By: Mark Sangster, Vice President and Industry Security Strategist, eSentire
Martin Luther, the famous German theologian and religious reformer, is credited with saying “Beer is made by men, wine by God.” Had he lived another 475 years, he likely would have added that “Cybercrime is made by the Devil.” And, he wouldn’t have been too far off.
Cybercrime is insidious: It knows no borders and as we’ve seen, knows no bounds. In fact, a report from Cybersecurity Ventures predicted that the global cost of cybercrime will reach $6 trillion USD this year. According to the 2019 Cost of Cybercrime study by Accenture and the Ponemon Institute, the average cost of cybercrime to a U.S. organization was $13 million — a significant sum. And, a report from my own company eSentire found that cybercriminals netted more than $45 million in the first four months of 2021 alone. But before you start thinking that means cybercriminals only go after the big guys, consider the fact that it’s small and medium-sized businesses (SMB) that are the primary targets for data breaches (Data Breach Investigation Report, Verizon 2020).
To be sure, there are threat actors that are out to make trouble, whether it’s disrupting critical fuel pipelines or, like the modern-day equivalent of sleeper agents, quietly accessing classified systems to gather top-secret information or cripple it at a later date. However, what most companies encounter comes as the result of unadulterated greed from a run-of-the-mill cyber crook. Just like your average street criminal, these people attack businesses because that’s where the money is. And like it or not, SMBs, such as family-run wineries and vineyards, make for low-hanging fruit. Cyber attacks on the wine, spirits and beer industry have ramped up in the past year including hits on Brown-Forman, E & J Gallo Winery, Molson Coors, and the Campari Group.
The Earth Is Mine. (What About Your Network?)
On the one hand, it’s a brave new world for the farming and production aspects of winemaking, thanks to automation advances. But on the other hand, a great deal of manual labor is involved, and despite advances, the wine industry is still considered very much old-school, lagging behind other industries when it comes to the use of technology.
When you consider the production process from grape to glass, some of the greatest risk of cyber exposure lies on the farming side. Growing the perfect grape comes with a lot of moving parts, and like other production businesses, enterprise resource planning (ERP) systems are in place to track a variety of processes, from what pesticide was applied on which date, to the costs involved, etc. Whereas how these things are tracked will vary from vineyard to vineyard, the common denominator is that in most cases the people interacting with these systems are predominantly field workers who might not be the most tech-savvy. Add to this the fact that many front-line remote systems are loosely managed and run on personal field laptops or mobile devices, and you have an ideal attack vector.
Regardless of whether you are operating a small, family-run vineyard or have a large-scale wine operation, you face an even greater risk each time you sit down at your desk. The vast majority of cyberattacks begin with malware, typically embedded in an attachment sent with a seemingly innocuous email. Maybe it’s an invoice from a distributor you work with, maybe it’s your bookkeeper asking you to review a document, or maybe it’s a complete stranger, hoping you’ll slip up, open his attachment, and launch a malware script that will encrypt your data until you give in to his demands.
While unsecured computer systems and mobile devices are common attack vectors, it’s safe to assume that as your operation grows, so too does your attack surface. Now wine operations have barcoded, inventory-tracking devices that are used on a remote workflow in the field. That information is fed into a central ERP system that’s tied to another automation system, and so on throughout the production process, as tank temperatures and acidity levels are monitored. Then, too, consider the controls that regulate humidity levels inside a facility or the transfer of wine from tank to tank. Any and all of these systems can be tampered with and if they are, it can negatively affect the end product and your business.
Data, Decanted
Outside the confines of your vineyard or winery lie even further risks. Supply chains are attractive targets not just for the information they hold but the damage they can inflict if disrupted. Distributors, especially smaller ones, often track depletions manually and share updates via email. Consider the example of a small warehouse in Kansas City that might have 20 pallets of your wine and little to no security solutions in place and then consider how quickly a threat vector could spread via a spreadsheet attachment.
On the retail side of wine operations, both on- and off-premise operations, offer up other strike zones. Each of these channels has its own supply and inventory management systems that track activity all the way out to individual shops, bars, and restaurants, which again, may or may not have the strongest security posture.
Nor can you overlook the direct-to-consumer aspect. Customer relationship management(CRM) systems that are used to manage your wine club or market tasting events hold a wealth of personal information, not to mention credit card numbers. They’re gold mines for those looking to sell that information on the Dark Web for a tidy profit and scarily enough, you might never know you’ve been compromised.
