Why Grocery Is A Prime Target For Cyber Attacks

It's no secret that cyberattacks are on the rise, but the threat has reached a critical level in recent weeks, with President Joe Biden issuing a new warning of potential Russian cyberattacks in response to economic sanctions. He said that while the federal government is using every tool to "deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure," they can't defend against the threat alone, as most of America's critical infrastructure is owned and operated by the private sector.

Biden has called on American businesses—particularly those in key areas like utilities, hospitals, and food distribution—to accelerate efforts to "lock their digital doors" to prevent further attacks.

Do you think this warning doesn't apply to smaller independent grocers? That's a common misconception that could lead to disaster down the line.

If you think that as an independent grocer you are not at risk, you're mistaken," Millennium Digital Technologies President and CIO Ken Andrews said.

"This is an existential threat to an independent grocer, so we need to get ahead of this before our industry is in the cross hairs."

According to Andrews, these attacks are happening more often and closer to home than you think. Small, local grocers with busy management, slim margins, and potentially vulnerable technology systems are particularly susceptible to an attack.

Andrews knows what he's talking about. He and his organization have spent nearly 25 years dedicated to making businesses like grocery stores more reliable and secure, reducing their risk against cyberattacks. At February's The NGA Show in Las Vegas, Andrews led the Independent Grocers Alliance-sponsored education session, Ransomware: The Biggest Threat To Your Business May Be One You Aren’t Even Thinking About, where independent retailers shared their stories about being hacked while Andrews offered advice on how retailers can protect their businesses moving forward.

"What you're not hearing is the behind-the-scenes rumbling in cyberblogs," Andrews told the audience. "We've found evidence that they had planned cyberattacks two months back before Russia attacked Ukraine. We would be fools not to take into account that while there is a physical conflict, they are ready to launch a cyber attack that doesn't require boots on the ground. They're talking about food supply, wholesalers, grocers."

Cyber attacks run the gamut, from a simple phone call to a coordinated hack on multiple systems, with loot between a few hundred to millions of dollars. The average ransomware attack costs businesses an average of 15 days of downtime and over $500,000 in payouts, shutting down POS systems, exposing customer and employee data to identity thieves, and infecting business partner systems.

These attacks are happening more often and closer to home than you think. Small, local grocers with busy management, slim margins, and potentially vulnerable technology systems are particularly susceptible to an attack.

Attack: Phishing Phone Calls

Nakul Patel, owner of Mt. Plymouth IGA in Sorrento, Florida, said his store has experienced hackers placing online orders using other people's payment information, as well as phishing scams over the phone.

"The cashier will pick up the phone, and someone says, 'I'm from this company,' and they're phishing for information," he said. Despite working with his eCommerce company, they haven't been able to reduce these calls or stop the false charges. In fact, he is trying to bring in someone to help with these security issues, but it has been difficult. "It's hard enough to find someone to run a cash register for us, let alone IT," Patel said.

But even with a dedicated IT person for his single store, Patel wouldn't be protected enough from these and more sophisticated attacks. Steve Kasper, director of MIS at North State Grocery, said that while he can strengthen the security for their systems on the back end, there is only so much protection that offers. "It's the front door that they're going to go through."

Which is exactly the problem Patel has experienced. As he mentioned, people call the store and speak with his employees to get seemingly harmless information, like a manager's name and phone number. They then use that information to place false orders, like Gary Massengill, general manager of Retail Data Systems, saw recently, when hackers called a store asking for access to a work station, under the guise of being from IT at the corporate office. They were able to place a large order with a party supply company using the store's account.

At one of North State Grocery's 22 stores, someone called a cashier, saying that "Steve from IT" wanted them to rub the access codes off of gift cards. Kasper said the cashier did it, giving that criminal hundreds of dollars of free gift cards by mistake. "You have to educate your users," he said, to prevent those front-door attacks in addition to the sophisticated back-door attacks.

Attack: Spam Email Links

What do the back-door attacks look like? It can be as simple as a link in an email. John Abbene, president of BRData, said a couple years ago, one employee of a 50-store chain clicked a link in an email that caused a huge data loss, affecting multiple servers across the enterprise. "Luckily, they had some data in the cloud that was fine," adding that it took daily phone calls for several months to get the stores back up and running.

"If you think it won't happen to you, it will if it hasn't already," Abbene added, saying he has seen stores of all sizes get hit, from 50-store chains to 30-store chains, and smaller. "I had a 3-store group on the East Coast who had no backups, so they lost everything and had to rebuild it all from scratch."

Attack: Artificial Intelligence

While many of these examples demonstrate that a little employee education can go a long way toward protecting you from an attack, there are more sophisticated programs and artificial intelligence (AI) out there to evade even the best IT director's efforts. "The targeting we're seeing now is extremely granular, which is how they get in," Andrews said. Some programs will drop code into your systems without doing anything. "It's a 'sit and wait' style," he said. "You won't see anything—all of your systems will work." But they are gathering data for later attacks, which adds a "massive amount of risk to our businesses."

So what can you do to protect your business, whether you're a 50-store grocery chain, a one-store shop, or a wholesaler responsible for an entire region of grocery stores?

Prevention: Start With Basic Education

The IGA Coca-Cola Institute offers a class on cybersecurity, which introduces the topic and teaches the students about ransomware and phishing, two types of harmful and fraudulent attacks. Students will also learn how to protect oneself from and identify future cybersecurity threats. All employees should take this class, as they are all at risk of a cyberattack.

Prevention: Enlist A Dedicated Resource To Monitor Your Systems

President Biden has called on American business to "lock their digital doors," and that includes grocery store owners. Why? Because cybercriminals are now targeting businesses with a higher likelihood of ransom payment, Andrews said. "The grocery industry fits their preferred target perfectly—any impacts to the food supply will receive a lot of attention and there are unfortunately technical weak links that can be exploited."

What are those weak links? All of the vendors and technologies in the typical grocery environment is a potential conduit for cybercriminals to gain access to your systems. And once they're in your system, they have the potential to infiltrate those vendors and exploit thousands of locations simultaneously.

Get ahead of this risk with a dedicated, independent resource watching your security. They will secure, monitor, and report on your systems so that you know exactly where you stand—good or bad. If there are problems, they can work with your other vendors to resolve those issues until the reporting shows your systems are secure. At that point, it just becomes a process to monitor and maintain the systems over time.

That's what IGA's Cyber Security program does, covering all of your needs, including: