LAS VEGAS — Consumer packaged goods (CPG) companies are investing more in data and automation to streamline their operations in light of a labor shortage. Gathering data, connecting equipment and increasing remote work all leads to vulnerabilities in cybersecurity.
“It’s not if you’ll be attacked; it’s when,” said Donna Ritson, president of DDR Communication, during her presentation at Pack Expo Las Vegas, held Sept. 27-29. “It doesn’t matter the size of your business. it doesn’t matter if you’re a manufacturer or a large CPG. The cyber criminals will come after you.”
In fact, Ms. Ritson cited several statistics revealing how prolific this problem has become. Thirty-three percent of all cyber incidences in quarter two of 2020 were in the manufacturing sector. Small businesses made up 28% of all breaches in 2020, and 10% of small businesses that experienced a security breach in 2019 closed permanently.
“They aren’t going after you personally, they are going after the vulnerabilities that they find while searching for an opening,” she said.
Most cyber attacks come from three sources: bad actors or cyber criminals, insider sabotage, or inadvertent mistakes by employees. Common attacks include phishing, spam, IP theft, ransomware, compromised web pages, trojan horses, supply chain attacks and Distributed-Denial-of-Service attack.
When developing a cyber security plan to head off these attacks, Ms. Ritson recommended starting with a comprehensive risk assessment. Vulnerabilities go beyond log in information and email accounts.
“Every single connection at an operation needs to be considered, both IT and OT,” Ms. Ritson explained.
IT, or information technology, focuses on security for ERP systems, email, HR, CRM and other office systems. OT, or operational technology, focuses on technology on the plant floor such as PLCs, SCADA/HMI systems and sensors. These two departments must coordinate to have the most secure solution to cybersecurity.
The second point of any action plan needs to be data storage. Where and how is data collected, transferred and stored? These points represent a point of vulnerability to attack. Separating networks internally can keep bad actors from infiltrating the entire network with one attack. For example, companies can isolate machine networks from office networks.
“By separating that, you’ve already got a level of if they get into your email systems, they can’t get all the way to the plant operations,” Ms. Ritson said.
Updating equipment software and networks continuously also ensures they are the most protected. It’s also important to tightly control access to networks. And companies should always have an emergency recovery plan that is constantly being updated to meet new threats.
This plan should include back-up systems, so that the company won’t be beholden to any bad actors holding the network or data hostage. All employees should be aware of the plan and how to report incidences.
“Everyone should know what the plan is, what it entails and how to enact it, just like a fire drill in school,” she said. “If you have a cyberattack, people need to know what action do we take and what does that look like.”
This speaks to the importance of training when it comes to cybersecurity. Employee mistakes are a vulnerability bad actors can take advantage of, so teaching employees how to recognize a cyberattack and what to do to avoid them or when they do occur is critical to the security of the business.
Employees should be trained regularly on how to identify phishing emails and be given guidance on how to report suspicious activity when they encounter it.
“It’s about bringing them in in a collaborative effort and educating them about the mission to keep the company safe,” Ms. Ritson said.
The boom in remote work and the move toward data and automation have made cybersecurity more important than ever for businesses to consider. With an action plan, best practices, and continuous improvement and training, CPG companies can protect themselves from these threats.