Just Enough Rain to Stress the Vine: A walk in the cloud(s)
In the face of myriad risk and attack vectors, it’s tempting to take the path of least resistance, and send up a prayer that you’ll be among the lucky ones to not suffer a cyber breach. But in today’s climate, that’s risking a lot more than bottle shock. Companies today, regardless of their size or industry, need to assume that it’s not a matter of if they will be targeted by cyber crime, but when. Depending on your size and budget, running a full-scale Security Operations Center might not be in the cards, but there are steps you should be taking to protect your business today and in the future:
● Suspicious emails should trigger the same reaction as a wine that’s corked. Avoid it at all costs. Phishing emails are a popular attack vector, and unless you know what to look for (and how), you are putting yourself and your company at risk each and every day. Educate your staff on what to look for and make sure that whatever training they receive is specific to the vineyard/wine industry. People like to think they won’t fall for the “Congratulations! You’re a winner” emails, but are they prepared to investigate those emails from your attorney or best vendor? Additionally, you should ensure that your department systems are segmented, preferably using the principles of Zero Trust. That way, if one person accidentally opens a malicious email, they won’t be granting a hacker access to the whole system.
● Maintain Security Hygiene: Network systems need to be maintained and cared for just as you would oak barrels. Security hygiene is a critical component of cybersecurity and at the very least should include:
1. Regularly patch and update your software You’d be surprised at the number of breaches that could have been avoided simply by keeping software systems patched and up-to-date. It’s estimated that a third of all data breaches come as a result of unpatched vulnerabilities when patches were available. (Looking at you, Equifax).
2. Two-Factor Authentication Is a MUST . Make sure to implement two-factor authentication around all of your company’s key software applications and systems, providing an additional layer of security. Never, ever reuse passwords across accounts or devices, and if your budget allows, implement solutions that employ a Software Defined Perimeter (SDP) approach. Be aware, however, that while these solutions offer advanced security, because they are more complex they are costlier; plus, there are the added costs associated with hiring staff who have the proper expertise to manage them.
3. Operate on a need-to-know-basis. In general, it’s a good idea to limit the amount of network access your employees have — compromised accounts can be used to create shadow employee accounts which in turn can be used to move around a network. It’s especially important that top-level executives and owners aren’t given the full set of keys to the kingdom just because they’re the boss. Senior-level employees and owners are prime targets for cybercriminals looking for ways to infiltrate a system and move around with impunity. Someone might ask why your front-desk staff is nosing around a payroll system, but no one will question the boss.
4. Virtual private networks (VPN) are more than a good idea. They provide secure and encrypted connections between systems (files shares, email servers, etc.) and ensure that your communications can’t be intercepted.
5. Lock down your operational technology (OT) systems and ensure that they are not left internet-facing.
● Automation technology is complicated and protecting it, even more so. You can’t assume that everyone further down the supply chain is taking a serious approach to cybersecurity or even knows where to start. It’s incumbent on you to protect your business, so talk to the experts. Be sure to talk with your insurance providers, legal team and other key vendors to ensure you have a plan in place for when the inevitable happens.
Something to Think About
Too often, companies fail to adequately protect themselves against cybercrime, because they are laboring under a trifecta of misconceptions:
● “We’re not a bank or even a household brand name so we aren’t a target.” This is a prime example of absolutist thinking and the harm it can cause. To the thief, even the poorest person has something worth stealing.
● “We could never defend ourselves against massive ransomware gangs and state-sponsored actors so why even try?” When it comes to the average cybercriminal, Thomas Crowne they are not. That said, there’s no reason to stand up when the bullets are flying. By carrying out basic cyber protections you can reduce your risk by up to 80 percent.
● “We never saw it coming.” In the world of cybersecurity, by the time you see the red flag, it’s too late. Heed the little signs. They won’t all pan out to be cyber attacks, but when things go bump in the cybernight, it usually means there’s a monster there. It just hasn’t struck yet.
The wine industry has a long and storied history and holds an important place in culture and daily life. From small vineyards to wine conglomerates, there are financial gains to be made for the hacker looking to grow his ill-gotten gains. By following some basic steps, you can ensure that cyber criminals are the only ones claiming sour grapes.
About the Author
Mark Sangster is vice president and industry security strategist at eSentire. He is the author of No Safe Harbor: The Inside Truth About Cybercrime and How to Protect Your Business. Mark is an award-winning speaker at international conferences and prestigious stages including the Harvard Law School and RSAConference. He has appeared on CNN News Hour to provide expert opinion on international cybercrime issues, and is a go-to subject matter expert for leading publications and media outlets including the Wall Street Journal and Forbes when covering major data breach events.
