Strategies for supply chain resilience: keeping your business cybersecure


By Greer McNally 19/11/2025

With leading food and drink businesses still reeling from the impacts of recent devastating cyber attacks, it’s never been more critical to make your food industry cyber defences a business-critical issue.  

Not so long ago the responsibility for food industry cyber security fell solely to a CIO, CISO or even an entire IT security department. But the scale and impact of attacks in the last 12 months have made it abundantly clear that’s no longer an option for food and drink businesses.  

In April 2025, a ransomware attack against M&S halted online orders for weeks; sent automated stock systems offline; and breached customer data, including names, addresses and order histories. The cyber attack is thought to have cost the retailer somewhere in the region of £300m.

A concurrent attack at Co-op is also thought to have compromised both ordering and logistics systems, with reports of empty shelves and supply chain disruptions. Again, customer and employee data was accessed.  

Then a few months later, in July 2025, United Natural Foods Inc (UNFI), the primary distributor for Whole Foods in the US, was forced to take operations offline after hackers infiltrated its systems.

And then just this week, Cloudflare, the US company that looks after the security for millions of websites, suffered a serious outage. The tech firm, described as an internet “gatekeeper” by The Guardian, provides services to food industry businesses such as Just Eat and Ocado. The company said the issue wasn’t a hack but an internal error due to a configuration file growing beyond its expected size and crashing software. Everyone from Canva to ChatGPT and X was affected.

These are only a handful of the high-profile cyber breaches that have taken place over recent years.  

Interpol estimates that a cyber breach now takes place once every 39 seconds globally, costing some $18m per day, with food and drink businesses particularly vulnerable.  

Reliant on complex, interconnected just-in-time supply chains, the global agri-food sector is not only dependent on legacy systems and technologies more exposed to cyber attack, but it increasingly houses significant volumes of sensitive customer data too – making it a prime target for hackers looking to exploit and/or sell data on the dark web.

The impact goes far beyond the bottom line too, with significant brand and reputational repercussions for those organisations targeted in an attack.   

Yet, the sector has also been accused of chronically underinvesting in defences.  

A report by Specops Software (citing UK government data) found that food firms spend far less on cyber-attack prevention than many other sectors – about £1,080 per year, on average. That compares to £22,050 by finance and insurance firms.

So, what needs to change to bump food industry cybersecurity best practices up the priority list – and shore up defences against a growing number of attackers?  

Why cybersecurity should be a commercial priority

The first step is perhaps a mindset shift: make cybersecurity everyone’s problem.   

If responsibility rests solely with an IT team already navigating the impact of rapid digital transformation such as a more digitised, automated supply chain, then it’s unlikely to get the attention it deserves – nor will the weaknesses that attackers exploit be fully addressed.  

1. Establish a supply chain cyber risk baseline

First, ensure all employees within an organisation, where possible, develop a baseline understanding of how hackers can gain access and their role in identifying and preventing breaches.  

This includes training on:

  • the importance of strong passwords
  • how to secure devices
  • defending themselves against phishing attacks
  • how to report immediately

2. Evaluate third-party suppliers & contractors

M&S confirmed that the breach of their own systems occurred via a third party – and risk outside an organisation is fast becoming a primary attack vector for cybercriminals.  

In fact, according to the 2025 Verizon Data Breach Investigations Report (DBIR), 30% of breaches now involve third parties. That makes this a critical step.  

Carry out thorough, ongoing risk assessments of third-party cyber protocols. This could include:  

  • Security questionnaires to gather initial information
  • Penetration testing to validate claims
  • Reviewing security certificates and compliance reports (like ISO 27001 or PCI DSS)
  • On-site audits for high-risk vendors

3. Demand food industry cybersecurity is a C-suite priority

  • Educate your leadership on the commercial and operational risks
  • Ensure all strategic decisions are aligned with food industry cybersecurity concerns
  • Monitor performance and embed cyber-aligned metrics in the core KPIs

Develop robust cybersecurity defences

With everyone in an organisation on board, cyber hackers will already have a far tougher time trying to breach defences.  

But with food and drink businesses often reliant on legacy technologies when it comes to automation, there are also plenty of technical loopholes that need to be addressed to ensure those defences are suitably robust.

How to evaluate your level of supply chain cyber risk

Hackers can breach systems through various methods, including social engineering techniques like phishing, exploiting software vulnerabilities, using malware to gain unauthorised access, as well as what’s known as a distributed denial of service (DDoS) attack, which targets websites and services in a bid to exhaust an application’s resources.

To understand where vulnerabilities might lie, thoroughly check systems using a combination of:

  • Vulnerability scanning tools and services: With a huge number of products in the market here, some specialised and some with a broader remit, it can be tricky to select the right option. This guidance from the National Cyber Security Centre might be useful.   
  • Penetration testing: This sits alongside functional testing of security controls and is used to identify the level of technical risk emanating from software and hardware vulnerabilities. 

What action can you take to improve your cyber defences?

Of course, the responses required to improve cyber defences off the back of such tests will vary widely from organisation to organisation, but there are a few broad principles to follow.  

These include:  

  • Network segmentation: Dividing up systems into smaller isolated segments so that if one is infiltrated, it’s far easier to contain an incident.
  • Multi-factor authentication (MFA): At a minimum this should be two-factor, i.e., an additional proof point alongside a password, such as a code from a phone or email account. But for businesses with higher risk levels, such as particularly sensitive data, MFA could extend to 3 or more factors or take into account biometric data, such as fingerprints.
  • Zero trust architecture: Simply put, never trust, always verify. By applying this design principle to digital ecosystems, cyber strategies assume that no user or device should be trusted by default, with continuous verification at every level, and users granted the least access possible to carry out their role.  

Why inaction now is a ticking cybersecurity timebomb 

The risks presented by cyber attacks are only set to increase.  

Already, in 2024 there was a sharp increase in phishing and social engineering attacks, with 42% of organisations reporting such incidents globally, according to an annual report from the World Economic Forum (WEF).  

And experts expect that the combination of geopolitical uncertainty, more complex supply chains and the rapid adoption of emerging technologies like AI – both by businesses and cybercriminals – will compound the threat.  

For food and drink businesses there’s never been a more important time to act – and ensure cyber is treated as the commercial and operational priority it is.    

Greer McNally

Greer has over 15 years’ experience writing about trends in the food and retail sectors. She lives in a little village by the sea in Northern Ireland and loves creating content that informs how people think about the food industry. A recent career highlight was interviewing the legend that is Dr Temple Grandin.