work and business intelligence — has worked almost exclusively with the agriculture sector since 2006, having come from a farming family in Wisconsin himself. As such, he is concerned that although larger companies now appear to be taking cyber threats seriously, smaller producers still appear to be largely ignorant of the danger.
“Agriculture has a lowest-cost, small margin, fast turnover of product,” notes Gatzke. “Everything is designed to be against cybersecurity, because who has the extra dollars to spend on it? But will the customers pay for it because they are always driving margins down?”
Sem Ponnambalam, president of Xahive, another cybersecurity specialist, argues that protection from malicious cyberattacks should be taken extremely seriously by the produce industry, especially from a food-security perspective.
Rather than simply being viewed as the domain of a company’s IT department, Ponnambalam says consideration of security at a cyber level needs to become embedded in the overall governance of a business. “I don’t think many companies understand the importance of cybersecurity,” she says. “So much of production now depends on IT, and with the introduction of AI, companies have to be extremely careful.”
Much like the ransomware used in the Dole attack, criminals will typically try to gain control of companies’ systems from the exterior. If tactics — such as malware disguised as legitimate emails — are successful, their first step will be to encrypt the system so the target is unable to access it.
The result in many cases, says Gatzke, is an Enterprise Resource Planning (ERP) system — which organizations use to manage day-to-day business activities — that is unusable, in addition to employees not being able to access their emails and the failing of basic functions across the business. “Without computers, you can’t print labels, you can’t invoice, you’re not able to communicate with your customers via email: It’s a total outage,” he explains.
Although Electronic Data Interchange (EDI) — the electronic interchange of business information — has enabled the produce industry as a whole to become much more efficient, the reliance of companies on such systems means that if EDI communications are taken down by a cyberattack, a business can become untenable. For smaller companies in particular, an attack can leave them unable to place or process orders, in effect placing them in limbo.
A further tactic used by fraudsters is to seek personal identifiable information, such as social security numbers, and threaten to release it publicly. Personal employee details were again targeted in the February 2023 cyberattack on Dole.
Cyber Safety Recommendations
So what can companies do to protect themselves or — if the worst happens — ensure they can get back up and running within the shortest period of time? As a first step, Ponnambalam recommends sensitive, personal information, such as financial details, be encrypted, which puts such details far from the easy reach of cyber-criminals. “If a server gets breached, the presence of unencrypted data leaves a company wide open to fraud,” she says. Secondly, Ponnambalam suggests businesses large and small consider taking out cyber insurance to ensure that if they do suffer a cyberattack, the financial consequences are not catastrophic.
However, she says a lack of sufficient communication at all levels of a company can impede the effective implementation of cybersecurity strategies. “Oftentimes, a lot of organizations will provide information to IT teams or senior management about suspected breaches, but will forget to notify employees and third parties,” says Ponnambalam. “There needs to be communication throughout companies and across the supply chain.”
Gatzke says companies need to focus on stopping cybersecurity breaches and, if they do take place, to try and recover within 24 hours or less. “Beyond 24 hours, you are impacting your ability to produce, to support your clients — and you are putting your company at risk because other people may swoop in and take some business,” he says.
More severe impacts, notes Gatzke, can range from distributors being impacted through a shortage of programmed produce for restaurants that won’t be able to open. “Generally, we see people being able to recover in 24 hours, and it becomes more of a flesh wound than something that truly impacts a business, but we have seen companies take 10-14 days and in those cases, it can become transformational for those organizations in a bad way,” he says.
Owners need to understand they are not just dependent on IT, but that their businesses cannot function without it, says Gatzke. “IT is about ensuring business continuity,” he says. “Engaging with IT will help ensure the future of your business, so that if you are hit, you can recover within 24 hours.”
Gatzke also recommends training ‘across the board’ to facilitate a better understanding of IT processes companywide in order to ensure the right setup is in place for protection if an attack occurs. “People make mistakes, and those mistakes are oftentimes how criminals get in,” he says. “IT professionals sometimes say that ‘users are the weakest link,’ but in reality, they should be the first line of defense.”
According to ZAG Technical Services, companies should also use Multi-factor Authentication (MFA) everywhere within the organization to significantly mitigate unauthorized account and network access attempts. By requiring multiple forms of verification, MFA makes it significantly harder for intruders to gain access to systems, thereby enhancing the security of sensitive data.
Regularly backing up data and taking system snapshots is another crucial preventive measure. The ability to restore your systems within 24 hours of a cyber incident significantly reduces the potential damage and downtime. This approach ensures that even in the event of a severe cyber incident, your business can quickly bounce back to normal operations.
Protecting systems also involves deploying robust defense mechanisms such as antivirus software, anti-malware programs, and website or Domain Name System (DNS) filtering. These tools act as gatekeepers, detecting and eliminating potential threats before they can infiltrate your systems and cause harm. Similarly, implementing free solutions like Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) can significantly reduce phishing attacks. Equally important is keeping systems patched and up to date, treating them like any other piece of equipment that requires regular maintenance. Patching systems help fix vulnerabilities that hackers might exploit.
Moreover, creating a disaster recovery plan that includes procedures for natural disasters, power outages and hardware failures ensures the continuity of operations even under unforeseen circumstances. Organizations should also have an incident response plan in place. Such a plan, which should be thoroughly tested, helps manage the response to a cyber incident promptly and effectively, minimizing potential damage.
Using advanced passwords is another significant step. Additionally, using a unique password for each account decreases the risk of multiple accounts being compromised if one password is cracked.
Finally, supply chain risk assessments are crucial, as companies’ cybersecurity posture is only as strong as their weakest link. Even if your own cybersecurity measures are robust, weak security in your suppliers’ networks can expose your systems to attacks. Therefore, regularly checking your suppliers’ cybersecurity practices should be part of your cybersecurity routine.
Signs for Optimism
With – in Gatzke’s words – a “continuous stream” of cyber-incidents now occurring across the produce industry, there is evidence businesses are making protecting themselves against such threats more of a priority. However, at the same time, he says that such threats still need to be taken more seriously at a senior, boardroom level to ensure businesses can survive and recover in time to suffer no ill effects.
Like Ponnambalam, Gatzke thinks a simple lack of knowledge may be hindering the adoption of cybersecurity technologies on the small producer side, and here he says the presence of the ProduceSupply.org (PSO) may be helpful. A consortium of North American produce suppliers that aims to facilitate technology adoption in the supply chain, the PSO has issued a series of cybersecurity guidelines written in plain English, which Gatzke thinks form a good starting point for any company looking to improve cybersecurity.
“One trend I like is that people are getting less embarrassed about cybersecurity breaches, because they are seeing large companies get hit, and they are seeing the U.S. government get hit,” he says. “We need to get rid of that shame factor because that’s how we can get stronger. Criminals use the same tack over and over. If we share that publicly, we can achieve that strength.”
Failure to act, says Gatzke, can lead to a loss of ability to produce, a loss of ability to ship with the right labels, sky-high legal fees, and overall recovery costs that can easily run into millions. “My belief is it’s critical to take the right steps to ensure criminals don’t get in,” he adds. “And then if they do, it’s doubly critical to be able to recover quickly.”