How a Contract Food Manufacturer Keeps Recipes Out of Hackers’ Sticky Fingers
ACG Chicago panelists share how they shored up cybersecurity
Food and beverage brands pride themselves on their distinctive formulas, often held as closely guarded secrets. Yet the small and middle-market suppliers they work with don’t always have adequate cybersecurity infrastructure, opening them up to hacks with the potential to reveal precisely how the sausage is made.
No one wants to fall victim to a cyberbreach, yet small and midsize business leaders often fail to arm their organizations with the right resources for preventing an incident. Nor do they appreciate the wide-ranging benefits that come with disaster preparedness, according to speakers at ACG Chicago’s Midwest Manufacturing Conference in March.
The conference’s “Leveraging Technology to Achieve Operational Excellence” panel explored this topic through the lens of Pure’s Food Specialties, a midmarket Chicago-based maker of snack foods for large U.S. retailers, wholesalers and consumer packaged goods companies. Richard Schatzberg, chief commercial officer for NeST Technologies Corp., moderated the discussion.
In response to a cyber incident in late 2017, Pure’s decided to “batten down the hatches,” said Vice President of Finance David Sekalias. “Our IT was right for our current stage, but not the future.”
The company decided to partner with outsourced technology providers to address the incident and take its enterprise resource planning system to the next level.
Going It Alone
Incidents like the one experienced by Pure’s continue to proliferate. Harvard Business Review reported in May on findings from the IBM Data Breach Report, which looked at 550 organizations impacted by a data breach over the past year. The study found that 83% had experienced more than one incident.
The threat of a breach can be especially acute for smaller organizations with a lean staff. One of Pure’s IT partners, BJ O’Reilly, chief technology officer at SWK Technologies, noted the risks posed when small and midsize companies try to manage all their tech needs in-house with a small IT team.
For one, there’s the threat that IT staff will exit the firm, leaving behind little or no institutional knowledge about the company’s systems and protocols. And even if they stay, they likely have gaps in their expertise. “No one person knows everything,” said O’Reilly. “It’s impossible.”
Holly Huels, co-founder and managing partner of private equity firm Holleway Capital Partners, spoke on an investor panel at the conference titled “Driving Value, Managing Risk and 2023 Investment Expectations.” Asked about cybersecurity diligence, Huels recalled evaluating a company and speaking with the sole IT professional at the business. “When we met him, we asked him about cyber, and he said, ‘I’m not a cyber guy,’” she recalled. “The self-described head of IT said, ‘I’m not a cyber guy.’ And that is really, really frightening.”
Holleway evaluated the target’s cyber posture during due diligence, Huels added, and has a team ready to step in on Day 1 to shore up security as soon as it owns the business.
Amassing an Army
In Pure’s experience, working with an outsourced service provider with a large team that can support in-house staff has given it access to critical resources and guidance. Now, with Pure’s third-party IT and cyber relationships, Sekalias said, “I feel like I have an army behind me.”
Those reinforcements are vital, especially when it comes to protecting intellectual property: Many of the headlines about IP theft stemming from cyber operations involve state-sponsored groups stealing cutting-edge technology. CBS News reported in May 2022 on a Chinese state actor believed to be responsible for dozens of hacking incidents. “We’re talking about blueprint diagrams of fighter jets, helicopters and missiles,” Lior Div, CEO of Boston-based cybersecurity firm Cybereason, told CBS News. In pharmaceuticals, “we saw them stealing IP of drugs around diabetes, obesity, depression.”
Although Pure’s products don’t intersect with U.S. defense programs or pharmaceutical drugs, it faces a distinct set of threats as it looks to protect the IP of its partners.
“We’re unique as a contract manufacturer because we have access to intellectual property,” including product formulas and processes of large, well-known brands, Sekalias said. A cyber breach could make that delicate information public. “It can’t happen,” he added. “It’s an absolute non-starter.”
Building a Moat
Bernie Barbaric, senior vice president of managed services at 7 Layer Solutions, another of Pure’s partners on the panel, pointed to the spectrum of cyber protections available to businesses. They range from simple, low-cost steps like upgrading an organization’s Microsoft Office 365 license to enable more robust security controls, to more advanced and expensive solutions like artificial intelligence-based email protection. Deciding on the right defenses ultimately comes down to risk tolerance. “Cybersecurity is all about layers,” Barbaric said. “The more layers you put in place, the safer you’re going to be.”
The work that Pure’s engaged in with 7 Layer Solutions and SWK Technologies included gap analysis and risk assessments that led to tightened security, data backup protocols and disaster recovery plans. Those efforts benefited Pure’s beyond the obvious security advantages; they also positioned the company to continue doing business with key customers, many of which send out surveys to their suppliers seeking information.
In one example, around 2020, one of Pure’s customers was auditing suppliers’ business continuity plans. Because of the work Pure’s had already done with its technology partners, the company was able to present a thorough document laying out its plan. “The customer was blown away,” Sekalias said.
The ability to supply this type of information is critical to customer relationships, he added. “It’s one thing to get in the door. It’s another to execute.”
According to the conference’s investor panel, food and the food supply chain are among the subsectors of manufacturing and distribution that are likely to be active for M&A throughout 2023, due to the fragmented market in which they operate and their reputation as recession-resistant.
Cybersecurity will almost certainly be a key consideration as investors look at these businesses, to ensure they’re not buying a target at high risk of leaking its secret sauce.
Katie Maloney is ACG’s content director, based in Chicago.