"Cybersecurity in floriculture: 'We are as strong as the weakest link'

Digitalisation is being embraced by the sector, according to the recently published Trend Report on Floriculture. At the same time, this poses significant challenges in the field of cybersecurity. This is one of the reasons why multi-factor authentication (MFA) will gradually be made mandatory for all Floriday users next year. Chief Information Officer (CIO) André van der Linden and Chief Information Security Officer (CISO) Bas Wevers warn: "Make no mistake – every month, the login details of multiple Floriday accounts are offered for sale on the dark web."

The Trend Report on Floriculture shows that 29% of growers have taken concrete steps in the area of digital security. 16% have started taking action recently. However, there is also a group that is not yet actively engaged in online safety. Only 13% of growers consider themselves fully protected against a potential hack by cybercriminals.

Fire extinguishers

"It's an alarming figure, but it confirms what we already knew at Royal FloraHolland. Cybersecurity is a subject that does not capture the imagination of many companies. It's a bit of an after-thought," says CIO André van der Linden. "Your digital environment is just one of many business assets that need protecting. Just like your premises or vehicle fleet. If you ask a business owner if they have fire extinguishers, they will say: of course. But the probability of fire is lower than the probability of a hack or cyber attack. It is a fact that many SMEs, including those in floriculture, are insufficiently protected digitally."

Floriday login details for sale on dark web

Cyber attacks are not as remote a concern as business owners may think. "Make no mistake: every month one to two members are affected by data theft," says Bas Wevers. He has been CISO at Royal FloraHolland since 2021 and previously he worked for over 15 years in similar positions at organisations in various industries. "The log-in details for their Floriday account are stolen and offered for sale on the dark web (an online marketplace where criminal data is traded).This has now become such a common occurrence that we have standard scripts for communicating about it. We'll let the companies affected know about it. They're usually glad to hear about it from us, as otherwise they wouldn't have known. So far, the impact has been limited, but if login details are sold to someone with malicious intent, the damage could be significant. Floriculture is a large and economically important sector. And therefore of interest to cybercriminals." 

Economic and reputational damage

Worst case scenario? According to André, there are three: "If growers are hacked, there is no supply on our platform. If buyers are hacked, there is no demand. And if we get hacked ourselves, there is no marketplace. With this, we're talking about availability, but then there is also data integrity. What if the quantities provided are wrong? Or there has been tampering with sustainability certifications?"

Bas adds: "In all cases, this results in economic damage. It also damages confidence in Royal FloraHolland. And that in turn causes reputational damage. The headline 'No flowers on Mother's Day' is one of the biggest nightmare scenarios as far as I am concerned."

André: "So we have to invest to keep the supply chain working. Otherwise, we will suffer as a cooperative. You are as strong as your weakest link. Cybersecurity is truly something we must share together."

Awareness is the starting point

"It begins with awareness," André argues. In this, Royal FloraHolland also sees a role for itself. "We invest a lot in our employees' awareness of cybersecurity. But as a cooperative, we have a responsibility towards the sector." Bas emphasises that Royal FloraHolland can support business owners in various ways. "It is difficult to protect yourself digitally. Business owners often don't know where to start. And cybercriminals are developing new tactics all the time. We are actively investing in informing growers and taking the first steps with them. Partly on our initiative, the Greenport Cyber Resilience Centre was established in 2023. We also offer our members a free cyber subscription with crisis exercises, regular cyber updates and wide knowledge sharing within the sector."

Mandatory MFA

The (upcoming) obligation to make multi-factor authentication mandatory was introduced in consultation with growers, buyers and Royal FloraHolland, in the Sector Platform consultation. Bas: "This is a first step in making things a lot harder for cybercriminals to strike. In addition, companies can do many other things. In some areas, we at Royal FloraHolland can play a role in this. But most things really need to be tackled by companies themselves." On the Royal FloraHolland website, you will find tips and articles about various cybercrimes and how you can protect yourself, your colleagues or your organisation.

Growers do it for themselves

There is still plenty to do in raising awareness about the how and why of cybersecurity, André concludes. "Some business owners think they are doing all this for Royal FloraHolland, to keep our systems and data safe. But ultimately, we are doing this for improving cybersecurity and data security for growers themselves. If account details are stolen, supply in Floriday may not be correct or purchases may be made at incorrect prices."

Continuous process

Even a major incident does not create lasting awareness. Andre: "There have been occasional incidents where companies in the industry have been affected by ransomware. Ultimately, this happened at a time when there was little trade and a solution could be found quickly which meant the damage was not too serious. But even so, it was a scare for everyone in the industry. Cybersecurity becomes a key concern for a few months, but then attention wanes again. This demonstrates that we must continue to share knowledge with each other and continuously keep raising awareness. Because there will come a time when this will no longer be a distant memory. By then, it's probably too late. We must prevent this from happening; for the growers and buyers, for Royal FloraHolland and for the sector.”