
The impact of cybersecurity on the consumer goods industry


The matrix below details the areas in cybersecurity where consumer goods companies should be focusing their time and resources. We suggest that consumer goods companies invest in technologies that are shaded in green, explore the prospect of investing in technologies shaded in yellow, and ignore areas shaded in red.

Almost every layer of the consumer goods value chain will rely on employees using company devices that are internet and network-connected to communicate, create content, and operate or oversee machinery. Consequently, device access needs to be controlled by identity management. Network security, endpoint security, threat detection and response, email security, and unified threat management are all needed to achieve adequate visibility over what is being communicated within and between IT, OT, and IoT networks. They will pre-emptively filter out any malicious content directed toward these networks and prevent unauthorised persons from gaining access to the network.  

Cloud security and data security are needed to ensure stored data is sufficiently protected from thieves and other malicious players. Application security is needed to prevent applications used by employees from becoming points of vulnerability. Vulnerability management and risk and compliance services are needed to provide internal and third-party perspectives on points of cybersecurity weakness and areas for improvement. Finally, post-breach response services are essential because, eventually, every company will suffer a breach. Post-breach response services will prove invaluable in these moments.  

The cybersecurity value chain layers that should be explored are chip-based security and managed security services. Investing in chip-based security entails purchasing and installing the newest IT and OT hardware that uses cybersecure chips. However, completely retrofitting departments with the latest hardware would cause significant disruption to business operations. This is especially true for the manufacturing and distribution and logistics layers, which comprise both IT and OT assets. Managed security services are certainly a valuable investment. However, outsourcing security management is ultimately an operational choice. Internal teams can manage a company’s cybersecurity.

Payment differs from the other layers of the consumer goods value chain regarding endpoint security. Endpoint security is typically not needed for payments because if a payment is made via an online store, it is made via the consumer’s device, for which the consumer goods company is not responsible. However, if payment is made in a physical store, the retailer is responsible for the endpoint security of the device on which the payment is made (e.g., a card reader). The exception is when products are sold from a store owned and operated by a consumer goods company, such as L'Oréal's store in Paris.  

Email communication does not always feature in the payment process. However, verification emails are sometimes integral. Therefore, consumer goods companies should explore the importance of email security in the payment process.

How does Covid-19 accelerate the need for increased cybersecurity?

The pandemic contributed to (or outright set in motion) changes to the consumer goods sector, resulting in companies relying on more internet and network-connected devices and collecting and storing greater volumes of consumer and operations-related data. More of these devices means more potential access points to the company network for hackers. More consumer data stored on company databases means greater potential rewards for thieves.  

Cybersecurity solutions that improve asset visibility and threat detection are the keys to ensuring the changes wrought by the pandemic do not become vulnerabilities. The cybersecurity-related M&A activity in 2020 and 2021 demonstrates how the pandemic increased the importance of cybersecurity. 2020 saw the most cybersecurity-related mergers and acquisitions of any year since 2018. The total value of cybersecurity-related mergers and acquisitions in 2021 was higher than in any year since 2018. This shows that the pandemic increased the importance of cybersecurity in all the ways outlined above.

How does the digitalisation of supply chains accelerate the need for increased cybersecurity?

As consumer goods companies have digitalised their operations, more data is collected and transmitted between more internet and network-connected devices before being stored in company databases. This has increased the attack surface hackers are presented with, the ease of navigating networks of connected devices, and the amount of data up for grabs.  

For example, laptops, IoT sensors, and AR headsets are typically connected to the company network and are always connected to the internet. Unless such devices are supported by cybersecurity apparatus such as firewalls and security information and event management (SIEM) systems, hackers can download malware onto them, take outright control of them, or use them to gain access to the wider network.  

In addition, OT assets such as assembly-line robots, programmable logic controllers (PLCs), and building automation systems are often network-connected. This means their operational output can be monitored, and they can be operated and maintained more easily. Sometimes, OT assets that should not be network-connected are connected only because of installation errors. As a result, without a strong cybersecurity foundation, digitalised business operations are at the mercy of malicious players.

