Last October, I had the privilege of discussing basic steps to help businesses protect themselves from a cybersecurity attack, as well as outlining the threats that directly impact the fresh produce industry.
The bottom line: There is a significant chance that your business will experience a breach. In fact, 61 percent of all small and midsize businesses have reported at least one cyberattack during the previous year.
What’s more, a recent study from Cisco found that 40 percent of the small businesses that faced a severe cyberattack experienced at least eight hours of downtime. And in the perishable world of fresh produce, this kind of down time is significant and may give competitors an opportunity to win business.
The solution is having a plan in place to deal with an incident with minimal downtime in your production, also known as incident response (IR) planning.
What is an IR Plan?
The IR Plan is a playbook for how your organization will respond to a disaster. A disaster can take many forms ranging from a sustained power outage at a data center to a criminal attack.
Creating a plan involves planning for the worst possible situation. For example, a cryptolocking event is where criminals lock you out of your technology systems unless you meet demands, such as paying a ransom. This is what happened in the Colonial Pipeline attack that happened early last year, which shut down production and resulted in shortages.
IR planning often goes together with disaster recovery planning, which is a step-by-step approach for preparedness for teams in charge of technology systems. Typically, this is written down and tested to ensure that in the event it is needed, each department knows exactly what they need to be doing to ensure the company can recover quickly and efficiently with minimal downtime.
Key Components
While each organization will vary based on their individual needs and abilities, the following are some key items to include in a written IR plan:
Internal Communication. When an incident occurs, clear communication is critical. You must communicate effectively to your employees about the next steps and how this will affect their ability to get their job done. They must understand the scope of the disaster and, ideally, when the systems will be back up.
Ensure that you have a process to communicate should technology systems, such as email or chat, be down. You cannot rely on email if email is not available. Some companies set up text groups ahead of time to relay information.
You will also need to communicate to your executives and, in many cases, a board of directors, about what’s happening in real-time.
External Communication. You must also plan on how to communicate with customers, vendors, law enforcement, insurance agents, and potentially the media. Will you actively tell your clients? My recommendation is that you are open and honest about the situation. Ag is a small world, and they will know quickly. The larger customers are most likely already tracking you through various tools that monitor the Dark Web.
It is also a good idea to engage law enforcement. The FBI makes it easy to report concerns and they keep things confidential. One other benefit is that you will be able to tell people that you are working with law enforcement if you inform them. This can also highlight your organization’s dedication to engaging with external agencies as a gesture of goodwill in a tough situation.
If there is a chance you will file a claim, you will want to engage your cyber insurance team early in the process. Many have procedures that you must follow to submit a claim. They also may have tools that can be used to help with the situation. Because of all these audiences, any crisis response team should include communications professionals.
Involving Outside Teams
As part of your IR planning, you should consider whether to involve an outside team of consultants. One point to consider is that these attacks often come in waves across an industry. It is highly likely you are not the first to be hit by these criminals. Therefore, bringing in a team that has been through the attack before can help get to a resolution quicker and more securely.
Oftentimes, there are professionals who have experienced similar attacks and already have a playbook of their own for how to proceed. I live by the adage: Lessen the pain of your situation by learning from others.
As for implementing an IR plan, while there is a heavy IT component to IR planning, it is not purely an exercise for the people who manage your technology systems and their ability to get things done. It is critical to get buy-in from the entire leadership team across the organization on how incidents are reported, communicated, and resolved.
Common Misconceptions
When we are talking to clients in the agribusiness and fresh produce industries that have been around awhile, a typical response to the IR planning initiative is to go back to the way they did business “before.”
They feel they can always go back to paper, because “it’s how we used to do it.” This means before technology streamlined operations and became an integral part of the supply chain.
However, it is important to note that the world surrounding agriculture has changed: quality assurance (QA) and processing speeds are different, demand is greater, more complicated orders come in, and it’s not just lettuce being loaded onto a truck anymore.
Companies today significantly rely on IT systems and solutions. The speed and complexity that ag-focused businesses operate in make incident response more challenging.
IR planning takes the realization of the importance of technology from an organization’s leadership, which is a significant step toward realizing operational maturity. Technology leaders from your company must be involved in this process because they must look at the systems in use, understand how they work and what they do, and evaluate them to develop a plan to respond to an incident.
With a solid plan in place, you can minimize the impact of a disaster and even use the event as an opportunity to strengthen your business for the future.