Industry experts have a word of warning for food industry leaders in 2025: your business is susceptible to cybersecurity attacks.
In 2023 alone, the U.S. food and agriculture industry was hit with no less than 167 ransomware attacks, according to a report by The Food and Agriculture-Information Sharing and Analysis Center.
“With limited resources and a lack of cybersecurity expertise, the food industry is vulnerable to cybersecurity attacks that can cause deadly results. This comes as global conflicts rise and malicious actors target critical infrastructure,” noted Matthew Taylor and Tony Giles, senior executives with NSF, a global public health and safety organization.
Recent examples of F&B companies impacted by cybersecurity incidents include:
- Jollibee’s data breach, which impacted other food retailers
- Panda Express’s cyber attack
- Stop & Shop’s cybersecurity incident in November, which impacted the supply chain
- Starbucks is dealing with the aftermath of a ransomware attack on Blue Yonder, the company it relies on for its payment and scheduling software
Cyberattacks and data privacy breaches can, of course, result in a business’s reputational harm, not to mention weakened engagement and operational disruptions. In the F&B world, cyberattacks could impact new product line details, marketing plans, employee information or client lists, delay production schedules, and leak sensitive information.
Lack of staff security and awareness training are among the leading cybersecurity risks these days, experts note.
“Some organizations don’t know how or where to start to protect themselves, even reusing passwords, exposing them to a breach,” NSF noted in a statement sent to The Food Institute.
Experts’ suggestions for building a cost-effective cybersecurity program include the following:
Verify the identity of those you correspond with. Doing so, after all, significantly reduces the risk of phishing attacks (where a known customer’s email is spoofed to request payment to a new account number) or fraudulent purchase orders.
“Picking up the phone and making a call – either to the person you’ve been dealing with in the case of a phishing attack or to the main company number and requesting to be transferred to the buying agent – can prevent financial losses,” said JJ Van Aman, vice president of sales with Coughlin Insurance Services. “We have seen these phone calls save hundreds of thousands of dollars.”
Implement robust access controls. Ensure that only the bare minimum number of employees have access to critical controls. This makes it easier to identify anyone who isn’t following cybersecurity rules and to enforce additional training, NSF noted.
Promptly apply patches and updates. Your business’s IT leader must ensure all assets, including laptops, servers and firewalls, are quickly fixed when necessary – and updated.
Mandate unique passwords. Passwords should have a combination of uppercase and lowercase letters, special characters, and numbers. Additionally, businesses should use multi-factor authentication (MFA) for all employees accessing digital platforms. Enforce a schedule for MFA updates and changing passwords regularly (NSF suggests at least twice per year).
Prepare for the worst. Include a cybersecurity plan in your risk management and business continuity plans. Conduct practice drills to make sure every team member understands their duties and can execute them during an incident.
Several free resources are available to the F&B industry, such as KnowBe4 cybersecurity training and NSF CyberSecure – software that helps businesses pinpoint where their current security stands and where it may need additional protections.
“People often rush through their tasks and forget to follow the security measures,” Van Aman noted. “Regular training sessions to maintain awareness are key to preventing cyber-attacks.”
Some third-parties offer ISO/IEC 27001 certification, which provides a framework for managing cybersecurity risks.
“Investing in information security can lead to significant cost savings,” NSF’s Taylor and Giles noted. “Companies should regularly test their cybersecurity plan to ensure it’s comprehensive and prepare for potential breaches and attacks.”
The Food Institute Podcast
How does one ride the skate ramp in CPG? Dr. James Richardson, author of Ramping Your Brand and owner of Premium Growth Solutions, shares some of the pitfalls many early-stage CPG brands make, and highlights some of the pathways to success.
