Cybersecurity is more important now than ever to every sector because cyberattacks are becoming increasingly frequent. According to the EU Agency for Cybersecurity (ENISA), ransomware attacks increased by 150% between April 2020 and July 2021. This increase was caused in part by the pandemic. Remote working, greater e-commerce sales, and increasingly digitalised business operations have resulted in companies and organisations becoming increasingly reliant on more devices connected to both the internet and a corporate network. This has expanded the attack surface that threat actors are presented with, and that companies and organisations must secure.
The consumer goods sector has been alerted to the new challenges it faces. This is largely thanks to high-profile attacks on consumer goods companies such as Mondelez and Reckitt in 2017, and JBS in 2021. Serious attacks in other sectors, such as the attacks on SolarWinds, and Colonial Pipeline in 2021, have exposed the vulnerability of modern IT and OT systems more broadly.
Accordingly, the consumer goods sector has invested more in cybersecurity. Between 2020 and 2021, cybersecurity hiring by consumer goods companies roughly doubled, and cybersecurity hiring in 2022 will exceed that of 2021 if the current hiring rate is maintained. In addition, mentions of cybersecurity in the filings of consumer goods companies have increased year-on-year since 2016, as has the number of consumer goods companies mentioning cybersecurity in their filings.
However, cybersecurity has not yet been incorporated sufficiently into the corporate strategies of most consumer goods companies. Firstly, very few consumer goods companies have added their chief information security officer (CISO) to the board of directors. The accelerating digitalisation of business operations and increasingly menacing cyber-threats mean corporate strategy needs to take the CISO’s full perspective into account. This is difficult to do via intermediaries.
Secondly, many consumer goods companies explain which areas of ESG they are prioritising with a materiality matrix: a scatter diagram that positions issues such as water usage and climate change according to their potential impact on the business and their importance to stakeholders. Most of these materiality matrices underestimate the importance of cybersecurity, data security, and privacy. For instance, Danone’s matrix ranked data security and privacy as the least important ESG issue facing the company. The latest General Mills materiality matrix didn’t even include cybersecurity or data privacy.
Cybersecurity impacts every area of a consumer goods company’s operations. It applies to both IT and OT. Installing the right technologies in the right places and cultivating the right skills in the right workforces requires informed long-term strategies. These cannot be realised without cybersecurity’s true importance being acknowledged and acted upon in the boardroom.