
Manufacturers Likely Cybersecurity Targets, Say Experts: Tips & Strategies for Fortifying CPG IT Systems

Liz Dominguez
Cybersecurity
CPG companies like Clorox, 3M, Hanesbrands, and Church & Dwight have made recent investments to bolster their cybersecurity.

While cybersecurity protocols have long existed within CPG operations, with technology advancing at record speeds, consumer goods companies have had to battle against increased vulnerabilities. 

It’s not just smaller companies that are at risk either. One need only look at Clorox’s IT breach to see the repercussions of a cyber breach within a major CPG organization: interrupted distribution, lost consumers, and a significant recovery period. This is why Clorox and other companies like 3M, Hanesbrands, and Church & Dwight have made recent investments to bolster their cybersecurity, integrating automation and AI along the way.

Of the 90% of CPG and retail executives who plan to increase their investment in IT or emerging tech over the next year, 20% report cybersecurity as their highest priority, while 21% will invest in supply chain and 31% in AI or ML and GenAI, according to EY.

The question for many CPGs is where to begin. To shed light on this, cybersecurity tech providers and consultants from the consumer goods industry share with CGT their best practices and strategies for identifying the top areas of vulnerability, the foundational tech CPGs need to protect against threats, and how to achieve cybersecurity buy-in from leadership and stakeholders.

Also read: 2024 Supply Chain Trends from Gartner

Identifying the Vulnerabilities

There are three main areas of concern according to Mayank Ranjan, SVP and regional head of consumer, retail and logistics at Infosys: hackers, corporate espionage, and insider threats. Much of this stems from reliance on multiple cloud vendors to meet supply chain, manufacturing, marketing, sales, and customer engagement needs, which makes it hard to centralize data security solutions and leaves room for risk. The larger the cloud footprint and the more different systems are integrated within it, the larger the risk exposure.


This is especially important within the supply chain. Since suppliers have access to an organization’s systems and data that are critical to operations, companies should continuously look within the supply chain to test for risk, says Steve Muszak, partner and distribution market leader of cybersecurity services at IBM Consulting.

“CPGs should focus more on operational technology (OT),” adds Muszak, who says manufacturing companies are especially at risk as they are the No. 1 industry targeted by attackers. “These are soft targets for an attacker and hit at the heart of many CPGs’ businesses.”

Ransomware attackers heavily rely on the availability of OT environments, according to Charlie Lewis, partner at McKinsey & Company. Should CPG manufacturers get hit, they are more likely to shut down their OT environments and pay ransoms to restore operations due to weak OT network segmentation and identity and access management (IAM) programs.

Some supply chain attack techniques include brute-force attacks, the exploitation of software and configuration vulnerabilities, social engineering, malware infection, counterfeiting, and physical attacks, according to the World Economic Forum.

Also read: Learn more about how IT breaches can impact CPG supply chain operations.

Fortifying IT Systems

Several base capabilities are recommended to strengthen security and reduce risk, particularly among complex IT and OT networks. Among them are IT asset management, lifecycle management, IAM, vulnerability management, and third-party risk, says Lewis.

It’s the foundational capabilities that are key, says Lewis. “CPGs, like many other companies with complex IT and OT networks, face a variety of risks that can have outsized business impact, such as disruption of production operations or leakage of sensitive IP, and require a set of minimum controls to reduce those risks.”

While IT asset management is not always considered a cyber capability, he says, it’s important that enterprises know their assets, including their criticality, owner, version, etc., so that remediation and restoration are possible following an attack. Within lifecycle management, attackers typically look to exploit systems that are no longer maintained, so keeping up with regular updates limits the likelihood of a successful attack, says Lewis.


Additionally, Lewis recommends:

  • Using various aspects of the IAM capability, specifically multi-factor authentication to reduce inappropriate access and user access reviews to ensure the right people have access. Those who no longer need access should have it removed.
  • Addressing vulnerabilities across the tech stack within service-level agreements based on criticality. This naturally reduces risk and can tie into broader IT asset management programs.
  • Knowing where critical business processes rely on third parties, how resilient those third parties are, and whether there is a concentration of risk across the environment.

“Building an integrated program with broader procurement processes improves third-party risk outcomes,” says Lewis. “These capabilities, while not exhaustive, start the process of preparing organizations to reduce the most critical risks by applying relevant controls against critical assets.”

Once these are established, Muszak recommends building an incident response plan that is tested frequently. Early detection and rapid response are key. CPGs should adopt a muscle memory approach to ensure ongoing resiliency.

Additionally, staying aware and keeping employees and team members informed is highly effective in reducing risk. Lewis recommends that the CPG workforce undergo board crisis simulations and phishing simulations within their companies so they are prepared ahead of any attack.

Winning Over Leadership

While CPG enterprises largely understand the importance of protecting their IT systems from cyber attacks, tech stack upgrades and investments, particularly AI and ML integrations, can be costly. How, then, can companies convince board leadership of the value of implementing these necessary improvements?

CIOs should focus on the business risk impacts due to cyber-attacks when communicating with leadership, says Lewis. Being overly technical or focused on maturity does not demonstrate risk reduction ROI.

Organizations can also focus on the significant cost hurdles a cyber threat poses. In consumer goods, costs for the average breach studied came in at $3.8 million — ranking tenth among all industries — according to IBM’s 2023 Cost of a Data Breach Report.


“Gaining buy-in for these investments often involves demonstrating the potential risks and the tangible benefits of improved security posture, such as reduced downtime and protection of sensitive consumer data,” says Ranjan.

Another effective method is convincing the C-suite to test leadership in a crisis across communications, legal, and IT through simulation programs.

“When the leadership of an organization can understand and feel what this is like firsthand and the implications to their business, buy-in quickly follows,” said Muszak.
