Essential Eight: Top self-protection tips for Australian F&B firms moving to e-commerce after Lion attacks

Lion recently suffered a major cyber security attack after the firm’s systems had to be shut down after being hit with ransomware, which is essentially a form of malware that will lock up the victim’s systems and only restore access after a ransom is paid, followed by a second round of attacks that further disrupted its IT systems soon after the first.

Cyber security firm ISDefence’s Director Yvonne Sears warned F&B firms that they needed to take action to prevent similar problems.

“For all businesses, F&B included, it is important to think about your risk profile when changing any of your business systems– you need to ask about the type of new information you’re collecting, new regulations you are subject to, whether you are opening yourself up to new risks or changing existing risks, things like that,”​ she told Food South Australia (Food SA) CEO Catherine Sayer at the Food South Australia Summit 2020, which was held virtually for the first time due to COVID-19.

A recent big shift in the food industry has been for many firms to alter their models to include e-commerce in order to be more resilient post-COVID-19. With many doing this for the first time, Sears’ advice to companies is to follow the Essential Eight model in order to minimise cyber security risks to their businesses.

“The Essential Eight is an absolute baseline to ensure your business is equipped to handle a cyber security attack, [as well as to] contain, respond and recover from such an attack if it does occur,”​ she said.

“We’re talking things like information security e.g. a good antivirus and reliable data backups, patch management for your operating systems by keeping up with your software updates whether at home or in the office, and access controls like having individual user IDs and password management.”​

Apart from those mentioned above, the Essential Eight model also includes risk mitigation strategies such as multi-factor authentication and user application hardening by blocking non-essential features in browsers, Microsoft Office and PDF viewers. More information can be found here​.

Cyber attack consequences ​

The consequences of these attacks were massive for Lion, which saw disruptions to production of the many brands it brews, including Budweiser, Guinness, Lion Red, XXXX GOLD, Tooheys, and Little Creatures – even leading the firm to warn of beer shortages at one point.

“Throughout the COVID-19 shutdown, we were able to continue to brew beer safely. We had stock at hand and were gearing up to increase brewing. This attack has delayed those plans, and because of the situation we have limited visibility of our products,”​ said Lion in a formal statement on the attack.

“We’re working to bring our breweries back online as soon as possible. In the meantime, we will be managing our stock levels very closely and may see some temporary shortages.”​

Given how serious the consequences were for a large F&B firm, the impacts such an attack would have for a small or medium one would be even more devastating.

“This is why it’s important when setting up a system to ask your IT people the right questions, including what would happen if such an attack hit us? How resilient are we to such attacks? Do we fully understand our supply chain risks, and what would happen to us if someone along the chain were attacked?”​ said Sears.

“Another important one would be: Where are we along the supply chain, who do we need to inform about any attack and how do we do so? This is one thing that Lion got right, they are very clear about where they are along the chain and who to inform, and have been transparent about the situation.”​

On a wider scale, Australian Prime Minister Scott Morrison also announced on June 19 that the Australian government and industries were being targeted by cyber attacks believed to originate from 'state-based'​ sources.

"Based on advice provided to me by our cyber experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor,"​ Morrison via a televised statement on 9News​.

"This activity is targeting Australian organisations across a range of sectors including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure. [The frequency of attacks] has been increasing."​

"The aim of this statement is to raise awareness about these risks - which are not new, but now specific." ​

Although Morrison did not confirm the suspected source of the attacks, it is widely believed to originate from China. He also told Sydney Morning Herald ​that the national-level attacks were not related to the cyber-attacks on Lion.

Policies and regulations​

Attacks aside, Sears reminded firms that it is important to be careful when it comes to asking for and handling data when making the shift to e-commerce, as there are regulations to observe after making this change.

“The Privacy Act is the one to note when collecting any additional information from consumers. Businesses need to be considerate about the type, quality and quantity of information collected, as well as ask yourself: Do you need to be collecting that in the first place?”​ she said.

“Another item to note is that when shifting to e-commerce and processing payments online, your business will be subject to the Payment Card Industry Data Security Standard (PCIDSS).​

“Consumers will be using merchant banks or third party payment providers such as PayPal to purchase your products, and you need to make sure that any third party payment providers are secure and keeping consumers’ data secure as well.”​