How do digital lifestyles accelerate the need for increased cybersecurity?

As more consumer goods purchases are made online, more data (such as names, dates of birth, and credit card numbers) is stored by consumer goods companies. Regulatory bodies will punish companies that fail to protect their customers’ data. For example, the EU’s General Data Protection Regulation (GDPR) allows for a maximum fine of either €20m ($21.1m) or 4% of a company’s annual turnover, whichever is higher.

Robust cybersecurity is the only way to prevent hackers from stealing consumers’ data and will become increasingly important as ecommerce sales grow. In November 2018, L’Oréal did not adequately scrutinise coding changes made to one of its ecommerce websites by a third party. As a result, data about seven customers, including names, email addresses, and dates of birth, was exposed. L’Oréal was lucky to escape this episode with nothing more than a warning from the Personal Data Protection Commission and could have avoided this embarrassment had it more diligently overseen its cybersecurity. 

How does the future of work accelerate the need for increased cybersecurity?

Cybersecurity addresses the security challenges posed by remote working. The corporate network houses most, if not all, of a company’s data and comprises all of the applications employees need to do their jobs.  

Before remote working, corporate networks were typically protected by a firewall and other security apparatus to keep unauthorised individuals outside the network. However, additional cybersecurity measures have become necessary as companies have increasingly adopted virtual private networks (VPNs) to provide employees with remote access to the entire corporate network.  

Unfortunately, giving employees VPN access to the corporate network exposes the organisation to increased threats from hackers and other unauthorised individuals. The solution to this problem is network security – specifically secure access service edge (SASE) and zero-trust network access (ZTNA).

How does ESG accelerate the need for increased cybersecurity?

Cybersecurity plays a vital role in a company’s social and governance performance. Firstly, GlobalData’s ESG Framework identifies human rights as a crucial social factor, and data breaches, if they include personal data, violate people’s right to privacy. Secondly, GlobalData’s ESG Framework organises governance factors into four distinct areas, one of which is risk management. Now more than ever, cybersecurity is a crucial aspect of corporate risk management.  

Cybersecurity breaches threaten profitability because they can cause lasting damage to digital and physical infrastructures and can badly tarnish a company’s reputation. Cybersecurity breaches also threaten employee and customer privacy. As such, a company without robust cybersecurity protocols cannot be considered a strong ESG performer and is therefore not safe from scrutiny and consumer backlash.  

Furthermore, the growing importance of ESG in the consumer goods sector is accelerating the adoption of digital technologies. For example, blockchain is now being used throughout consumer goods supply chains to ensure that where, when, and how consumer goods are produced is visible and traceable. In this way, auditors can scrutinise, for instance, whether a product was produced ethically or whether a product was made with sustainable raw materials. Integrating blockchain into supply chains expands the attack surface threat actors can exploit. Using blockchain requires specialist hardware integrated into production lines, expanding the OT attack surface. Blockchains themselves can also be hacked.

How does geopolitics accelerate the need for increased cybersecurity?

Cyberwarfare and cyberespionage have already played a prominent role in geopolitical competition and outright conflict, impacting the consumer goods sector. In 2017, Sandworm, a Russian cyber-military group, launched a large-scale cyberattack on Ukraine using NotPetya, a form of ransomware. The encrypting malware caused havoc in Ukraine and beyond, infecting companies and organisations in over 60 countries, including Mondelēz and Reckitt Benckiser. The resultant losses for both companies were more than $100m each.  

During the pandemic, state-sponsored hackers in North Korea attempted to breach Johnson & Johnson’s systems to steal intellectual property about the development of Covid-19 vaccinations. Most recently, Nestlé may have been hacked by Anonymous in March 2022 for failing, at the time, to cease operations in Russia, against which Anonymous had declared a cyberwar weeks before over the invasion of Ukraine. Cyberattacks are clearly a big part of the challenge posed to consumer goods companies by geopolitics. Therefore, cybersecurity is indispensable for these companies.

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article.    

GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.